You have an on-premises deployment, in which Microsoft Exchange Server 2013 is installed in an existing Exchange Server 2010 or Exchange Server 2007 organization.
You have an on-premises deployment, in which Exchange Server 2016 is installed in an existing Exchange Server 2010 organization.
You have a hybrid deployment of Exchange Server and Exchange Online in Office 365, in which the hybrid server is running Exchange Server 2013 or later.
In either of these scenarios, users who have a mailbox on Exchange 2013 or later or Exchange Online are constantly prompted for credentials. If the users click Cancel when they are prompted for credentials, they can access their mailboxes. However, they can't open the following resources:
A shared mailbox or a shared calendar of the mailbox in Exchange Server 2010 or Exchange Server 2007
A public folder in Exchange Server 2010 or Exchange Server 2007
Additionally, users receive the following error message:
Cannot expand the folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance.
This issue occurs if the Logon network security option in Microsoft Outlook is set to Anonymous Authentication. If you manually change the setting to something else, the Autodiscover service will change it back to Anonymous Authentication. (Refer the following screen shot)
If Outlook Anywhere is configured by using one of the following combinations, the Autodiscover service sends "Anonymous" to the Outlook clients as the Logon network security option:
"ExternalHostName" is set, and "ExternalClientAuthenticationMethod" is set to Negotiate. (Refer the following screen shot)
"InternaClientlAuthenticationMethod" is set to Negotiate, and "InternalClientRequireSSL" is set to True. (Refer the following screen shot)
To resolve this issue, follow these steps:
Run the Get-OutlookAnywhere cmdlet to verify the Outlook Anywhere settings on the Exchange server. The following example retrieves all Outlook Anywhere settings on the Exch1 server.
Get-OutlookAnywhere -Server Exch1
If "ExternalHostName" is set, and "ExternalClientAuthenticationMethod" is Negotiate, change "ExternalClientAuthenticationMethod" to something other than Negotiate. The following example sets "ExternalClientAuthenticationMethod" to NTLM for the Exch1 server.
If "InternaClientlAuthenticationMethod" is set to Negotiate, and "InternalRequireSSL" is True, change "InternalClientAuthenticationMethod" to something other than Negotiate, or change "InternalRequireSSL" to False. The following example sets "InternalClientAuthenticationMethod" to NTLM for the Exch1 server: