Outlook Anywhere users prompted for credentials when they try to connect to Exchange Server 2013 or Exchange Server 2016

Symptoms

Consider the following scenario:
  • You are running Microsoft Exchange Server 2013 or Microsoft Exchange Server 2016 in a coexistence environment together with Microsoft Exchange Server 2010, Exchange Server 2007, or both.
  • Client connections in this environment are proxied through an Exchange Server 2013 Client Access server (CAS) or the Exchange Server 2016 Client Access service.
  • Users in this environment try to connect to their Exchange Server 2010 or Exchange Server 2007 mailboxes by using the Outlook Anywhere (RPC over HTTP) feature.
In this scenario, these users cannot connect. Instead, they are prompted repeatedly for their credentials, and their Outlook clients may remain in a disconnected state.

This problem may also affect Outlook Anywhere connections to Exchange Server 2010 or Exchange Server 2007 legacy public folders or Offline Address Books (OAB).

Troubleshooting indicates that the affected users cannot connect directly to the legacy Client Access servers (CAS) by using Outlook Anywhere.

Cause

This problem occurs if the Exchange Server 2010 or Exchange Server 2007 servers that hold the Client Access server role are running on Windows Server 2008 R2. After the computer account password for such a CAS is changed, an incorrect flag is set in a global credential, and the legacy server then rejects the Kerberos authentication that the proxying Exchange Server 2013 or Exchange Server 2016 server presents to it. More information about this problem is included in the hotfix package that is mentioned in the "Resolution" section.

Resolution

To resolve this problem, install the following update on all Exchange Server 2010 and Exchange Server 2007 Client Access servers that are running on Windows Server 2008 R2:

 3140410 Security update for Microsoft Windows to address elevation of privilege: March 8, 2016
Note: You must restart the computer after you apply this security update. The update addresses the cause on the legacy servers; no change is required on the Exchange Server 2013 or Exchange Server 2016 servers.

More Information

When this problem occurs, an error may be logged in the RPC over HTTP proxy logs on the Exchange Server 2013 or Exchange Server 2016 server that is proxying the connection. The logs are at the following location:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\RpcHttp
The log entry resembles the following. The host name in the entry identifies the legacy server that the request was being proxied to:

Complete=PrepareServerRequest;,WebExceptionStatus=ProtocolError;ResponseStatusCode= 401;
WebException=System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at Microsoft.Exchange.HttpProxy.RpcHttpProxyRequestHandler.<>c__DisplayClass1.nullb__0();
HttpException=System.Web.HttpException (0x80004005): NegotiateSecurityContext failed with for host 'mail.contoso.com' with status 'InvalidToken'
   at Microsoft.Exchange.HttpProxy.KerberosUtilities.GenerateKerberosAuthHeader.
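The following PowerShell script is an added example and is not part of this article. It scans the RpcHttp proxy log lines on an Exchange Server 2013 or Exchange Server 2016 server for the NegotiateSecurityContext/InvalidToken signature shown above and reports which legacy Client Access servers are rejecting the proxied Kerberos token, which tells you where the update still has to be installed. The log path is the default one from this article; the sample lines, the function name Get-RpcHttpKerberosFailure and the host names legacy-cas01/legacy-cas02 are constructed for illustration and only loosely follow the CSV layout of the real log files.

```powershell
# Added example (not part of the KB article): triage RpcHttp proxy logs on an
# Exchange 2013/2016 server for the 401 / InvalidToken failure described above.
# Assumptions: Windows PowerShell 3.0 or later and the default log location.

$LogPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\RpcHttp'

# Matches the failure signature and captures the legacy host that rejected the
# token and the status that NegotiateSecurityContext reported.
$Pattern = "NegotiateSecurityContext failed .*?host '(?<TargetHost>[^']+)' with status '(?<Status>[^']+)'"

function Get-RpcHttpKerberosFailure {
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            if ($l -match $Pattern) {
                [pscustomobject]@{
                    TargetHost = $Matches.TargetHost
                    Status     = $Matches.Status
                    # True when the backend answered 401, as in the article's entry.
                    Http401    = [bool]($l -match 'ResponseStatusCode=\s*401')
                }
            }
        }
    }
}

# Constructed sample entries standing in for lines read from the log files.
$Sample = @(
    "2016-03-10T08:01:02.123Z,...,Complete=PrepareServerRequest;,WebExceptionStatus=ProtocolError;ResponseStatusCode= 401;HttpException=System.Web.HttpException (0x80004005): NegotiateSecurityContext failed with for host 'legacy-cas01.contoso.com' with status 'InvalidToken' at Microsoft.Exchange.HttpProxy.KerberosUtilities.GenerateKerberosAuthHeader.",
    "2016-03-10T08:01:03.456Z,...,Complete=PrepareServerRequest;ResponseStatusCode=200;",
    "2016-03-10T08:01:04.789Z,...,ResponseStatusCode= 401;HttpException=System.Web.HttpException (0x80004005): NegotiateSecurityContext failed with for host 'legacy-cas02.contoso.com' with status 'InvalidToken' at Microsoft.Exchange.HttpProxy.KerberosUtilities.GenerateKerberosAuthHeader.",
    "2016-03-10T08:01:05.000Z,...,ResponseStatusCode= 401;HttpException=System.Web.HttpException (0x80004005): NegotiateSecurityContext failed with for host 'legacy-cas01.contoso.com' with status 'InvalidToken' at Microsoft.Exchange.HttpProxy.KerberosUtilities.GenerateKerberosAuthHeader."
)

# On a real server replace $Sample with the log contents, for example:
#   Get-ChildItem -Path $LogPath -Filter *.log | Get-Content
$Sample |
    Get-RpcHttpKerberosFailure |
    Where-Object { $_.Status -eq 'InvalidToken' -and $_.Http401 } |
    Group-Object TargetHost |
    Sort-Object Count -Descending |
    Select-Object @{Name = 'LegacyCas'; Expression = { $_.Name } }, Count
```

With the constructed sample this lists legacy-cas01.contoso.com with a count of 2 and legacy-cas02.contoso.com with a count of 1. The host names that appear here are the servers on which to check for the update from the "Resolution" section; a server that does not appear is not necessarily patched, only not yet hit by a proxied request.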

Workaround

To work around this problem, configure the default application pool (DefaultAppPool) on all Exchange Server 2010 and Exchange Server 2007 Client Access servers to run under the built-in Network Service identity instead of ApplicationPoolIdentity. This workaround is temporary. Network Service is a shared account that other services on the server also run under, so the per-pool isolation that ApplicationPoolIdentity provides is lost while the workaround is in place. Revert the setting after you install the update that is described in the "Resolution" section.

To change the default application pool configuration, follow these steps on each legacy Client Access server:
  1. Start Internet Information Services (IIS) Manager.
  2. Click Application Pools, right-click DefaultAppPool, and then click Advanced Settings.
  3. Click Identity, and then click the ellipsis (…) button.
  4. Click the drop-down arrow, click Network Service in the list under Built-in account, and then click OK twice.
  5. Right-click DefaultAppPool, and then click Recycle.
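The following PowerShell script is an added example and is not part of this article. It performs the same change as the IIS Manager steps above from an elevated PowerShell session on the legacy Client Access server, and it uses the presence of update 3140410 to decide whether to apply the workaround or to revert the pool to ApplicationPoolIdentity. The function names Get-DefaultAppPoolIdentity, Set-DefaultAppPoolIdentity and Test-Kb3140410Installed are chosen for this example; the WebAdministration module (IIS 7.5 on Windows Server 2008 R2) and the Get-HotFix cmdlet are standard.

```powershell
# Added example (not part of the KB article): apply or revert the temporary
# DefaultAppPool identity workaround on an Exchange 2010/2007 Client Access
# server, gated on whether KB3140410 is already installed.
# Assumptions: elevated Windows PowerShell on the legacy CAS itself, with the
# WebAdministration module available (IIS 7.5, Windows Server 2008 R2).

Import-Module WebAdministration

$PoolPath = 'IIS:\AppPools\DefaultAppPool'

function Get-DefaultAppPoolIdentity {
    # Returns ApplicationPoolIdentity, NetworkService, LocalService, LocalSystem or SpecificUser.
    (Get-ItemProperty -Path $PoolPath -Name processModel).identityType
}

function Set-DefaultAppPoolIdentity {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('ApplicationPoolIdentity', 'NetworkService')]
        [string]$IdentityType
    )
    Set-ItemProperty -Path $PoolPath -Name processModel.identityType -Value $IdentityType
    # Equivalent to clicking Recycle in IIS Manager; the new identity takes
    # effect only when the worker process is restarted.
    Restart-WebAppPool -Name 'DefaultAppPool'
    Get-DefaultAppPoolIdentity
}

function Test-Kb3140410Installed {
    # Get-HotFix returns nothing (or a non-terminating error) when the update is absent.
    [bool](Get-HotFix -Id 'KB3140410' -ErrorAction SilentlyContinue)
}

$Before = Get-DefaultAppPoolIdentity

if (Test-Kb3140410Installed) {
    # The fix is present: restore the isolated per-pool identity.
    $After = Set-DefaultAppPoolIdentity -IdentityType 'ApplicationPoolIdentity'
} else {
    # The fix is not yet installed: apply the temporary workaround.
    $After = Set-DefaultAppPoolIdentity -IdentityType 'NetworkService'
}

"DefaultAppPool identity on $env:COMPUTERNAME changed from $Before to $After"
```

Run the script once per legacy Client Access server. It only touches DefaultAppPool, which is the pool that the article's workaround names, and it leaves the Exchange application pools alone. Rerunning it after the update and the required restart is the way to undo the workaround, because the script then sees KB3140410 and puts the pool back on ApplicationPoolIdentity.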

Article ID: 2990117 - Last Review: Mar 29, 2016 - Revision: 1
