Need help on this.

E2013 CU8 + E2007 CU13

Owa works fine for both migrated and non migrated mailbox

Outlook anywhere works only for migrated (externally) and work for both internally (pointing CAS2013).

Externally I'm not able to connect to non-migrated mailbox with OA (Outlook 2010 and 2013) - error say exchange is not connected.

On CAS 2007 I got this

2015-05-11 21:41:00 W3SVC1 10.120.10.9 HEAD /Autodiscover - 443 - 10.120.10.91 HttpProxy.ClientAccessServer2010Ping 401 2 2148074254 on a non migrated user attempting to connect through outlook.

Virtual Dir are ok

Providers on Authenticatio Backend\Rpc is ok

Got any idea..

really appreciate.

Gio.

Typo, E2013 CU8 + E2007 RU15

Experiencing a similar issue myself.  Ex2013 CU8, and Ex2007 RU15.  Ex2013 CU8 was a brand new install.  OWA redirects just fine, EAS proxies fine for 2007 mailbox.  Autodiscover and Outlook Anywhere are dead in the water for 2007 mailboxes, both internally and externally.  401 errors for Autodiscover.  2013 mailboxes work just fine.

Is your legacy E2007 environment on Win2003 or Win2008? I think the problem is at the authentication level during proxing from E2013 to E2007. Mine is on Win2003, checked the Rpc Virtual Directory / Security / Authentication Settings on IIS6 and I got "Anonymous" enabled and should not. But, according to Microsoft Technet https://technet.microsoft.com/en-us/library/bb124892%28v=exchg.65%29.aspx -- RPC over HTTP does not allow anonymous access by default, despite what the user interface shows. So I don't know what to check...

Hi Giociva,

On Exchange 2007 management shell have you run the following commands.

Outlook Anywhere:

Set-OutlookAnywhere -Identity "E12-01\Rpc (Default WebSite)" -IISAuthenticationMethods Basic,Ntlm


Get-OutlookAnywhere -Identity "E12-01\Rpc (Default WebSite)" | fl Id, IISAuthenticationMethods 

Moreover the Guide I referred, says it needs separete TMG (reverse proxy) listener for Ex2007.

Public DNS

Record	Comment
mail.contoso.com	Point to TMG Listener
autodiscover.contoso.com	Point to TMG Listener
Legacy.contoso.com	New record Point to TMG Listener

You can go through the below link to confirm if you have everything in place.

Also I would like to know which guide did you follow for the migration. Exchange Deployment Assistant?

References:

Part 3: Step-by-Step Exchange 2007 to 2013 Migration

Hi

IISAuthenticationMethods is already set with Basic,Ntlm

Id                       : CAS\Rpc (Default Web Site)
IISAuthenticationMethods : {Basic, Ntlm}

Since my E2013 is not published yet, i'm testing using Local host file. I'm following the same guide.

Thanks,

Hi Giociva,

Try this out as well

The Microsoft Remote Connectivity Analyzer tool is a free Web-based tool that helps you troubleshoot connectivity issues. The tool simulates several client logon and mail flow scenarios. When a test fails, troubleshooting tips can assist you in correcting the problem.

Take a look at: Microsoft Remote Connectivity Analyzer Tool

I cannot use MRCAT...the E2013 is not published yet. I'm testing everything before publishing.

Tx

Hi Giociva,

On Exchange 2007 management shell have you run the following commands.

Outlook Anywhere:

Set-OutlookAnywhere -Identity "E12-01\Rpc (Default WebSite)" -IISAuthenticationMethods Basic,Ntlm


Get-OutlookAnywhere -Identity "E12-01\Rpc (Default WebSite)" | fl Id, IISAuthenticationMethods 

External Outlook Connectivity

In order to support access for Outlook Anywhere clients whose mailboxes are on legacy versions of Exchange, you will need to make some changes to your environment which are documented in the steps within the Exchange Deployment Assistant. Specifically, you will need to enable Outlook Anywhere on your legacy Client Access servers and enable NTLM in addition to basic authentication for the IIS Authentication Method.

