A small company I am working for has a self-hosted Exchange Server 2010 running, and my job is to migrate this server to an Exchange server 2016, since the old one is out of support for quite a while now.
I know that Exchange 2016 and 2010 can co-exist, and since we cannot afford to loose our emails, I did some testing first. I created a dummy user on the old exchange server, created a migrate job and tried to access it (But the goal is to shutdown the old server after migration has been completed).
Mailflow (sending/receiving from/to external/internal emails - everything works!) is not the problem.
But I cannot get the outlook (2010) clients to work. Please note that we are using Outlook only internal - on a machine which is domain-joined, external access is (currently) not necessary. Whenever I add the dummy account to my outlook, everything works as it should - but as soon as I close outlook and open it again, Outlook cannot access the information store anymore. Accessing the dummy mail via the internal URL https://ex2016.domain.local/owa/
works perfectly.
When I check the connection status right after adding the dummy email account, it shows those mapi over http connections (as far as I know, this is the default access method since exchange 2013). I have executed the autodiscover test, it was successful.
There is a certificate warning, since currently this is the self-signed certificate from the installation. But I also tried replacing this with a certificate issued to a real domain name, but that did not make a difference. (Even though I changed the certificate and the url, Outlook still showed a certificate warning, and I have no idea why!)
But I doubt that the certificate problems are related to my client issues. During my web research, I found a bug that has been existent on exchange 2016 servers, where the authentication on the mapi virtual directory has not been enabled, which caused those client connections to fail. I checked that (I installed exchange 2016 CU21), microsoft obviously fixed that bug - at my installation, authentication already has been enabled.
I am really lost now. Any hint on what could be wrong is appreciated!
Updated Info
Thank you for your reply: Concerning Outlook Version, I double checked it, it should be supported.
Microsoft Outlook 2010 (14.0.7268.5000) SP2 MSO (14.0.7268.5000)
Concerning the certificate warning: It is the first warning (The security certificate was issued by a company you have not chosen to trust.). Thank you for the hint about install certificate, I didn't know about this possibility.
What is really weird, I clicked on install, chose to install it for the whole computer, and closed outlook. After I reopened Outlook, the issue as above showed, and after a minute, the same certificate warning showed again, even though I installed and clicked on trust previously. I repeated the step, this time for the local user, and after a second restart, everything started working!
Why did I have to install the certificate twice ? Outlook connects only to the default website (ex2016.domain.local:443
) and not to the exchange backend (ex2016.domain.local:444
) correct ?
Here is the result of the powershell script (I removed all references to the old exchange server)
Transcript started, output file is C:\log.txt
C:\Windows\system32>
PS>Get-OabVirtualDirectory | fl Identity, server, *Auth*, InternalURL, ExternalURL
Identity : EX2016\OAB (Default Web Site)
Server : EX2016
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}
InternalUrl : https://ex2016.domain.local/OAB
ExternalUrl :
C:\Windows\system32>
PS>Get-WebServicesVirtualDirectory | fl Identity, server, *Auth*, InternalURL, ExternalURL
Identity : EX2016\EWS (Default Web Site)
Server : EX2016
CertificateAuthentication :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
InternalUrl : https://ex2016.domain.local/EWS/Exchange.asmx
ExternalUrl :
C:\Windows\system32>
PS>Get-OutlookAnywhere | fl Identity, server, *Auth*, InternalHostName, ExternalHostName
Identity : EX2016\Rpc (Default Web Site)
Server : EX2016
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
InternalHostname : ex2016.domain.local
ExternalHostname :
C:\Windows\system32>
PS>Get-OwaVirtualDirectory | fl Identity, server, *Auth*, InternalURL, ExternalURL
Identity : EX2016\owa (Default Web Site)
Server : EX2016
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://ex2016.domain.local/owa
ExternalUrl :
C:\Windows\system32>
PS>Get-ClientAccessServer | fl Identity, Name, AutodiscoverServiceInternalUri
Identity : EX2016
