
Exchange 2016 CS with RPC and AAA Authentication



Trying to set up Outlook 2016 or ProPlus to work with NetScaler AAA Authentication. Everything is set up and works for OWA/ECP but the 401 auth seems to be failing for ECP. Basic authentication is enabled on the backend Exchange. Whenever a user authenticates I can see the NetScaler aaad.debug log succeed authentication, but then the end user receives an error saying "Failed to log on to Exchange" if we attempt to set up a brand new Outlook profile or "The information store could not be opened" if we are using an existing Outlook profile.

If I disable 401Auth on the RPC lb vserver, then end users can open Outlook fine, but obviously I want to force AAA for that vServer. Any ideas?

Edited by jonathanbclark1
Updated to say RPC instead of ECP in last sentence.

Hi,

I think you mean RPC instead of ECP, so your problem is with Outlook Anywhere, right? Which ADC version are you using? I can recommend the following blog post from Julian: https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/

Used this setup several times and it works fine.

Did you try to test sAMAccountName and UPN for the 401 Auth popup from Outlook?

Regards

Julian

On 6/25/2019 at 5:01 AM, Julian Jakob said:

Hi,

I think you mean RPC instead of ECP, so your problem is with Outlook Anywhere, right? Which ADC version are you using? I can recommend the following blog post from Julian: https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/

Used this setup several times and it works fine.

Did you try to test sAMAccountName and UPN for the 401 Auth popup from Outlook?

Regards

Julian

Yes, I have tried that article and we get the same thing. I think the problem may be that External Traffic on Exchange is configured for NTLM instead of Basic. I will follow up with my post once we are able to test and verify.


On 7/31/2019 at 5:39 PM, Jonathan Clark1709155079 said:

Discovered the issue was actually MAPI vs RPC.  As soon as we switched my Exchange account to MAPI it worked fine.

Hi Jonathan

Can you expand on what you did please? Did you leave the external authentication method as NTLM, or did you change to basic? What do you mean by "As soon as I switched my Exchange account to MAPI it worked fine". I am seeing the exact same issue as you and banging my head against the wall at the moment!

Thank you!


1 minute ago, Chris Gundry said:

Hi Jonathan

Can you expand on what you did please? Did you leave the external authentication method as NTLM, or did you change to basic? What do you mean by "As soon as I switched my Exchange account to MAPI it worked fine". I am seeing the exact same issue as you and banging my head against the wall at the moment!

Thank you!

This was a change on the backend Exchange server. You can set a global policy to force either MAPI or RPC, or you can set it by user. The later versions of Exchange use MAPI by default, but we had done several upgrades over the years and therefore RPC was enabled by default. You can read more about it here: https://docs.microsoft.com/en-us/exchange/clients/mapi-over-http/mapi-over-http?view=exchserver-2016 and how to change the setting here: https://docs.microsoft.com/en-us/exchange/clients/mapi-over-http/configure-mapi-over-http?view=exchserver-2016
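
An added example, not part of the thread or of Citrix or Microsoft documentation: an Exchange Management Shell check of the global and per-user MAPI over HTTP settings described in the post above, listing which mailboxes would still connect with RPC over HTTP, plus the authentication methods the thread asks about. The helper name Get-EffectiveProtocol is made up for this example, and it assumes a per-mailbox value of $null means the mailbox inherits the organization setting.

```powershell
# Run in the Exchange Management Shell (Exchange 2016). Read-only: changes nothing.

# Hypothetical helper: decide which protocol Outlook is offered for a mailbox.
# Assumption: a per-mailbox MapiHttpEnabled of $null inherits the organization value.
function Get-EffectiveProtocol {
    param(
        [bool]$OrgMapiHttpEnabled,
        [Nullable[bool]]$MailboxMapiHttpEnabled
    )
    $enabled = if ($null -ne $MailboxMapiHttpEnabled) { $MailboxMapiHttpEnabled }
               else { $OrgMapiHttpEnabled }
    if ($enabled) { 'MAPI over HTTP' } else { 'RPC over HTTP' }
}

# Global policy
$org = [bool](Get-OrganizationConfig).MapiHttpEnabled
"Organization MapiHttpEnabled: $org"

# Per-user settings combined with the global policy
$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    [pscustomobject]@{
        Mailbox  = $_.Identity
        Override = if ($null -eq $_.MapiHttpEnabled) { 'inherit' } else { $_.MapiHttpEnabled }
        Protocol = Get-EffectiveProtocol -OrgMapiHttpEnabled $org `
                       -MailboxMapiHttpEnabled $_.MapiHttpEnabled
    }
}

# Summary, then the mailboxes that would still use the RPC (Outlook Anywhere) path
$report | Group-Object Protocol | Select-Object Name, Count
$report | Where-Object Protocol -eq 'RPC over HTTP' |
    Sort-Object Mailbox | Format-Table Mailbox, Override -AutoSize

# Authentication methods published for each protocol (Basic vs NTLM)
Get-MapiVirtualDirectory |
    Format-List Server, ExternalUrl, IISAuthenticationMethods
Get-OutlookAnywhere |
    Format-List Server, ExternalHostname, ExternalClientAuthenticationMethod, IISAuthenticationMethods
```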


Just now, Jonathan Clark1709155079 said:

This was a change on the backend Exchange server. You can set a global policy to force either MAPI or RPC, or you can set it by user. The later versions of Exchange use MAPI by default, but we had done several upgrades over the years and therefore RPC was enabled by default. You can read more about it here: https://docs.microsoft.com/en-us/exchange/clients/mapi-over-http/mapi-over-http?view=exchserver-2016 and how to change the setting here: https://docs.microsoft.com/en-us/exchange/clients/mapi-over-http/configure-mapi-over-http?view=exchserver-2016

Thank you for the quick reply! I thought that was what you were referring to; unfortunately all our accounts are already on MAPI, not RPC :( Can you confirm if you have the Exchange external auth methods still on NTLM or did you change to basic? Did you set up a Kerberos delegation account?

Many thanks
