
Microsoft Exchange 2016 and 2010 coexistence – Outlook shows login prompt

14. March 2016

During a migration from Exchange 2010 to Exchange 2016 I was facing a strange problem. Users with a Mailbox on 2016 always received a login prompt when they started Outlook.

The problem only happened for users that had access to public folders (still hosted on Exchange 2010) or mailboxes that also had not been migrated. If you start to google for the problem, the first hint you get is to change the Outlook Anywhere Authentication on Exchange 2016 (the default now is Negotiate) to NTLM. Ok – let’s check the current settings with PowerShell (Exchange Management Shell) for each CAS-Server:

Get-OutlookAnywhere -Server SERVERNAME

Exchange 2016:
[Screenshot: Get-OutlookAnywhere output on Exchange 2016]
Already Ntlm – so let’s check 2010:
[Screenshot: Get-OutlookAnywhere output on Exchange 2010]
As you can see this was still Basic.

Interestingly the Exchange 2010 Shell shows the option ClientAuthenticationMethod – while the 2016 Shell shows InternalClientAuthenticationMethod AND ExternalClientAuthenticationMethod.
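
Because the two shells name the property differently, a check across all servers has to read both sets of names. The following is an added example, not code from the original post: a hypothetical helper, Get-OAAuthSummary, that accepts either property set and reports which Outlook Anywhere virtual directories still deviate from NTLM and which still offer Negotiate in IIS. The sample objects are constructed, and the server names EX2016 and EX2010 are placeholders.

```powershell
# Added example, not the author's code. Get-OAAuthSummary is a hypothetical helper.
function Get-OAAuthSummary {
    param([Parameter(ValueFromPipeline = $true)] $VDir)
    process {
        # Exchange 2010 shows ClientAuthenticationMethod; Exchange 2016 shows
        # Internal/ExternalClientAuthenticationMethod. Collect whichever exist.
        $client = @()
        foreach ($name in 'ClientAuthenticationMethod',
                          'InternalClientAuthenticationMethod',
                          'ExternalClientAuthenticationMethod') {
            if ($null -ne $VDir.$name) { $client += "$($VDir.$name)" }
        }
        # IISAuthenticationMethods is multi-valued; normalise to strings.
        $iis = @($VDir.IISAuthenticationMethods |
                 Where-Object { $null -ne $_ } | ForEach-Object { "$_" })
        $notNtlm = @($client | Where-Object { $_ -ne 'Ntlm' })

        New-Object PSObject -Property @{
            Identity       = "$($VDir.Identity)"
            ClientAuth     = $client -join ', '
            IISAuth        = $iis -join ', '
            ClientAllNtlm  = ($client.Count -gt 0) -and ($notNtlm.Count -eq 0)
            NegotiateInIIS = $iis -contains 'Negotiate'
        } | Select-Object Identity, ClientAuth, IISAuth, ClientAllNtlm, NegotiateInIIS
    }
}

# Constructed sample objects that mirror the state described in the post.
$sample = @(
    New-Object PSObject -Property @{
        Identity                           = 'EX2016\Rpc (Default Web Site)'
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalClientAuthenticationMethod = 'Ntlm'
        IISAuthenticationMethods           = @('Basic', 'Ntlm', 'Negotiate')
    }
    New-Object PSObject -Property @{
        Identity                   = 'EX2010\Rpc (Default Web Site)'
        ClientAuthenticationMethod = 'Basic'
        IISAuthenticationMethods   = @('Basic', 'Ntlm')
    }
)
$sample | Get-OAAuthSummary | Format-Table -AutoSize

# In the Exchange Management Shell, feed the real objects instead:
# Get-OutlookAnywhere | Get-OAAuthSummary | Format-Table -AutoSize
```

Keeping the output of such a check makes it easier to see which servers were changed once the last Exchange 2010 server is removed.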

Time to change the Exchange 2010 CAS to NTLM Authentication:

Set-OutlookAnywhere -Identity "SERVERNAME\Rpc (Default Web Site)" -ClientAuthenticationMethod ntlm

Restart IIS to make sure the setting is applied (CMD – IISRESET).

Unfortunately this didn’t fix the problem :( So time to look for other solutions. I then found Hotfix 2990117 from Microsoft which exactly described our problem. I downloaded the hotfix – but the installation “failed”. There was no error message nor anything else – the installation just started fine but never finished. Luckily the Hotfix also describes a workaround:

Open the IIS Manager on the 2010 CAS and go to Application Pools => DefaultAppPool and choose Advanced Settings on the right side.

Go to Identity and press “…”.

Now switch the setting to NetworkService.

After this confirm the settings with OK (twice) and press Recycle on the right side in the IIS Console (when the Default-App-Pool is selected). To make sure everything is applied correctly I also did an IISRESET. First I only changed the setting on the 2010 CAS-Servers – then also on 2016. But guess – still the same problem :/

Time to check the information that I had until now. All the information available points to an authentication problem. Mainly Exchange 2016 uses different methods compared to 2010. So it’s often suggested to change the settings to NTLM. What happens if Outlook uses Outlook Anywhere? It “opens” the RPC Website. Let’s check the Authentication settings for the RPC Website:

Open IIS Manager and go to Sites => Default Web Site => RPC => Authentication

Now select Windows Authentication => Providers.

We can now see that Negotiate is the first configured provider. If we now remember that we had to switch our Outlook Anywhere Settings for Exchange 2016 to NTLM to make it compatible with 2010, this doesn’t sound correct.

So I moved NTLM to the top and restarted the IIS (IISRESET).

I repeated this on every other Exchange 2010 CAS-Server and 2016 Server – and after that the login prompt didn’t occur any longer. To make this a permanent change (and remove Negotiate until all Exchange 2010 Servers are removed) enter the following command for every Exchange-Server:

Get-OutlookAnywhere -Identity "SERVER-FQDN\rpc (Default Web Site)" | Set-OutlookAnywhere -IISAuthenticationMethods "Basic, ntlm"
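
To confirm the provider order on each server without clicking through IIS Manager, the Windows Authentication section of the RPC application can be read with appcmd and parsed. This is an added example, not code from the original post: Get-RpcProviderOrder is a hypothetical helper, the XML below is a constructed sample of the appcmd output, and the path "Default Web Site/Rpc" is assumed from the IIS Manager steps above.

```powershell
# Added example, not the author's code. Get-RpcProviderOrder is a hypothetical helper.
function Get-RpcProviderOrder {
    param([Parameter(Mandatory = $true)][string] $ConfigXml)

    $doc   = [xml]$ConfigXml
    $wa    = $doc.SelectSingleNode('//windowsAuthentication')
    # Provider order is the document order of the <add> elements.
    $order = @($doc.SelectNodes('//windowsAuthentication/providers/add') |
               ForEach-Object { $_.GetAttribute('value') })

    New-Object PSObject -Property @{
        Enabled   = ($null -ne $wa) -and ($wa.GetAttribute('enabled') -eq 'true')
        Providers = $order -join ', '
        NtlmFirst = ($order.Count -gt 0) -and ($order[0] -eq 'NTLM')
        Negotiate = $order -contains 'Negotiate'
    } | Select-Object Enabled, Providers, NtlmFirst, Negotiate
}

# Constructed sample: the state before NTLM was moved to the top.
$sampleXml = @'
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
'@
Get-RpcProviderOrder -ConfigXml $sampleXml | Format-List

# On an Exchange server (elevated prompt), read the live configuration instead:
# $section = '-section:system.webServer/security/authentication/windowsAuthentication'
# $xml = (& "$env:windir\System32\inetsrv\appcmd.exe" list config 'Default Web Site/Rpc' $section) -join "`n"
# Get-RpcProviderOrder -ConfigXml $xml
```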

PS:
After switching back the App-Pool-Identity to ApplicationPoolIdentity some clients (especially Outlook 2016) again showed the login prompt – so I think it’s necessary to change both settings.


10 Comments
  1. I got this site from my friend who told me concerning this web page and at the moment this time I am browsing this web page and reading very informative articles at this time.

  2. Mitch

    Did you also change the priority of the providers on the Exchange 2016 servers as well?

    Thanks,

  3. Noroji

    I’m in the exact same situation as you and tried your solution. Seems like some of my users do not get the login prompt now! That’s great so far.

    But some still do… Well, more research I guess. 🙂 Thanks for the guide! Was, sadly, hard to find.

  4. Dominik

    OMG, I’m sitting here, 1pm on a Monday morning after I’ve migrated my customer off of SBS 2008 to 2016 using an Exchange 2010 box as interim.
    Everything worked fine until I moved all mailboxes to the 2016 server..login prompts galore and no access to the public folder calendar anymore.

    Was ready to throw in the towel when I stumbled across your post, you saved my Monday morning 🙂

  5. Brewmeister

    Thanks a mil, This saved me hours of hair pulling after our Exchange 2016 install!

  6. Nien

    Whoa… thank you for figuring this out and sharing… saved me a heart attack :-p

  7. Mike

    Great article.
    What if Outlook Anywhere is not configured on the Exchange 2010 during Co-Existence with Exchange 2016?
