Wednesday, July 29, 2020

Issues with Exchange 2010 and Exchange 2016 coexistence

This one is primarily notes to myself...

  • When Exchange 2016 is installed with Exchange 2010, MAPI over HTTP is enabled by default for the organization.
  • Exchange 2010 mailboxes continue to be accessed via RPC.
  • Exchange 2016 mailboxes will use MAPI over HTTP.
  • If Exchange 2016 mailboxes have Full Access to an Exchange 2010 mailbox then Outlook Anywhere is used to connect to that secondary mailbox.
  • If using a wildcard cert, you need to set the certificate name for the EXPR Outlook provider for Outlook Anywhere as msstd:*

Authentication prompts

Exchange 2010 on Windows Server 2008 R2 requires a security update for Outlook Anywhere to function properly. This is a security update from 2016 (KB3140410). It "should" already be in place, but if it's not then Outlook Anywhere will cause tons of authentication popups in Outlook.

I saw this manifest as Exchange 2016 mailboxes with a secondary mailbox on Exchange 2010 getting the popups. Only an Exchange 2016 mailbox was fine because it used only MAPI over HTTP on Exchange 2016. Only an Exchange 2010 mailbox was fine because it used only RPC to Exchange 2010.

If the update is not in place and you don't have the opportunity to apply it quickly, you can modify DefaultAppPool in IIS Manager to use the identity Network Service. Recycle DefaultAppPool for the change to take effect. Recycling DefaultAppPool does not affect users.

Error message that you will likely see in the RpcHttp proxy log (C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\RpcHttp):

Complete=PrepareServerRequest;,WebExceptionStatus=ProtocolError;ResponseStatusCode= 401; WebException=System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at
Microsoft.Exchange.HttpProxy.RpcHttpProxyRequestHandler.c__DisplayClass1.nullb__0(); HttpException=System.Web.HttpException (0x80004005): NegotiateSecurityContext failed with for host '' with status 'InvalidToken' at Microsoft.Exchange.HttpProxy.KerberosUtilities.GenerateKerberosAuthHeader.

Win7 certificate errors

Windows 7 clients that don't have TLS 1.1 and 1.2 enabled might see a certificate error when connecting to Exchange 2016 for web services (not necessarily mailbox). To enable TLS 1.1 and 1.2 on Windows 7, you need to ensure that update KB3140245 is installed. With the update installed, you need to create additional registry entries.
The registry keys created by the quickfix utility distributed with this update by Microsoft are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    • Create DWORD: DefaultSecureProtocols
    • Value: 0xA00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    • Create DWORD: DefaultSecureProtocols
    • Value: 0xA00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • Create DWORD: SecureProtocols
    • Value: 0xA8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • Create DWORD: SecureProtocols
    • Value: 0xA8
The DefaultSecureProtocols key is used by the Office Apps and the value 0xA00 designates TLS 1.1 and TLS 1.2.

The SecureProtocols key is used by Internet Explorer and the value 0xA08 designates TLS 1.0, TLS 1.1, and TLS 1.2.
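
A read-only check of the four values above, as an added example (not from the original post or from Microsoft's utility): it reads each value and decodes the bitmask into protocol names, so a client can be verified after the change. It assumes the WinHTTP/WinINet protocol flag bits SSL 2.0 = 0x8, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800; the function and variable names are illustrative.

```powershell
# Added example: audit the registry values listed above (read-only).
# Protocol flag bits used by WinHTTP (DefaultSecureProtocols) and WinINet (SecureProtocols).
$ProtocolBits = @(
    @{ Name = 'SSL 2.0'; Bit = 0x008 },
    @{ Name = 'SSL 3.0'; Bit = 0x020 },
    @{ Name = 'TLS 1.0'; Bit = 0x080 },
    @{ Name = 'TLS 1.1'; Bit = 0x200 },
    @{ Name = 'TLS 1.2'; Bit = 0x800 }
)

# Hypothetical helper: turn a bitmask into a comma-separated list of protocol names.
function ConvertFrom-SecureProtocolMask {
    param([int]$Mask)
    $enabled = @()
    foreach ($p in $ProtocolBits) {
        if ($Mask -band $p.Bit) { $enabled += $p.Name }
    }
    if ($enabled.Count -eq 0) { return '(none)' }
    return ($enabled -join ', ')
}

# The four locations named in the post.
$Targets = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'SecureProtocols' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'SecureProtocols' }
)

foreach ($t in $Targets) {
    $name = $t.Name
    $item = Get-ItemProperty -Path $t.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0}\{1}: not set" -f $t.Path, $name)
        continue
    }
    $mask = [int]$item.$name
    $line = "{0}\{1} = 0x{2:X} -> {3}" -f $t.Path, $name, $mask, (ConvertFrom-SecureProtocolMask $mask)
    # Flag configurations a defender would want to revisit.
    if (-not ($mask -band 0x800)) { $line += '  [TLS 1.2 NOT enabled]' }
    if ($mask -band 0x028)        { $line += '  [SSL 2.0/3.0 enabled]' }
    Write-Output $line
}
```

With these bits, TLS 1.0, TLS 1.1 and TLS 1.2 together come to 0xA80, so compare the decoded protocol list, not the hex digits, against what you intended to enable.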


  1. Another note for me. Common to require restart of autodiscoverapppool and ExchangeServicesAppPool after mailbox moves. Restarting autodiscover allows profile to be correctly configured after move. Restarting ExchangeServices required for free/busy search.

  2. Hey there. I use a free tool called IISCrypto to easily change protocol and cypher settings on server to lock down old cyphers and open up new protocols. It should work just as well for Windows 7 workstations.