Issues with MAPI over HTTP for Outlook 2016/Exchange 2013 while in Hybrid

Joey Marshall 46 Reputation points

My company is beginning to prepare for a migration to Exchange Online from Exchange 2013. When we moved to 2013, by GPO, we forced NTLM authentication for the entire business and only have a subset of associates that have their CAS mailbox with MAPI over HTTP enabled so they can use Outlook off our corporate network. We set up the hybrid configuration wizard over a weekend but the next day, those that have the ability to use Outlook with MAPI over HTTP with Autodiscover had their Outlook profiles repeatedly ask for credentials and never connect. When we disabled Cached Exchange mode, Outlook connected just fine. When removing the .ost file and rebuilding it, there are no issues but once Outlook is closed and re-opened, the credential prompts return. Seeing similar posts from the past, we've tried everything noted, including removing cached credentials in the Credential Manager, recreating Outlook profiles and recently, reordering the Negotiate in IIS to after NTLM for EWS to no effect. Our next step is to remove Negotiate all together but that will disable us from being able to migrate mailboxes to EXO. Outlook also isn't populating troubleshoot logs after we enable for me to see exactly how a Cached .ost file somehow authenticates differently than what Online mode does for this to be an issue. I assumed that because the Negotiate was first thing that tried instead of NTLM that maybe it was constantly getting hung up there and not failing over to NTLM but that reordering did not solve it.

Is there anything else to try besides rolling back the hybrid configuration wizard?

Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,915 questions
{count} votes

2 answers

Sort by: Most helpful
  1. KyleXu-MSFT 26,211 Reputation points

    @Joey Marshall

    I think this phenomenon doesn't related to hybrid. From this article, we can know that we could set the IISAuthenticationMethods to Negotiate for a non-hybrid Exchange server.

    This phenomenon more related with the GPO that you used for your organization.

    Did you try to test MAPI Over Http your Exchange server? I guess there doesn't issue with MAPI Over Http on the server side.

    Test-OutlookConnectivity -RunFromServerId Exch -ProbeIdentity OutlookMapiHttpSelfTestProbe  

    If the application specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle the request based on configured security policy. The Negotiate isn't a real protocol, it is suggested enable Negotiate for your organization.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments