Some time ago I stumbled upon a strange credential prompt in Outlook for an entire organization after changing the Autodiscover namespace to point to the Exchange 2016 servers.
When you search for this issue with your favorite search engine you get several hits where other administrators and users got the same error. The solutions posted in the forums, blogs and articles were all different, but they all touched on the same subject: Autodiscover.
So I decided to try the top solutions I found to see if they resolved my issue.
1 Exchange 2010 CAS/HUB
1 Exchange 2010 Mailbox
2 Exchange 2016 Mailbox (Mailbox role in Exchange 2016 has all Exchange roles except Edge)
Namespace URLs for both Exchange 2010 and Exchange 2016:
Outlook Anywhere: mail.contoso.com
Autodiscover SCP: https://mail.contoso.com/Autodiscover/Autodiscover.xml
We are using an SRV record for Autodiscover instead of an A record in the external DNS zone.
Today I installed two new Exchange 2016 servers at one of my customers. They are going to migrate from a classic Exchange 2010 CAS+Mailbox setup.
When I tried to log in to the ECP once the first Exchange server was up and running, I was thrown out directly, in a matter of seconds.
The first thing I did was to create a completely new Active Directory user with only the Organization Management group as permission, and no mailbox either.
That didn’t solve the problem. The next step was to reset the OWA and ECP virtual directories (New-OWAVirtualDirectory), but as I expected, no success.
How to Reset Client Access Virtual Directories
So I turned to my favorite search engine and stumbled upon this TechNet thread.
In short, the problem is related to the signing of the certificate used by the Exchange IIS service.
The signing is done with “Microsoft Software Key Storage Provider”, which makes the login loop back. To make it work you need a certificate signed by “Microsoft RSA SChannel Cryptographic Provider”.
The solution is to request a certificate with the signing mechanism “Microsoft RSA SChannel Cryptographic Provider”. A more complete deep dive into this has already been done by Jason Slaughter at Microsoft: “The One With The FBA Redirect Loop”.
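To check which provider the IIS-assigned certificate is using before requesting a new one, the following can be run in an elevated Exchange Management Shell on the Exchange 2016 server. This is an added example, not part of the original post or the linked article; it assumes an English-language Windows installation, where certutil labels the line "Provider =".

```powershell
# Added example: report the key provider of every Exchange certificate
# that has the IIS service assigned (the one used by OWA/ECP).
# Assumption: English-language certutil output ("Provider = <name>").
$expected = 'Microsoft RSA SChannel Cryptographic Provider'

Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object {
        $thumb = $_.Thumbprint

        # Dump this certificate from the local machine "My" store.
        # For certificates with a private key, certutil prints a
        # "Provider = ..." line naming the CSP or KSP that holds the key.
        $dump = certutil.exe -store My $thumb

        $line = $dump |
            Select-String -Pattern '^\s*Provider\s*=\s*(.+)$' |
            Select-Object -First 1

        $provider = if ($line) {
            $line.Matches[0].Groups[1].Value.Trim()
        } else {
            '(not reported)'   # no private key found, or localized output
        }

        [pscustomobject]@{
            Thumbprint = $thumb
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Provider   = $provider
            ProviderOk = ($provider -eq $expected)
        }
    } |
    Format-List
```

A certificate that shows "Microsoft Software Key Storage Provider" here with ProviderOk set to False is the case described above.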
Another nice thing I found while searching was how to change the display language for an EAC administrator account that does not have a mailbox.
Add ?mkt=EN-us after ECP. Example: https://mail.contoso.com/ecp?mkt=EN-us