Name : EX2016
AutoDiscoverServiceInternalUri : https://ex2016.domain.local/Autodiscover/Autodiscover.xml
C:\Windows\system32>
PS>Get-EcpVirtualDirectory| fl Identity, server, *Auth*, InternalURL, ExternalURL
Identity : EX2016\ecp (Default Web Site)
Server : EX2016
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://ex2016.domain.local/ecp
ExternalUrl :
C:\Windows\system32>
PS>Get-ActiveSyncVirtualDirectory | fl Identity, server, *Auth*, InternalURL, ExternalURL
Identity : EX2016\Microsoft-Server-ActiveSync (Default Web Site)
Server : EX2016
MobileClientCertificateAuthorityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
InternalUrl : https://ex2016.domain.local/Microsoft-Server-ActiveSync
ExternalUrl :
C:\Windows\system32>
PS>Get-MapiVirtualDirectory | fl Identity, server, *Auth*, InternalURL, ExternalURL
Identity : EX2016\mapi (Default Web Site)
Server : EX2016
IISAuthenticationMethods : {Ntlm, OAuth, Kerberos, Negotiate}
InternalAuthenticationMethods : {Ntlm, OAuth, Kerberos, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Kerberos, Negotiate}
InternalUrl : https://ex2016.domain.local/mapi
ExternalUrl : https://ex2016.domain.local/mapi
C:\Windows\system32>
PS>Get-PowerShellVirtualDirectory | fl Identity, server, *Auth*, InternalURL, ExternalURL
Identity : EX2016\PowerShell (Default Web Site)
Server : EX2016
CertificateAuthentication : True
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : False
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : False
OAuthAuthentication : False
AdfsAuthentication : False
InternalUrl : http://ex2016.domain.local/powershell
ExternalUrl :
C:\Windows\system32>
PS>Get-ExchangeCertificate | fl Identity, FriendlyName, Subject, CertificateDomains, Services, Issuer, *not*, Status
Identity : EX2016.domain.local\xxxx_Cert_1_xxxx
FriendlyName : Microsoft Exchange Server Auth Certificate
Subject : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Services : SMTP
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 10.09.2026 15:12:39
NotBefore : 06.10.2021 15:12:39
Status : Valid
Identity : EX2016.domain.local\xxxx_Cert_2_xxxx
FriendlyName : Microsoft Exchange
Subject : CN=EX2016
CertificateDomains : {EX2016, EX2016.domain.local}
Services : IIS, SMTP
Issuer : CN=EX2016
NotAfter : 06.10.2026 15:11:29
NotBefore : 06.10.2021 15:11:29
Status : Valid
Identity : EX2016.domain.local\xxxx_Cert_3_xxxx
FriendlyName : WMSVC-SHA2
Subject : CN=WMSvc-SHA2-EX2016
CertificateDomains : {WMSvc-SHA2-EX2016}
Services : None
Issuer : CN=WMSvc-SHA2-EX2016
NotAfter : 04.10.2031 12:32:50
NotBefore : 06.10.2021 12:32:50
Status : Valid
Identity : EX2016.domain.local\xxxx_Cert_4_xxxx
FriendlyName : real.domain.org (rapidssl rsa ca 2018)
Subject : CN=real.domain.org
CertificateDomains : {real.domain.org}
Services : IMAP, POP, SMTP
Issuer : CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
NotAfter : 05.11.2021 13:00:00
NotBefore : 07.10.2019 02:00:00
Status : RevocationCheckFailure
C:\Windows\system32>
PS>Get-OrganizationConfig | fl MapiHttpEnabled
MapiHttpEnabled : True
C:\Windows\system32>
PS>Get-CasMailbox -Identity Dummy.User | fl MapiHttpEnabled
MapiHttpEnabled :
C:\Windows\system32>
PS>Stop-Transcript
Make sure your Outlook version is latest and supported: Supportability for Mapi over HTTP.
At the same time, try to create a new profile for your mailbox and see if there is any difference.
What's the description of the certificate warning?
The common cert warnings happened in Outlook are the following:
1 -
The security certificate was issued by a company you have not chosen to trust.
If you are using the self-signed certificate for IIS, this cert will not be automatically added to the trusted root certificate store, you should manually trust it by clicking the button "View Certificate" and "Install Certificate" on your clients.
More details about the self-signed certificate: Self-Signed Certificate
2 -
The security certificate has expired or is not yet valid.
Click "View Certificate" and view its valid time, if it's expired, renew it and restart IIS.
3 -
The name on the security certificate is invalid or does not match the name of the site.
This warning normally is related with the internal/external hostnames of the virtual directories/services(e.g. MAPI, Outlook Anywhere, SCP) and the domain names included in certificate.
Please run the following commands to view if the configurations of them are proper (Please change the value of the parameter
-Identity
for the cmdletGet-CasMailbox
with your mailbox identities, and don't forget to alter any sensitive info.):