When Exchange 2016 is installed with Exchange 2010, MAPI over HTTP is enabled by default for the organization.
Exchange 2010 mailboxes continue to be accessed via RPC.
Exchange 2016 mailboxes will use MAPI over HTTP.
If Exchange 2016 mailboxes have Full Access to an Exchange 2010 mailbox, then Outlook Anywhere is used to connect to that secondary mailbox.
If using a wildcard cert, you need to set the certificate name for the EXPR Outlook provider for Outlook Anywhere as msstd:*domain.com.
Authentication prompts
Exchange 2010 on Windows Server 2008 R2 requires a security update for Outlook Anywhere to function properly. This is a security update from 2016 (KB3140410). It "should" already be in place, but if it's not then Outlook Anywhere will cause tons of authentication popups in Outlook.
I saw this manifest as Exchange 2016 mailboxes with a secondary mailbox on Exchange 2010 getting the popups. Only an Exchange 2016 mailbox was fine because it used only MAPI over HTTP on Exchange 2016. Only an Exchange 2010 mailbox was fine because it used only RPC to Exchange 2010.
If the update is not in place and you don't have the opportunity to apply the update quickly, you can modify DefaultAppPool in IIS Manager to use the identity Network Service. Recycle DefaultAppPool for the change to take effect. Recycling DefaultAppPool does not affect users.
Error message that you will likely see in RpcHTTP proxy log (C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\RpcHttp):
Complete=PrepareServerRequest;,WebExceptionStatus=ProtocolError;ResponseStatusCode=401;
WebException=System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at Microsoft.Exchange.HttpProxy.RpcHttpProxyRequestHandler.<>c__DisplayClass1.nullb__0();
HttpException=System.Web.HttpException (0x80004005): NegotiateSecurityContext failed with for host 'mail.contoso.com' with status 'InvalidToken' at Microsoft.Exchange.HttpProxy.KerberosUtilities.GenerateKerberosAuthHeader.
Win7 certificate errors
Windows 7 clients that don't have TLS 1.1 and 1.2 enabled might see a certificate error when connecting to Exchange 2016 for web services (not necessarily mailbox). To enable TLS 1.1 and 1.2 on Windows 7, you need to ensure that update KB3140245 is installed. With the update installed, you need to create additional registry entries.
The registry keys created by the quick fix utility distributed with this update by Microsoft are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Create DWORD: DefaultSecureProtocols
Value: 0xA00
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Create DWORD: DefaultSecureProtocols
Value: 0xA00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Create DWORD: SecureProtocols
Value: 0xA80
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Create DWORD: SecureProtocols
Value: 0xA80
The DefaultSecureProtocols value is used by the Office apps, and 0xA00 designates TLS 1.1 and TLS 1.2.
The SecureProtocols value is used by Internet Explorer, and 0xA80 designates TLS 1.0, TLS 1.1, and TLS 1.2.
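The PowerShell check below is an added example, not part of the original post: it reads the four registry values listed above and decodes each bitmask into protocol names, so a mistyped value is caught before clients rely on it. It uses the protocol bit flags 0x8 (SSL 2.0), 0x20 (SSL 3.0), 0x80 (TLS 1.0), 0x200 (TLS 1.1) and 0x800 (TLS 1.2); the helper name ConvertTo-ProtocolList and the warning rules are assumptions of this example.

```powershell
# Added example: audit the TLS registry values from this post.
# Protocol bit flags used by DefaultSecureProtocols and SecureProtocols.
$Flags = @(
    @{ Name = 'SSL 2.0'; Bit = 0x8 },
    @{ Name = 'SSL 3.0'; Bit = 0x20 },
    @{ Name = 'TLS 1.0'; Bit = 0x80 },
    @{ Name = 'TLS 1.1'; Bit = 0x200 },
    @{ Name = 'TLS 1.2'; Bit = 0x800 }
)

# Hypothetical helper: turn a bitmask into a readable protocol list.
function ConvertTo-ProtocolList([int]$Value) {
    $names = @($Flags | Where-Object { $Value -band $_.Bit } | ForEach-Object { $_.Name })
    if ($names.Count -eq 0) { return 'none' }
    return ($names -join ', ')
}

# Constructed sample values; 0xA8 and 0xA08 show what a mistyped 0xA80 decodes to.
foreach ($sample in 0xA00, 0xA80, 0xA8, 0xA08) {
    Write-Output ('0x{0:X} -> {1}' -f $sample, (ConvertTo-ProtocolList $sample))
}

# The four registry locations listed in the post.
$ie = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$Targets = @(
    @{ Path = "HKLM:\SOFTWARE\$ie\WinHttp"; Name = 'DefaultSecureProtocols' },
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$ie\WinHttp"; Name = 'DefaultSecureProtocols' },
    @{ Path = "HKCU:\Software\$ie"; Name = 'SecureProtocols' },
    @{ Path = "HKLM:\SOFTWARE\$ie"; Name = 'SecureProtocols' }
)

foreach ($t in $Targets) {
    $name = $t.Name
    $item = Get-ItemProperty -Path $t.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ('{0}\{1}: not set' -f $t.Path, $name)
        continue
    }
    $value = [int]$item.$name
    # Example policy (assumption): require TLS 1.2, flag any SSL 2.0/3.0 bit.
    $status = 'OK'
    if (-not ($value -band 0x800)) { $status = 'WARN: TLS 1.2 not enabled' }
    elseif ($value -band 0x28) { $status = 'WARN: SSL 2.0 or SSL 3.0 enabled' }
    Write-Output ('{0}\{1} = 0x{2:X} [{3}] {4}' -f $t.Path, $name, $value, (ConvertTo-ProtocolList $value), $status)
}
```

Run it in the affected user's session, because the HKEY_CURRENT_USER value is per user.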