CodeTwo Base.title

How to set up IIS for CodeTwo Exchange Sync and CodeTwo migration software

Problem:

You get one of the pop-up windows shown below or you know for sure that your IIS settings have been modified.

iis-window
Fig. 1. A window that pops up if SSL or Windows authentication in IIS are not set up properly.

287-1a
Fig. 2. A window that pops up if ASP.NET Impersonation is enabled for Autodiscover authentication.

Exchange Migration - MAPI E LOGON FAIL
Fig. 3. A window that pops up if ASP.NET Impersonation is enabled for Rpc authentication.

Failed to open mailbox 'Private Folders'.
MAPI logon failed (MAPI_E_LOGON_FAILED)(0x80040111).

Solution:

CodeTwo Exchange Sync and CodeTwo Exchange/Office 365 Migration require the following settings of IIS:

  • SSL encryption for the Rpc service in IIS - disabled.
  • ASP.NET Impersonation for Autodiscover - disabled (only Exchange Sync versions prior to 2.6).
  • Windows authentication for Autodiscover - enabled.
  • NTLM provider for Windows authentication for Autodiscover - enabled, located at the very top.
  • ASP.NET Impersonation for Rpc - disabled.
  • Windows authentication for Rpc - enabled.
  • NTLM provider for Windows authentication for Rpc - enabled, located at the very top.

The settings above are default for most Windows environments and it is rather uncommon for them to be set differently. If you, however, get any of the pop-up windows shown above, please follow these steps to set your IIS properly:

  1. Open your IIS Manager, expand your server tree, expand Sites, expand Default Web Site.
  2. Go to Rpc, in the IIS section double-click on SSL Settings, uncheck Require SSL, and click Apply in the Actions pane on the right side of the screen.

287-2
Fig. 4. SSL Settings for Rpc in IIS.

  1. Go to Rpc, in the IIS section:
    • double-click on Authentication, make sure that ASP.NET Impersonation is disabled and Windows Authentication is enabled,
    • in the same window, click on Windows Authentication, then click on Providers in the Actions pane on the right and make sure NTLM is present on the list of Enabled Providers and located at the very top,
    • close the window and click Apply in the Actions pane on the right side of the screen.

287-3-1<
Fig. 5. Authentication Settings for Rpc in IIS.

KB287-4
Fig. 6. Configuration of the Enabled Providers list.

  1. Go to Autodiscover, in the IIS section:
    • double-click on Authentication, make sure that ASP.NET Impersonation is disabled and Windows Authentication is enabled,
    • in the same window, click on Windows Authentication, then click on Providers in the Actions pane on the right and make sure NTLM is present on the list of Enabled Providers and located at the very top,
    • close the window and click Apply in the Actions pane on the right side of the screen.

287-5-2
Fig. 7. Authentication Settings for Autodiscover in IIS.

KB284-last
Fig. 8. Configuration of the Enabled Providers list.

  1. Restart your IIS by executing the following command in your Windows Command Prompt or in PowerShell:
    ​​iisreset

​In some environments the settings above will be reverted to default despite your changes. This may be caused by Outlook Anywhere enforcing its own policies. If that happens you need to change a few settings in Outlook Anywhere. The fastest way to do that is using the PowerShell cmdlets listed below in your ems Exchange Management Shell.

  1. Run your ems Exchange Management Shell and execute the following PowerShell cmdlets:
  2. To see your current settings and note the name of your server:
    Get-OutlookAnywhere
  3. Enable SSLOffloading option:
    Set-OutlookAnywhere -Identity:"<name-of-your-server>\Rpc (Default Web Site)" -SSLOffloading $true
  4. Disable SSL requirement for internal clients:
    Set-OutlookAnywhere -Identity:"<name-of-your-server>\Rpc (Default Web Site)" -internalclientsrequiressl $false
  5. Set IISAuthenticationMethods to Negotiate, ntlm
    Set-OutlookAnywhere -Identity:"<name-of-your-server>\Rpc (Default Web Site)" –IISAuthenticationMethods: Negotiate, ntlm
  6. Now go back to your IIS configuration and once again change the settings that were previously set but reverted by Outlook Anywhere.

However, if despite the steps above, your Windows still prompts you for credentials (Fig. 9.), you may also configure the mode of authentication and session security to be used for network logons on your Exchange server.

iis-window
Fig. 9. A window that pops up if the authorization mode is not compatible with the program.

You may achieve that by following these steps:

  1. Open the Registry Editor.
  2. Navigate to the following key: 
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  3. Open the LmCompatibilityLevel DWORD entry (or create one, if not present) and set the decimal value to or 2, depending on your needs. More information regarding this particular setting you may find on Microsoft TechNet.
  4. Restart the machine to apply your changes.
Our Clients:
Unicef
Facebook
Shell
T-Systems
Loreal
Casio
UPS Israel
Oford University
Mitsubishi Motors
Toshiba TEC UK Imaging Systems Ltd
Illinois Institute of Technology
MAN Diesel
McDonalds India
Skoda Auto
Bank of Israel
Fujifilm
China Mobile
Santander
Samsung SDI
Skanska
Generali
Telmex
Toyota Tsusho
BECHTEL
Ricoh
BAE SYSTEMS
Federação Portuguesa de Futebol
Credit Agricole
HYUNDAI
Rothschild
Toyota Boshoku
Oriflame Romania
ING
Ikea
Nordea

Partners, certificates & awards