Outlook connection issues with Exchange mailboxes because of the RPC encryption requirement

Applies to: Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Exchange Server 2013 Enterprise

This article applies only to Outlook connection issues that are caused by the RPC encryption requirement.

The screenshot about RPC encryption option

Symptoms


When you start Microsoft Office Outlook by using a profile that includes a mailbox on a server that is running Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, or Microsoft Exchange Server 2016, you may receive the following error messages: 
  • Cannot start Microsoft Office Outlook. Unable to open the Outlook window. The set of folders could not be opened.
  • Unable to open your default e-mail folders. The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance.
  • The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.
  • Unable to open your default e-mail folders. The information store could not be opened.
  • Outlook could not log on. Check to make sure you are connected to the network and are using the proper server and mailbox name. The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.
Also, if you are using a cached mode profile, Outlook does not display an error. Instead, you may experience the following symptoms:
  • Outlook starts in the Disconnected state (the lower-right corner of the Outlook window displays "Disconnected"; a screenshot of this state is shown below).

    The screen shot for the lower-right corner of the Outlook windows
  • Outlook starts and you can send and receive email messages. However, you only see two connections within the "Microsoft Exchange Connection Status" and you may see the Type Directory displayed as Disconnected/Connecting.

    The screenshot of this symptom
When you try to create a new Outlook profile for a mailbox on a server that is running Exchange 2010 or Microsoft Exchange Server 2013, you may receive the following error messages:
  • The action could not be completed. The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.
  • The name could not be resolved. The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.
  • Outlook could not log on. Check to make sure you are connected to the network and are using the proper server and mailbox name. The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.
  • The name could not be resolved. The action could not be completed.
  • Your Server or Mailbox names could not be resolved.

Resolution


Note If you are using one of the automated methods (Group Policy or a .prf file), make sure that you fully test the method before you deploy it on a large scale.

Method 1: Update or create your Outlook profile with RPC encryption

Manually update an existing profile

To manually update an existing Outlook profile so that it uses RPC encryption, follow these steps:
  1. In Control Panel, open the Mail item.
  2. Select Show Profiles.
  3. Select your profile, and then click Properties.
  4. Select E-mail Accounts.
  5. Select Microsoft Exchange (send from this account by default) account > Change.
  6. In the dialog box that contains your mailbox server and user name, select More Settings.
  7. In the Microsoft Exchange dialog box, select the Security tab.
  8. Select Encrypt data between Microsoft Office Outlook and Microsoft Exchange > OK (a screenshot for this step is shown below).

    The screen shot for this step
  9. Select Next > Finish.
  10. Select Close > Close > OK.

Deploy a Group Policy setting to update existing Outlook profiles with RPC encryption

From a client perspective, deploying the Outlook-Exchange encryption setting is probably the simplest solution for organizations that have many Outlook clients. This solution involves a single change on a server (domain controller), and your clients are automatically updated after the policy is downloaded to the client.

Method 2: Disable the encryption requirement on all CAS servers

Important Microsoft strongly recommends that you leave the encryption requirement enabled on your server and use one of the other methods listed in this article. Method 2 is provided only for situations where you cannot immediately deploy the necessary RPC encryption settings on your Outlook clients. If you use Method 2 to allow Outlook clients to connect without RPC encryption, re-enable the RPC encryption requirement on your CAS servers as quickly as possible to maintain the highest level of client-to-server communication.

To disable the required encryption between Outlook and Exchange, follow these steps:
  1. Run the following command in the Exchange Management Shell: 
    Set-RpcClientAccess -Server <Exchange_server_name> -EncryptionRequired:$False
    Note The Exchange_server_name placeholder represents the name of an Exchange Server that has the Client Access Server role.

    You must run this cmdlet for all Client Access servers that are running Exchange Server 2010 or later version.
  2. Rerun this command for each Exchange server that has the Client Access Server role. The command also needs to be run on each server with the Mailbox Server role that contains a Public Folder Store, because Public Folder connections from the MAPI client go directly to the RPC Client Access Service on the Mailbox server.
  3. After your Outlook clients are updated with the setting to enable encrypted RPC communication with Exchange (see Method 1), you can re-enable the RPC encryption requirement on your Exchange servers that have the Client Access Server role.

    To re-enable the RPC encryption requirement on your Exchange servers that have the Client Access Server role, run the following command in the Exchange Management Shell: 
    Set-RpcClientAccess -Server <Exchange_server_name> -EncryptionRequired:$True
    Note The Exchange_server_name placeholder represents the name of an Exchange server that has the Client Access Server role. 

    You must run this cmdlet for all Client Access servers that are running Exchange Server 2010 or later version.
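
One way to find every server still left in the Method 2 state and turn the requirement back on, shown as an added example that is not part of the original article. It assumes it is run in the Exchange Management Shell by an account allowed to run Set-RpcClientAccess; the function name Restore-RpcEncryptionRequirement is hypothetical.

```powershell
# Added example, not Microsoft's code. Run in the Exchange Management Shell.
# Restore-RpcEncryptionRequirement is a hypothetical helper name.
function Restore-RpcEncryptionRequirement {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param()

    # One object per server running the RPC Client Access service:
    # Client Access servers, plus Mailbox servers that host a Public
    # Folder Store (see step 2 above).
    $settings = @(Get-RpcClientAccess)

    # Show the current state of every server before changing anything.
    $settings | Sort-Object Server |
        Format-Table Server, EncryptionRequired -AutoSize | Out-Host

    # Servers that still accept unencrypted RPC from Outlook.
    $unencrypted = @($settings | Where-Object { -not $_.EncryptionRequired })
    if ($unencrypted.Count -eq 0) {
        Write-Host 'All servers already require RPC encryption.'
        return
    }

    foreach ($s in $unencrypted) {
        # Honors -WhatIf and -Confirm, so the change can be previewed.
        if ($PSCmdlet.ShouldProcess($s.Server, 'Set EncryptionRequired to $true')) {
            Set-RpcClientAccess -Server $s.Server -EncryptionRequired:$true
        }
    }

    # Re-read the setting and return any server that is still not
    # enforcing encryption, so the caller can alert on a non-empty result.
    Get-RpcClientAccess |
        Where-Object { -not $_.EncryptionRequired } |
        Select-Object Server, EncryptionRequired
}

# Preview only: lists the servers that would be changed.
Restore-RpcEncryptionRequirement -WhatIf
```

Run it without -WhatIf only after the Outlook clients have the encryption setting from Method 1; clients that still have it disabled will fail to connect with the errors listed under Symptoms.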

Cause


One possible cause is that the Encrypt data between Microsoft Office Outlook and Microsoft Exchange setting is disabled in your Outlook profile. The default configuration for Exchange Server 2013 requires RPC encryption from the Outlook client, so a client that has this setting disabled cannot connect.

Note The default Exchange Server 2010 Release to Manufacturing (RTM) configuration requires RPC encryption. This behavior changed in Microsoft Exchange Server 2010 Service Pack 1, where the RPC encryption requirement is disabled by default. However, any Client Access Server (CAS) that was deployed before Service Pack 1, or that was upgraded to Service Pack 1, retains its existing RPC encryption requirement setting, which could still prevent the client from connecting.