Exchange IIS authentication for Outlook

Bash 156 Reputation points
2022-10-13T07:50:10.847+00:00

Hello,
I have 2 Exchange 2016 on-prem servers. Both were identical in terms of IIS settings.
We decided to modify some settings on one server to disable basic authentication for ActiveSync devices. But, some other settings were changed (mostly in IIS - Authentication).
Result: One server is healthy and accepts Outlook connections; the other server asks Outlook for a password and refuses to connect.
Test connection from Outlook looks like this:
https://mail.contoso.com/mapi/emsmdb/?mailboxid=<GUID> ... and there it asks for credentials over and over again.
There is no difference in Get-MapiVirtualDirectory cmdlet between these two servers. I tried to compare all Virtual Directories and their authentication methods, fixed some but still something is missing ...
Other services like OWA etc. work fine...


3 answers

  1. Aholic Liang-MSFT 13,821 Reputation points Microsoft Vendor
    2022-10-18T08:25:09.757+00:00

    Hi @Bash ,
    I followed your steps to test in my lab and got the same results as you.
    The Outlook client keeps popping up password input box and trying connection.
    Then, I tried disabling basic authentication for Autodiscover and retrying the connection to the server from the Outlook client. Now, it can be successfully connected.



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Bash 156 Reputation points
    2022-10-24T13:02:20.3+00:00

    Some update: after we disabled the Negotiate provider from mapi/Windows authentication, leaving only NTLM, the connection from Outlook succeeded.
    After that some prompts appeared again from autodiscover. Removing Negotiate from Autodiscover virtual directory fixed it as well.

    So, one server is working with all "default" options, one server has different configuration (removed Negotiate).

    What could cause the problem with the Negotiate option in the Windows authentication provider?


  3. Aholic Liang-MSFT 13,821 Reputation points Microsoft Vendor
    2022-10-27T08:22:12.42+00:00

    Hi @Bash ,
    I wonder if the computer using the Outlook client to connect to the server is domain-joined?
    According to my test, after I disable Basic authentication for ActiveSync, I can successfully connect to the server in the following scenarios:

    1. Disable Basic authentication for Autodiscover.
    2. Enable Windows authentication for ActiveSync.
    3. Remove the Negotiate in Windows authentication for Autodiscover.

    In my opinion, I would suggest that you enable Windows authentication for ActiveSync.
    This article details Windows authentication: Windows Authentication Overview | Microsoft Learn
    This is closer to AD and IIS, hope it helps you a little!

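
The thread's finding was that the two servers differed in the IIS Windows authentication provider list (Negotiate/NTLM), which the Exchange virtual directory cmdlets did not reveal. The following is an added example, not part of any post in this thread: it diffs the IIS authentication sections of two `applicationHost.config` copies per virtual directory. It assumes you have exported that file from each server; the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH = "system.webServer/security/authentication"

def auth_settings(config_xml):
    """Return {location path: {setting: value}} for IIS authentication sections."""
    settings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        auth = loc.find(AUTH)
        if auth is None:
            continue
        entry = {}
        for scheme in auth:
            # A scheme element without an explicit attribute inherits from its parent.
            entry[scheme.tag] = scheme.get("enabled", "inherited")
            providers = scheme.find("providers")
            if providers is not None:
                # Keep the list order as written in the config.
                entry[scheme.tag + "/providers"] = [p.get("value") for p in providers.findall("add")]
        settings[loc.get("path", "").lower()] = entry
    return settings

def diff_servers(xml_a, xml_b):
    """List (path, setting, value_on_a, value_on_b) for every setting that differs."""
    a, b = auth_settings(xml_a), auth_settings(xml_b)
    diffs = []
    for path in sorted(set(a) | set(b)):
        ea, eb = a.get(path, {}), b.get(path, {})
        for key in sorted(set(ea) | set(eb)):
            if ea.get(key) != eb.get(key):
                diffs.append((path, key, ea.get(key), eb.get(key)))
    return diffs

def _location(vdir, basic, providers):  # builds one constructed <location> element
    adds = "".join(f'<add value="{p}"/>' for p in providers)
    return (f'<location path="Default Web Site/{vdir}"><system.webServer><security><authentication>'
            f'<basicAuthentication enabled="{basic}"/>'
            f'<windowsAuthentication enabled="true"><providers>{adds}</providers></windowsAuthentication>'
            '</authentication></security></system.webServer></location>')

# Constructed samples: server A with both providers, server B with Negotiate removed on mapi.
SERVER_A = ("<configuration>" + _location("mapi", "false", ["Negotiate", "NTLM"])
            + _location("Autodiscover", "true", ["Negotiate", "NTLM"]) + "</configuration>")
SERVER_B = ("<configuration>" + _location("mapi", "false", ["NTLM"])
            + _location("Autodiscover", "false", ["Negotiate", "NTLM"]) + "</configuration>")

if __name__ == "__main__":
    for path, key, va, vb in diff_servers(SERVER_A, SERVER_B):
        print(f"{path}: {key}: A={va} B={vb}")
```
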