Outlook Anywhere proxy changed from Basic to NTLM for external users

I have an Exchange 2013 environment that is also running Exchange 2010 coexistence (migrating). What is happening is autodiscover is handing out NTLM for the proxy settings and not Basic. However, when it is using NTLM we seem to get the password prompt over and over. If I manually change it to Basic then it works fine, but when autodiscover goes again it changes back to NTLM and prompts that the Administrator made a change and you need to restart Outlook.

I checked Outlook Anywhere and all my servers have Basic set for external users and NTLM set for internal.

I only have a few mailboxes on 2013 and 2010 mailboxes seem not to have a problem.

Here is an output for Outlook Anywhere on all six servers:



Identity                           : CAS01\Rpc (Default Web Site)
ExchangeVersion                    : 0.10 (14.0.100.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

Identity                           : CAS02\Rpc (Default Web Site)
ExchangeVersion                    : 0.10 (14.0.100.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

Identity                           : CAS03\Rpc (Default Web Site)
ExchangeVersion                    : 0.10 (14.0.100.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

Identity                           : EXCH2K13-01\Rpc (Default Web Site)
ExchangeVersion                    : 0.20 (15.0.0.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

Identity                           : EXCH2K13-02\Rpc (Default Web Site)
ExchangeVersion                    : 0.20 (15.0.0.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

Identity                           : EXCH2K13-03\Rpc (Default Web Site)
ExchangeVersion                    : 0.20 (15.0.0.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}



March 26th, 2015 8:42pm

What is the internalhostname and externalhostname set to on the 2013 servers?

March 26th, 2015 8:51pm

This is the output. I changed my domain to just domain.com and internal is cloud.local:



Identity         : CAS01\Rpc (Default Web Site)
ExchangeVersion  : 0.10 (14.0.100.0)
InternalHostname : 
ExternalHostname : mail.domain.com

Identity         : CAS02\Rpc (Default Web Site)
ExchangeVersion  : 0.10 (14.0.100.0)
InternalHostname : 
ExternalHostname : mail.domain.com

Identity         : CAS03\Rpc (Default Web Site)
ExchangeVersion  : 0.10 (14.0.100.0)
InternalHostname : 
ExternalHostname : mail.domain.com

Identity         : EXCH2K13-01\Rpc (Default Web Site)
ExchangeVersion  : 0.20 (15.0.0.0)
InternalHostname : mail.domain.com
ExternalHostname : mail.domain.com

Identity         : EXCH2K13-02\Rpc (Default Web Site)
ExchangeVersion  : 0.20 (15.0.0.0)
InternalHostname : mail.domain.com
ExternalHostname : mail.domain.com

Identity         : EXCH2K13-03\Rpc (Default Web Site)
ExchangeVersion  : 0.20 (15.0.0.0)
InternalHostname : mail.domain.com
ExternalHostname : mail.domain.com


March 26th, 2015 8:55pm

Is it because it can't tell if the user is external or internal since I have the internal and external hostname the same? The issue is I need internally everyone to point to mail.domain.com also because of the SSL prompts.

I have a zone for domain.com internally that points it to the load balancer IP internally (which is Citrix Netscaler)

March 26th, 2015 8:57pm

Is it because it can't tell if the user is external or internal since I have the internal and external hostname the same? The issue is I need internally everyone to point to mail.domain.com also because of the SSL prompts.

I have a zone for domain.com internally that points it to the load balancer IP internally (which is Citrix Netscaler)

If the internal and external match, then it uses the internalhostname and the internal auth, yes

March 26th, 2015 9:09pm
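
The condition described in the reply above (internal and external hostname identical while the two client authentication methods differ) can be checked across every server in one pass. This is an added example, not part of the original thread; `Find-AmbiguousOutlookAnywhere` is a hypothetical helper name, and the sample rows are constructed from the output posted earlier.

```powershell
# Constructed sample rows mirroring the Get-OutlookAnywhere output in this thread.
# In a live Exchange Management Shell, use instead:  $rows = Get-OutlookAnywhere
$rows = @(
    [pscustomobject]@{
        Identity                           = 'CAS01\Rpc (Default Web Site)'
        InternalHostname                   = ''
        ExternalHostname                   = 'mail.domain.com'
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalClientAuthenticationMethod = 'Basic'
    }
    [pscustomobject]@{
        Identity                           = 'EXCH2K13-01\Rpc (Default Web Site)'
        InternalHostname                   = 'mail.domain.com'
        ExternalHostname                   = 'mail.domain.com'
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalClientAuthenticationMethod = 'Basic'
    }
)

# Hypothetical helper: emits one row per server whose hostnames match
# but whose internal and external client auth methods differ.
function Find-AmbiguousOutlookAnywhere {
    param([Parameter(ValueFromPipeline = $true)] $Server)
    process {
        # Cast to string so both real Hostname objects and $null compare cleanly.
        $int = "$($Server.InternalHostname)".Trim()
        $ext = "$($Server.ExternalHostname)".Trim()
        # A blank hostname (as on the 2010 servers here) cannot collide.
        if (-not $int -or -not $ext) { return }

        $intAuth = "$($Server.InternalClientAuthenticationMethod)"
        $extAuth = "$($Server.ExternalClientAuthenticationMethod)"
        if (($int -ieq $ext) -and ($intAuth -ine $extAuth)) {
            [pscustomobject]@{
                Identity     = $Server.Identity
                Hostname     = $int
                InternalAuth = $intAuth
                ExternalAuth = $extAuth
            }
        }
    }
}

$rows | Find-AmbiguousOutlookAnywhere | Format-Table -AutoSize
```

With the sample rows, only the EXCH2K13-01 entry is reported, since the 2010 server has no internal hostname set.
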

Awesome let me change internal auth to Basic and try that.
March 26th, 2015 9:13pm

Awesome let me change internal auth to Basic and try that.

That will cause password prompts and if you are using legacy Public Folders it should be set to NTLM.

Don't know why external is getting prompted for NTLM unless you are doing some reverse proxy or something.

March 26th, 2015 9:16pm

I'm not using a reverse proxy.

Uhm... So I have internal and external users but my SSL is a wildcard for *.domain.com. I'm trying to get it to work both internally and externally without SSL prompts. The devices connecting internally will never go outside of the internal network and the devices connecting externally will never come inside the network.

I do not have any internal users using legacy public folders but I do have external users using them.

March 26th, 2015 9:23pm

Hi,

Please refer to the following KB to set the Outlook Anywhere settings on Exchange Server 2013 Client Access servers:

http://support.microsoft.com/en-us/kb/2834139

If it doesn't work with the resolution above, please do the following check in ADSI Edit:

1. In ADSI Edit, expand Configuration -> CN=Services -> CN=Microsoft Exchange -> CN=domain -> CN=Administrative Groups -> CN=Exchange Administrative Group -> CN=Databases.

2. Right-click the listed database > Properties.

3. Check whether the msExchHomePublicMDB value is set to an available value. Please change the value to <not set>.

4. Click OK.

Then check whether the issue persists.

Regards,

March 29th, 2015 11:22pm

This topic is archived. No further replies will be accepted.