• The Outlook Anywhere external URL is set to the external hostname of the Exchange 2013 server.

• Client authentication, which is used to allow clients like Outlook 2013 to authenticate with Exchange, is set to Basic.

• Internet Information Services (IIS) authentication, which is used to allow Exchange servers to communicate, set to NTLM and Basic.

• Set the SCP object on every Exchange 2007 server to the AutoDiscover URL of the new Exchange 2013 server.

Run the following command to view the Outlook Anywhere configuration on your Exchange 2007 servers:

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-OutlookAnywhere | Format-Table AutoDiscoverServiceInternalUri, Server, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading, ExternalHostname -Wrap

Moreover the Guide I referred, says it needs separete TMG (reverse proxy) listener for Ex2007.(Might not be applicable for your issue though)

Public DNS

Record	Comment
mail.contoso.com	Point to TMG Listener
autodiscover.contoso.com	Point to TMG Listener
Legacy.contoso.com	New record Point to TMG Listener

You can go through the below link to confirm if you have everything in place.

Also I would like to know which guide did you follow for the migration. Exchange Deployment Assistant?

References:

Part 3: Step-by-Step Exchange 2007 to 2013 Migration

My legacy Ex2007 server is Server 2008.  NTLM across the board for Outlook Anywhere. 

Check the IIS logs on the Ex2013 and Ex2007 to figure out what is happening.

If you had followed the guide, hope your Ex2007 AutoDiscoverServiceInternalUri and Outlook Anywhere external URL are updated with Ex201

I guess I should have RTFM of the Exchange Deployment Assistant.  I clearly missed the note about needing to set basic auth for the clientauthenticationmethod for 2007 OA.  Once I set that, OA works both internally and externally for me.  However, Autodiscover still gives me a 401 when front-ended to a 2013 server for a 2007 mailbox. 

Thank you Jerome, but I already checked that, 

[PS] C:\>Get-OutlookAnywhere -Server Cas | fl *auth*


ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic, Ntlm}

Already checked also that Satyajit, 

autodiscoverinternaluri and externalhostname for E2007 are updated with E2013 external hostname

Hi,

Please run the following command to check the Outlook Anywhere configuration in your Exchange 2013 and Exchange 2007:

Get-OutlookAnywhere | fl Identity,*auth*,*host*,*SSL*

Also make sure the autodiscover.domain.com is available and pointed to your external mail server for external Outlook Anywhere users accessing. 

Regards,

David

Hi Giociva,

You can test two things here.

Configure a machine inside, then move it out and access. - Outlook Anywhere will be used directly.

Configure a machine Outsite. - This will require Autodiscover via DNS to work.

From Outside are you able to access

https://autodiscover.domain.com/Autodiscover/Autodiscover.xml

Every roads point me to this: despite on CAS2007 I got Auth Basic, NTLM when I look into IIS6 interface I got Anonymous Access flagged...

What do you think about?

many thanks...

giovanni

Hi Giovanni,

This appears to be default settings for Ex2013\2010 as well.

Default settings for Exchange virtual directories:

https://technet.microsoft.com/en-us/library/gg247612(v=exchg.150).aspx

https://technet.microsoft.com/en-us/library/gg247612(v=exchg.141).aspx

This one says disable it:

https://technet.microsoft.com/en-us/library/ff360825(v=exchg.140).aspx

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=2&EvtSrc=MSExchange+Autodiscover

How does Autodiscover service retrieve Outlook Anywhere ClientAuthenticationMethod in Exchange 2010?

http://blogs.technet.com/b/ehlro/archive/2013/11/13/how-does-autodiscover-service-retrieve-outlook-anywhere-clientauthenticationmethod-in-exchange-2010.aspx

This might be related to your issue:

The issue is triggered when the setting for Logon network security in the Outlook Profile is set to Anonymous Authentication.

This setting cannot be manually changed because Autodiscover will change it back.

http://blog.gothamtg.com/2013/10/15/users-constantly-prompted-for-credentials-after-being-migrated-to-exchange-2013/