Setting up the IIS for Exchange Sync and Exchange / Office 365 Migration

Problem:

You get one of the window pop-ups shown below or you know for sure that your IIS settings have been modified.

Fig. 1. A window that pops up if SSL or Windows authentication in IIS is not set up properly.

Fig. 2. A window that pops up if ASP.NET Impersonation is enabled for Autodiscover authentication.

Fig. 3. A window that pops up if ASP.NET Impersonation is enabled for Rpc authentication.

Failed to open mailbox 'Private Folders'.
MAPI logon failed (MAPI_E_LOGON_FAILED)(0x80040111).

Solution:

CodeTwo Exchange Sync and CodeTwo Exchange / Office 365 Migration require IIS to be configured as follows:

  • SSL encryption for Rpc service in IIS - disabled.
  • ASP.NET Impersonation for Autodiscover - disabled (only Exchange Sync versions prior to 2.6).
  • Windows authentication for Autodiscover - enabled.
  • NTLM provider for Windows authentication for Autodiscover - enabled, located at the very top.
  • ASP.NET Impersonation for Rpc - disabled.
  • Windows authentication for Rpc - enabled.
  • NTLM provider for Windows authentication for Rpc - enabled, located at the very top.

These settings are the default in most Windows environments, and it is rather uncommon for them to be set differently. However, if you get any of the pop-up windows shown above, please follow these steps to set up IIS properly.

  1. Open your IIS Manager, expand your server tree, expand Sites, expand Default Web Site.
  2. Go to RPC, in the IIS section double-click SSL Settings, uncheck “Require SSL”, and click Apply in Actions on the right side of the screen.

Fig. 4. Location of the SSL Settings for RPC in the IIS.

  3. Go to RPC, in the IIS section:
    • double-click Authentication, make sure ASP.NET Impersonation is disabled,
    • double-click Authentication, make sure Windows Authentication is enabled,
    • click Providers and make sure NTLM is present on the list of enabled providers and located at the very top,
    • close the window, click Apply in Actions on the right side of the screen.

Fig. 5. Location of the Authentication Settings for RPC in the IIS.

Fig. 6. Location of the enabled Providers list.

  4. Go to Autodiscover, in the IIS section:
    • double-click Authentication, make sure ASP.NET Impersonation is disabled,
    • double-click Authentication, make sure Windows Authentication is enabled,
    • click Providers and make sure NTLM is present on the list of enabled providers and located at the very top,
    • close the window, click Apply in Actions on the right side of the screen.

Fig. 7. Location of the Authentication Settings for Autodiscover in the IIS.

Fig. 8. Location of the enabled Providers list.

  5. Restart IIS by executing the command below in your Windows Command Prompt or in PowerShell:
    iisreset

In some environments the above settings will be reverted to the original ones despite your changes. This may be caused by Outlook Anywhere enforcing its own policies. If that happens, you need to change a few settings in Outlook Anywhere. The fastest way to do that is to use the PowerShell cmdlets listed below in your Exchange Management Shell.

  1. Run your Exchange Management Shell and execute the following PowerShell cmdlets:
  2. To see your current settings and note the name of your server:
    Get-OutlookAnywhere
  3. Enable the SSLOffloading option:
    Set-OutlookAnywhere -Identity:"<name-of-your-server>\Rpc (Default Web Site)" -SSLOffloading $true
  4. Disable the SSL requirement for internal clients:
    Set-OutlookAnywhere -Identity:"<name-of-your-server>\Rpc (Default Web Site)" -InternalClientsRequireSsl $false
  5. Set IISAuthenticationMethods to Negotiate, ntlm:
    Set-OutlookAnywhere -Identity:"<name-of-your-server>\Rpc (Default Web Site)" -IISAuthenticationMethods: Negotiate, ntlm
  6. Now go back to your IIS configuration and set again the settings that were previously changed but reverted due to the Outlook Anywhere settings.

However, if despite the steps above, Windows still prompts you for credentials (Fig. 9), you may also configure the mode of authentication and session security to be used for network logons on your Exchange server.

Fig. 9. A window that pops up if the authorization mode is not compatible with the program.

You may achieve that by following these steps:

  1. Open the Registry Editor.
  2. Navigate to the following key: 
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  3. Open the LmCompatibilityLevel DWORD entry (or create it if not present) and set the decimal value to or 2, depending on your needs. You can find more information about this setting on Microsoft TechNet.
  4. Restart the machine to apply your changes.
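
A read-only check of the settings listed above, as an added example that is not CodeTwo's code: it reports the Rpc and Autodiscover state and the current LmCompatibilityLevel so the values can be recorded before anything is changed. It assumes the WebAdministration module, the default site and virtual directory names, and an elevated shell; the function names are hypothetical.

```powershell
# Added example: read-only audit of the IIS settings this article lists.
# Assumptions: WebAdministration module is present, the default names
# "Default Web Site", "Rpc" and "Autodiscover" are in use, shell is elevated.
Import-Module WebAdministration

function Get-IisValue {
    param([string]$Path, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    # Some attributes are returned wrapped in an object exposing .Value
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Get-VdirAuthState {
    param([string]$Vdir, [string]$Site = 'Default Web Site')
    $path = "IIS:\Sites\$Site\$Vdir"
    $win  = 'system.webServer/security/authentication/windowsAuthentication'
    $ssl  = [string](Get-IisValue $path 'system.webServer/security/access' 'sslFlags')
    # Provider names in the order IIS offers them to clients
    $prov = @(Get-WebConfigurationProperty -PSPath $path -Filter $win -Name 'providers.Collection' |
              ForEach-Object { $_.Value })

    [pscustomobject]@{
        Vdir          = $Vdir
        RequireSsl    = ($ssl -split ',\s*') -contains 'Ssl'
        Impersonation = [string](Get-IisValue $path 'system.web/identity' 'impersonate') -eq 'True'
        WindowsAuth   = [string](Get-IisValue $path $win 'enabled') -eq 'True'
        Providers     = $prov -join ','
        NtlmFirst     = ($prov.Count -gt 0 -and $prov[0] -eq 'NTLM')
    }
}

$state = 'Rpc', 'Autodiscover' | ForEach-Object { Get-VdirAuthState -Vdir $_ }
$state | Format-Table -AutoSize

# List every deviation from the article's required settings
foreach ($s in $state) {
    if ($s.Vdir -eq 'Rpc' -and $s.RequireSsl) { "Rpc: Require SSL is enabled" }
    # For Autodiscover the article requires this only for Exchange Sync prior to 2.6
    if ($s.Impersonation)    { "$($s.Vdir): ASP.NET Impersonation is enabled" }
    if (-not $s.WindowsAuth) { "$($s.Vdir): Windows Authentication is disabled" }
    if (-not $s.NtlmFirst)   { "$($s.Vdir): NTLM is not the first enabled provider" }
}

# Report (do not change) the network logon authentication level
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
"LmCompatibilityLevel: " + $(if ($lsa) { $lsa.LmCompatibilityLevel } else { 'not set' })
```

Saving the output before and after the change gives a record to compare against if Outlook Anywhere reverts the settings.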