
The environment:

Single domain, two Windows Server 2012 R2 domain controllers, one Exchange 2016 CU23 server and Windows 10 21H2 clients. Environment is offline, NTLM is disabled and clients authenticate via Kerberos.

The problem:

After upgrading Office 2010 Standard to Office 2016 Standard, Outlook 2016 cannot log on to Exchange. The error message when opening Outlook is:

Outlook cannot log on. Verify that you are connected to the network and are using the proper server and mailbox name. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.

Clients that are still on Office 2010 in the same environment can still connect to Exchange. Testing with the same mailbox, it works on 2010 but not 2016.

What I've tried/checked:

  • Verified autodiscover works: the autodiscover URL can be browsed, and the built-in autodiscover test in Outlook works and returns the correct data.

  • The Outlook Connection Status box is empty.

  • OWA works.

  • MapiHttpDisabled according to this Microsoft article, tried setting both 0 and 1.

  • Checked traffic on the client with Wireshark. After a successful autodiscover, no more traffic is generated, the last packet in the network log is an [RST, ACK] from port 389 on the DC (this entry is also present on a working system).

  • Verified RPC ports on DCs and Exchange servers are open with portqry.exe and Test-NetConnection.

  • Clean install of a new client machine so no Office 2010 files/registry settings might be interfering.

  • Compared DNS records, Exchange certificates, Active Directory accounts and IIS authentication with another environment where this is working. The other environment is almost exactly the same as the one described above, but I've yet to find any differences.

  • Recreating the mail profile via the control panel, after autodiscover the profile creation fails with the same error message as above.

  • Checked firewall log for dropped packets.

  • Checked various event viewer logs.

  • Enabled and checked failed request tracing logs in IIS.

  • Checked logs under Exchange Server\V15\Logging\ and Exchange Server\V15\TransportRoles\. Admittedly I don't know exactly which log would be best to check here, but I've run Get-ChildItem to find logs with a LastWriteTime corresponding with login attempts, and I haven't found anything obvious in these logs yet.

  • Browsing to https://exchange-server.domain.com/mapi/<emsmdb|nspi>/?MailboxId=<id>@domain.com works on a client where Outlook cannot log on.

I've probably left something out that I've tried; I've been troubleshooting this for 3 weeks now. As mentioned, I have another environment where this scenario is working that I can compare with, so any suggestions on things that I might've not compared yet are appreciated. I'll gladly supply any more information that might be necessary.

  • The Authentication Policies and verifying Modern Authentication need to be checked. Outlook 2016 with Modern Authentication disabled should be the next thing to test. https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/enable-modern-auth-in-exchange-server-on-premises?view=exchserver-2019 https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/modern-authentication-configuration – Greg Askew Jul 07 '23 at 10:13
  • Tried now with `AlwaysUseMSOAuthForAutoDiscover = 0`, same error message and verified same behavior in Wireshark. – AmazingRealist Jul 07 '23 at 10:43
  • I believe the relevant registry value is: `Key: HKCU\Software\Microsoft\Office\16.0\Common\Identity\ Value: EnableADAL DWORD:00000000` – Greg Askew Jul 07 '23 at 11:02
  • I'm 80% sure I've tried that, but I'll give it a go Monday when I'm back at work. – AmazingRealist Jul 07 '23 at 17:33
  • Have you checked the setting in this link: https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/outlook-connection-issue-caused-by-rpc-encryption-requirement – Kael Jul 10 '23 at 03:39
  • @GregAskew, tried `EnableADAL = 0`, no success. @Kael, yes, I've seen that link before; the symptoms section sounds promising, but sadly no difference. Since I can't create a profile, I tried with `Set-RpcClientAccess -EncryptionRequired:$false -Server `. – AmazingRealist Jul 10 '23 at 05:58

1 Answer

Finally, after a month of troubleshooting, I found the solution.

As mentioned in the question, I had another system where this was working, but couldn't find any difference. The other system has a router since it's spread over three networks, while the one that was not working is just a single network and therefore has never had a router.

So the key difference between the two was that nothing was responding when pinging the default gateway on the system where it wasn't working. I just installed a simple router without any more config than setting the interface IP just so ping would work, and voila, Outlook 2016 can now log on!

I'm guessing it's doing some self connectivity test before starting that Outlook 2010 didn't do; weird that I couldn't see this in Wireshark though.
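
An added example, not part of the original question or answer: a PowerShell snapshot of the client-side state discussed on this page (default gateway ping reachability plus the three registry values tried), written to a file so a working client and a failing client can be diffed. The function name `Get-OutlookClientSnapshot` and the output file name are hypothetical, the `HKCU:\Software\Microsoft\Exchange` location for `MapiHttpDisabled` and `AlwaysUseMSOAuthForAutoDiscover` is the documented per-user key rather than something stated on the page, and the connection-profile field is recorded only for comparison, since the page does not establish what Outlook 2016 actually checks.

```powershell
# Added example: run as the affected user on each Windows 10 client, then diff the files.
function Get-OutlookClientSnapshot {
    # Per-user registry values named in the question and comments.
    $regChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Exchange'; Name = 'MapiHttpDisabled' },
        @{ Path = 'HKCU:\Software\Microsoft\Exchange'; Name = 'AlwaysUseMSOAuthForAutoDiscover' },
        @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'; Name = 'EnableADAL' }
    )
    $registry = foreach ($c in $regChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Value = "$($c.Path)\$($c.Name)"
            Data  = if ($item) { $item.($c.Name) } else { '<not set>' }
        }
    }

    # Every configured IPv4 default gateway and whether it answers ICMP echo,
    # which is the difference the answer found between the two environments.
    $gateways = foreach ($cfg in Get-NetIPConfiguration) {
        foreach ($gw in $cfg.IPv4DefaultGateway) {
            [pscustomobject]@{
                Interface     = $cfg.InterfaceAlias
                Gateway       = $gw.NextHop
                RepliesToPing = Test-Connection -ComputerName $gw.NextHop -Count 2 -Quiet
            }
        }
    }

    # Windows' own classification of each network, stored as strings so the JSON diffs cleanly.
    $profiles = Get-NetConnectionProfile | Select-Object InterfaceAlias,
        @{ n = 'NetworkCategory';  e = { "$($_.NetworkCategory)" } },
        @{ n = 'IPv4Connectivity'; e = { "$($_.IPv4Connectivity)" } }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Registry = @($registry)
        Gateways = @($gateways)   # empty array means no default gateway is configured
        Profiles = @($profiles)
    }
}

# Hypothetical output name; copy both files to one machine and compare them there.
Get-OutlookClientSnapshot | ConvertTo-Json -Depth 4 |
    Out-File -FilePath ".\outlook-snapshot-$env:COMPUTERNAME.json" -Encoding utf8
```

A gateway entry with `RepliesToPing` set to `False` on the failing client and `True` on the working one is the condition the answer describes.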