Exchange 2013 Outlook Anywhere Considerations


With Exchange 2013 deployments already in place, I wanted to share some “new” behaviors, tips and more to help you prevent headaches and issues 🙂

With regard to two previous posts – Prevent Outlook Anywhere (aka RPC over HTTP) from being automatically configured in Exchange 2007 with autodiscover, and Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere – this post is a follow-up of sorts.

With Exchange 2013, Outlook Anywhere (aka RPC over HTTP/S) is the default connection method for Outlook clients: there are no more direct RPC connections from Outlook clients to the servers. Exchange 2013 essentially requires you to use Autodiscover and Outlook Anywhere to get your Outlook client connected at all. This is the main reason for writing this post. This information will be useful if you are getting ready to, or have already started to, deploy Exchange 2013. I’ll try to keep it simple and write it down as a list of things to consider, so it is easy for everyone to follow.

  1. If you followed my post about how to prevent Outlook Anywhere from being configured and removed the EXPR Outlook provider, start by restoring it. Run the following PowerShell command to restore it:
    New-OutlookProvider -Name:EXPR
  2. If you’re using any additional methods to configure Outlook clients or Outlook Anywhere, like static XML files, registry settings or Group Policy settings, make sure to revise or even remove them. See also
  3. Pay attention to publishing guides for Exchange 2013 – see Publishing Exchange Server 2013 using TMG and also Exchange 2013 Client Access Server Configuration
  4. When enabling Outlook Anywhere on Exchange 2013, note the following:
    1. Retain the current external authentication method (Basic or NTLM); your internal authentication method should always be NTLM.
      Get-OutlookAnywhere -Server (hostname) | Set-OutlookAnywhere -InternalHostname "" -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl $true -ExternalHostname "" -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl $true -IISAuthenticationMethods NTLM,Basic -SSLOffloading:$false
    2. Enable NTLM on the IIS /rpc virtual directory of your Exchange 2007/2010 servers (the filter below selects every Outlook Anywhere directory that is not on an Exchange 2013 server):
      Get-OutlookAnywhere | ?{ $_.AdminDisplayVersion -notlike "Version 15.*"} | Set-OutlookAnywhere -IISAuthenticationMethods NTLM,Basic
  5. Plan the CertPrincipalName value you will use; this is the certificate Subject Name that your clients will validate against, both internally and externally (remember the note above about internal and external authentication). My personal best practice is to use the same Subject Name on the certificate you use on your external TMG/UAG/Juniper/F5 reverse proxy and on your internal server or servers.
    Once you know this value you can configure your Outlook Provider accordingly (you can refer to this post for more information on the subject).
  6. If you installed a wildcard certificate on your Exchange 2013 server, you must perform the following:
    1. Update your EXPR setting – Set-OutlookProvider EXPR -CertPrincipalName msstd:*
    2. Update your EXCH setting (yes!) – Set-OutlookProvider EXCH -CertPrincipalName msstd:*
  7. Don’t freak out when you see the “new” Exchange 2013 server name in the profile: its value is actually the Mailbox GUID, and it is unique for every user. This means that you must use the Autodiscover wizard to configure Outlook profiles from now on: email address, password, and click Next.
    If you have full mailbox access to a different mailbox, that’s great: just type its email address and enter whatever you want for the password. (This will work only inside the LAN…)
  8. Don’t forget to update your Outlook clients, or else they will not connect to Exchange 2013; see Exchange 2013 System Requirements for the exact build information.
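To verify that an organization actually matches steps 1, 4, 5 and 6 above (and to catch the self-signed-certificate-on-IIS situation that comes up in the comments), here is an audit script I am adding as an example; it is not part of the original post. It assumes it runs in the Exchange Management Shell of an Exchange 2013 organization, and the msstd:*.example.com value is a placeholder for the CertPrincipalName you planned in step 5.

```powershell
# Audit of the Outlook Anywhere settings recommended above (added example, not from the post).
# Assumptions: runs in the Exchange Management Shell; $ExpectedCertPrincipalName is the
# msstd: value planned in step 5 (the default below is only a placeholder).
param(
    [string]$ExpectedCertPrincipalName = "msstd:*.example.com"
)

function Test-OutlookAnywhereConfig {
    param([string]$ExpectedCertPrincipalName)

    $findings = New-Object System.Collections.Generic.List[string]

    # Step 4: check every Outlook Anywhere virtual directory in the organization.
    foreach ($oa in (Get-OutlookAnywhere)) {
        $id         = "$($oa.Identity)"
        $is2013     = "$($oa.AdminDisplayVersion)" -like "Version 15.*"
        $iisMethods = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })

        if ($is2013) {
            # Step 4.1: internal clients use NTLM, SSL is required both ways, no SSL offloading.
            if ("$($oa.InternalClientAuthenticationMethod)" -ne "Ntlm") {
                $findings.Add("$id : InternalClientAuthenticationMethod is '$($oa.InternalClientAuthenticationMethod)', expected Ntlm")
            }
            if (-not $oa.InternalClientsRequireSsl) { $findings.Add("$id : InternalClientsRequireSsl is False") }
            if (-not $oa.ExternalClientsRequireSsl) { $findings.Add("$id : ExternalClientsRequireSsl is False") }
            if ($oa.SSLOffloading)                  { $findings.Add("$id : SSLOffloading is True, expected False") }
            if ("$($oa.InternalHostname)" -eq "")   { $findings.Add("$id : InternalHostname is empty") }
        }

        # Step 4.2: IIS on /rpc must offer NTLM and Basic on 2013 and on legacy 2007/2010 servers.
        foreach ($method in "NTLM", "Basic") {
            if ($iisMethods -notcontains $method) {
                $findings.Add("$id : IISAuthenticationMethods lacks $method (has: $($iisMethods -join ','))")
            }
        }
    }

    # Steps 1 and 6: EXPR and EXCH must exist and carry the planned CertPrincipalName.
    foreach ($name in "EXPR", "EXCH") {
        $provider = Get-OutlookProvider -Identity $name -ErrorAction SilentlyContinue
        if (-not $provider) {
            $findings.Add("Outlook provider $name is missing; recreate it with New-OutlookProvider -Name:$name")
            continue
        }
        if ("$($provider.CertPrincipalName)" -ne $ExpectedCertPrincipalName) {
            $findings.Add("Outlook provider $name : CertPrincipalName is '$($provider.CertPrincipalName)', expected $ExpectedCertPrincipalName")
        }
    }

    # Step 5: on each Exchange 2013 server, a self-signed certificate must not be bound to IIS,
    # otherwise clients may be presented with a name that does not match the planned one.
    $casServers = Get-OutlookAnywhere |
                  Where-Object { "$($_.AdminDisplayVersion)" -like "Version 15.*" } |
                  ForEach-Object { "$($_.Server)" } | Sort-Object -Unique
    foreach ($server in $casServers) {
        $iisCerts = @(Get-ExchangeCertificate -Server $server | Where-Object { "$($_.Services)" -match "IIS" })
        foreach ($cert in $iisCerts) {
            if ($cert.IsSelfSigned) {
                $findings.Add("$server : self-signed certificate $($cert.Thumbprint) is still bound to IIS")
            }
        }
    }

    return $findings
}

$result = Test-OutlookAnywhereConfig -ExpectedCertPrincipalName $ExpectedCertPrincipalName
if ($result.Count -eq 0) {
    Write-Output "Outlook Anywhere and Outlook provider settings match the recommendations above."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it after applying the steps and again a few hours later; as noted in the comments, Outlook clients pick up changed Outlook Anywhere settings only after some time, so a clean audit result does not mean every client has refreshed yet.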

That’s it for now; as deployments continue I will update this topic with new “gotchas”.

Hope this helps anyone out there.

112 thoughts on “Exchange 2013 Outlook Anywhere Considerations”

  1. hey,
    in Exchange 2010 we create a CAS Array and in that array we add the CAS servers of the site, so that users connect to that array for RPC/Outlook, and then we configure our mailbox databases to use that array for high availability.
    In Exchange 2013 what do we have to do? Because after running the command

    Get-MailboxDatabase | select name,rpcclientaccessserver | ft -auto
    I only see one CAS server, which means if that CAS server goes down my clients will not connect to
    Exchange anymore. You know there is no more CAS array and Exchange uses Outlook Anywhere for communication with the client.
    Do we have another method to make this work?

    1. Hi Ali,
      The RpcClientAccessServer property doesn’t affect client connectivity with Exchange 2013.
      With Exchange 2013 you create a DNS record which will point to your CAS (Front End) server/s; then, using Autodiscover, clients use RPC over HTTP to access the server. The mail profile is then configured to point to their mailbox GUID instead of the “old-fashioned” RPC endpoint.

      That’s basically it. So there is no “CAS array” in Exchange 2013… well, not in the form of an RPC endpoint anyhow.

      You can read more about it here:

      Hope this clears this out for you,

  2. I’m upgrading from Exch 2007 to Exch 2013 – all the clients default to Anonymous Authentication and this wreaks havoc – I ran steps 4 and 6 – and then it updates to Negotiate Authentication automatically, but for some unknown reason, unless I go into Control Panel, Mail, Email Accounts, Security (see that Negotiate Authentication is selected and Encrypt Data is checked), then click OK, and then click NEXT – the clients will still ask for a password. This is not the ideal solution as it requires me to touch all the clients, but on the upside, it works when I do it that way.
    Thanks for the post – a definite improvement over the clients not authenticating properly.

    1. Hi,
      The authentication settings on the client’s end are not controlled by Exchange. I think you could go either via GPO or create a custom PRF file to update clients via script, as you see fit.

      Good luck!

  3. After installing Exchange 2013 and using a wildcard certificate, from Outlook 2013 it is working fine. When we connected from Outlook 2007 and 2010, it was always asking for the password. Even if we typed the right password, it was not accepting it. When we configure manually for Outlook 2007 and 2010
    without msstd, it works fine.

          1. Instruction #6 above does not appear to indicate this. It shows not * yet you state that the config is for wildcard certs.

  4. Nice article. But when you say “you must use the Autodiscover wizard to configure outlooks from now on”, does that mean you can’t use a PRF file anymore? The reason I ask is I’m trying to get a PRF file from the Office 2013 DVD to work, but no matter what I type in I get errors when Outlook starts. If I don’t import the PRF file then Outlook auto configures itself perfectly. Thanks!

    1. I guess you are referring to what exactly to type in the “servername”? I’d advise using the “Automatically configure profile based on Active Directory Primary SMTP address” setting; see the link and look for zeroconfigexchange, that’s what you want to do.

  5. Hi Ilan,

    A good article indeed.

    I have one question with no cas array. For internal clients, we can create a DNS record and map it to point to the 2 or 3 cas servers so that the client connectivity is a kind of load balanced one.

    So how to achieve the load balanced architecture for external clients?

    1. Well, keep in mind that DNS isn’t really load balancing; with current versions, DNS round robin will always return to the client the IP by subnet mask ordering, which will probably render the “lowest” IP value…
      For external clients you can use any reverse proxy that supports a farm configuration. The new Server 2012 R2 Web Application Proxy will do the job great, or any other solution (TMG/F5/Juniper etc.)

  6. I was having problems with XP/Outlook 2010 clients connecting to Exchange 2013. I have spent all day trying to figure this out. Step 6B above fixed the problem. Your blog is the only place I have seen this step published. Thank you!

  7. Great article, thank you. Just one question – in a site currently co-existing with 2010, do you think that setting the EXCH provider to msstd:* will break the 2010 connectivity?

  8. The 2010 site already has a wildcard certificate, but we haven’t needed to set the EXCH provider, only EXPR.

    Only when I hostfile a computer directly to the 2013 CAS for testing have I found that the popup appears – obviously I want to get that licked before I change from the 2010 to the 2013 CAS properly.

    Based on other reading I think I’ll just get a SAN cert anyway, given Microsoft’s seemingly reluctant support of wildcards; should I need support down the track I suspect it’ll be easier.

    Thanks again.

  9. Hi, thanks for the helpful information. I am having a problem with my Exchange 2013 environment. When users using Outlook 2010 are connected they will get disconnected if they close and reopen Outlook. I also notice that “Connect to Microsoft Exchange using HTTP” is unchecked. Any idea why?

    1. Hi Michael,
      All Exchange 2013 users’ profiles must be configured to use Outlook Anywhere. Did you try to create a new profile for those Outlook 2010 users? Also double check that you are using the supported Outlook version with Exchange 2013; outlook.exe should be at minimum 14.0.6126.5000 – see
      Let me know what came up…

  10. Ilantz, thanks for replying. We have created new profiles many times and that didn’t work. We are using outlook.exe 14.7015.1000. When the users are connected, Outlook Anywhere is showing as checked where “Connect to Microsoft Exchange using HTTP” is in the Outlook connection tab, but this is unchecked and grayed out when the users are disconnected. I noticed as well that I am always connected with OWA and ActiveSync when this happens. One of my staff is using a virtual Windows 7 and he is always connected, so it seems like it only happens with the physical machines. Your help is greatly appreciated.

    1. Sorry for the delay Michael,
      The settings look okay. I mixed up HTTP with the WEB entry.

      Try isolating the problem: use a fresh, non domain joined machine, clean Office, clean Windows Update, no GPOs, and see if it sticks on that.
      Move up from there…

  11. Around the Authentication do you HAVE to set the ExternalClientAuthenticationMethod to Basic? Or would the following still be ok:
    – ExternalClientAuthenticationMethod = Negotiate
    – InternalClientAuthenticationMethod = Ntlm
    – IISAuthenticationMethods = {Basic, Ntlm, Negotiate}

    I’d much prefer that, if it works.

  12. I have Exchange 2013 installed, and with Office 2010 Outlook when I tried to configure my account it shows an error “Your e-mail server rejected your user name. Verify your user name for this account in Account Settings. The server responded: -ERR Command is not valid in this state”. I tried everything you told but no result. Please share some solution.

      1. Not sure how to do this. Still facing the same problem and error; I am stuck here for the last few weeks and no solution works… I’m new to this, please send steps and help me to resolve this error: “Your e-mail server rejected your user name. Verify your user name for this account in Account Settings. The server responded: -ERR Command is not valid in this state”

  13. Great post Ilan, thank you very much.

    I’ve read your article carefully, and so many articles as well, but I am still confused by something. You mentioned this: “With exchange 2013 make sure you use only Autodiscover to configure a profile, not entering name and server name.” Can you confirm that this is correct?

    The reason I ask this is that I have a test Ex2013 deployment where both CAS and MBX roles have been deployed to a single server. I have been able to configure an Outlook profile for Outlook Anywhere manually for this deployment.

    On the other hand, I have another Ex2013 deployment where CAS and MBX are located on separate dedicated servers. Autodiscover works just fine, but I am not able to use Outlook Anywhere profiles created manually for the same mailbox. OA does work for mailboxes located on Exchange 2010 MBX server, even when I use Ex2013 CAS as a proxy server.

    The strange thing is that during profile creation the server name and mailbox name do get resolved properly, but once I try to start Outlook with that profile, I get the error “Microsoft Exchange Server is unavailable”… this is driving me nuts 🙁 Do you have any clues what could be the problem here? I use the same internal & external URL and a simple public SSL cert with this name in it. For Autodiscover I use the HTTP redirection method, and this is working perfectly OK.

    On a side note, can you also confirm whether it is mandatory to populate CertPrincipalName values in Set-OutlookProvider? Mine have been empty ever since in an Exchange 2010 deployment and I never noticed a single problem…

    1. Update: On one of your other posts, I found your tip to use the ExchangeGUID instead of the “normal” Exchange server name during manual setup. I tried it and it worked, thank you 🙂 However, this is not very convenient for end-users… is there a way to use the “normal” server name?

      1. Hi Srdjan, as noted, with Exchange 2013 there isn’t really a ServerName. Your profile is configured to use your mailbox GUID as the server name… As you said, the manual approach is not straightforward, and autodiscover is the way to go 🙂
        Glad you’ve worked it out!

  14. Hi Ilan, I was hoping your excellent articles would help me with this pain in the *ss problems with Exchange 2010 to Exchange 2013 migration. We have a user whose mailbox is already on Exchange 2013 and he is using Outlook 2013 as client. Despite following some of your articles this user still has problems accessing his mailbox.

    He gets a logon popup and although he fills it in correctly, the popup won’t go away; it returns immediately after pressing OK, and he is unable to use Outlook. He also gets a certificate error (name does not match the name on the certificate). We are using a wildcard certificate.

    – All URL’s off the exchange services/vdirs point to
    – i installed the * on both 2013 CAS servers
    – outlookprovider EXCH and EXPR are set to msstd:*
    – outlook anywhere authentication methods are set according your article(s)

    The only way this specific user can access his outlook is de-selecting “HTTP on fast networks”. He then only needs to put in his credentials once and he is able to use Outlook. But after a while settings will be pushed from the server again and the problem starts all over again. It is driving me crazy!

    Do you have any clue or idea where I can look next?

      1. Hi Ilan, thanks for your reply. An important thing to note and maybe nice to add to your article(s) (or did I miss it while reading?) is that if you change one or more settings with Outlook Anywhere, it can take several hours before every client has picked it up.

        After being done with it (meaning you could almost take me to an mental hospital), I just left the Outlook Anywhere settings configured as recommended by you, and called it a day. Now that I have returned to the office all issues seem to be gone.
        – certificate errors -> gone
        – one time credentials popup -> gone
        – infinite credentials popup -> gone

        There is one additional step I made on the Exchange 2013 CAS servers: I removed the self-signed certificate. The IIS service was enabled on both the 3rd-party certificate and the self-signed certificate; assuming (assumptions, I know…) that could be causing a problem, and being unable to remove the IIS service from the self-signed certificate, I decided to completely remove it (after researching how to correctly remove it).

        To cut short:
        – Outlook Anywhere settings take a while, several hours, to fully propagate
        – Your articles were/are very helpful!
        – Everything seems to be working fine now!

        Thanks a million!!!

  15. Thanks for the information.
    Now I am wondering how to disable RPC over HTTP for specific users in Exchange 2013, so that it only allows connecting with direct RPC, not using Outlook Anywhere.

    I would like to disable Outlook Anywhere for some users (using the MAPIBlockOutlookRpcHttp setting) but still allow access when connected on the LAN network.

    The users are on windows 7 pro with outlook 2013.

    Can this be done in some GPO setting, or something else?

  16. Hello there… I’m having issues with autodiscover using Outlook 2010 with Exchange 2010/2013 coexistence… whether the user has a mailbox on 2010 or 2013, Outlook will not automatically create the user’s profile… it keeps on trying to connect to the mailbox’s respective server and never configures… what am I missing? The environment is as follows:
    1 Exchange 2010 HUB/CAS/MBX
    2 Exchange 2013 CAS/MBX
    Outlook Anywhere is enabled on all servers with NTLM configured

    1. Additionally, what DNS records do I need to create, if any? And I believe I have the AutoDiscoverServiceInternalUri set correctly on all 3 servers.

        1. Yes. I’m able to connect to users’ mailboxes by configuring their Outlook 2010 client whether their mailbox resides on 2010 or 2013.

      1. I did restart IIS and no go… Outlook still tries to connect to the servers and never configures… this network is strictly internal only; any user who connects to Exchange will be physically connected to the LAN.

      2. I should also mention that I don’t have any certificates installed just yet, and I noticed that I don’t have any DNS record for autodiscover.

        1. You mean that the website doesn’t have an SSL certificate selected for the 443 binding? That sounds like your root cause.

          You need autodiscover in DNS when you have non domain joined clients. All domain joined clients use the SCP location (the AutoDiscoverServiceInternalUri value).

          1. Correct… I currently do not have an SSL cert on any of the Exchange servers as this is my test environment.

            So since all my clients are domain joined, I do not need any internal DNS records for Autodiscover?

  17. Just wanted to say this was a life saver. I was banging my head against the wall searching for a solution. Mixed 2007 and 2013 environment. Tested everything (moves,autodiscover, etc) and thought this is easy. All testing was done with Windows 7.

    Problem is we have 2003 terminal servers and kept getting the proxy certificate error with code 0. I hoped when I read another comment about it solving the issue for XP it would apply to me.

    Step 6 fixed it.

    Thanks again.

  18. Hi,

    We have the following problem. We have a mixed multi-domain one-forest AD environment. We also still have a mixed Exchange 2007 / 2013 environment. We also have different CAS servers for 2007 and 2013 in Europe and one 2007 CAS server in China, because of the bad connection to Europe. For the migration to 2013 in Europe we installed a wildcard certificate * and used Set-OutlookProvider EXPR -CertPrincipalName msstd:* as described in your article. Everything in Europe works fine, inside and outside, and also between Exchange 2007 and 2013 (both the 2013 and 2007 CAS servers use the same wildcard certificate). But since the change to Set-OutlookProvider EXPR we are facing problems with our CAS server in China, because this server has a different non-wildcard certificate and a different domain name ( instead Now we have the problem that on this Chinese CAS server Outlook Anywhere does not work anymore and always prompts for the username. As I see it, this is because of the EXPR change. Is it possible to set the Outlook provider EXPR per CAS server? (They also have their own Autodiscover on this front-end server.) Because I see that the Outlook provider can only be stored forest-wide.
    If not, the other solution would be to register the Chinese CAS server in our domain and use the same wildcard certificate on this system, right?
    Any help would be appreciated…

    1. Yeah, you got it right. The EXPR is global. Once you are using a wildcard somewhere you’re in a pickle 🙂 so it’s either of the two: have China on the same domain, or move back to a multi-SAN / single name cert.


      1. But what about the autodiscover process then, because they still use their email addresses of …. So they will connect to But this is then also the wrong certificate when I register this server to… I think we have to go to a multi-SAN certificate….

  19. I have the exact issue like above, where I have followed the above steps but still failed. My environment is Exchange 2010 SP3 / Exchange 2013 CU8. I can’t connect using either Outlook 2010/2013 to Exchange 2013, while users in Exchange 2010 have no issue. New or migrated users in Exchange 2013 are having this issue. We used a SAN public cert and already set the outlookprovider to
    Our Exchange 2010 is using a CAS array. The weird part is I’m able to create an Outlook profile but it resolves to the CAS array name of Exch 2010. Please help me.

      1. I’m able to resolve my problem using that article. :-). However, do I need to set up EXCH and EXPR using Set-OutlookProvider? What is this setting for? I thought the user is using the autodiscover service to look up the mailbox. I may not understand that setting at all.

          1. Hi, I have the same issue and my Exchange 2010 CAS Array is not ambiguous, i.e. a unique namespace. Still, while configuring the Exchange 2013 mailbox, it resolves to the CAS Array for Exchange 2010 in Outlook 2013 SP1 with all the updates. The scenario is the same as what Ismail mentioned. Please help.

          2. Any chance you guys have a custom office install? Or a GPO with some setting applied?

            Also double check your DNS values. See if the hostname used for outlook anywhere resolves to the 2010 servers…

  20. Great information. I have no problems internally, but if a user goes outside the network and is connected through DirectAccess, Outlook continues to prompt for a password. Does that have something to do with the authentication? It is set to:

    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

    Outlook Provider is EXCH, EXPR, WEB. Server & CertPrincipalName is blank on all 3. Don’t really want to break anything internally, but wondering if you see anything glaring?

    Thanks much

      1. I believe so. Assuming by url you mean the domain name that exchange uses to connect through autodiscover to Exchange. The domain name is in the Infrastructure Servers in DirectAccess.

  21. Hi Ilantz

    I am in the process of migrating 2010 to 2013 exchange server 3:3 (CAS:MBX). Clients are mixed of outlook 2007, 2010, 2013. single domain, single forest

    Exchange 2013 is internet facing one now. In a co-existence mode started migrating the mailbox. Actually we are using a SAN cert on Exchange 2010 and new wild card on Exchange 2013.

    After the mailbox movement, mailboxes which are sitting in Exchange 2013 are not connecting to OA except with Outlook 2013 clients, while mailboxes not yet migrated are working fine with all clients. EXCH & EXPR are configured with the *.wildcard. Please advise: is it breaking OA?

    Will configuring the new wildcard certificate on Exchange 2010 work? If so, are there any impacts?

    1. Hi pete, sorry for the delay. Exchange 2013 should proxy your requests for all clients. Including your 2010 ones with Exchange 2010 as the back end.
      Make sure you did setup the required authentication settings on the 2010 side, mainly enabling Windows Authentication on the /rpc vdir.


  22. Hi Ilantz,

    Great explanation of some of the causes of the pesky Authentication issues you can get with Exchange 2013.

    My Outlook Clients (connecting to Exchange 2013 (CAS with 2 node DAG mailbox servers) were all good UNTIL I started playing around with a trial Office 365 Migration. I cannot be sure what the security settings were in Outlook BEFORE I started introducing an ADFS Server and Dirsync but it is certainly set at “Anonymous Logon” now (which I gather is what Office 365 SSO needs). Anyway, I’m not 100% sure whether this setting has changed but certainly now you can no longer get past the request for credentials pop-up (although external clients are fine) and none of the Exchange ( or Office365 ( forums are clear about the problem.

    I have tried the Powershell command to force NTLM (see below) but no change

    Set-OutlookAnywhere -Identity "\RPC (Default Web Site)" -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl $true

    Is there a simple way of forcing an Outlook client to use NTLM ?

  23. Great article Ilan. I was wondering how to prevent external users from working in Outlook, while they will still have access through OWA and ActiveSync mobile phones.

    I understand that OA should be enabled all the time. But there should be some way.

          1. Thanks Ilan, actually what we could find in the WAF is RPC_IN_DATA and RPC_OUT_DATA.

            If I deny these 2 methods, will it affect any other mail connections like Outlook internally, ActiveSync mobile, or OWA?

            Also how can we deny /rpc.

            We found /rpc/rpcproxy.dll

          2. I’m not familiar with the Barracuda WAF that much, but I guess the approach should be that /rpc/* should be disabled for all external clients. Maybe IP based filtering might work as well?

  24. Hi, I have migrated a mailbox from 2010 to 2013; after migration my Outlook 2013 asks me for my username/pwd.
    And it is the same for all my new users on the 2013 server.
    I did all your steps and my problem is still present.
    Do you have an idea?
    Thanks for your help

  25. Hi Lanz,

    I was going through your article and found it very informative and impressive. In my situation my company has Exchange 2010 and 2013 in mixed mode, with different URLs, placed in different geographies, in the same Exchange organization.

    The region having E2k10 is planned to upgrade to Exchange 2013. Now during investigation I found that there are multiple DNS names configured for this region along with different OWA URLs and autodiscover from the E2k13 site.

    Below are the queries.

    1. How to tackle multiple DNS names like , 13 SMTP name spaces.
    2. Currently I can see the EXPR, WEB & EXCH details are blank but the TTL value is 1.
    3. Are EXPR settings applied through group policy?

    Seeing above information can you guide me best for Exchange 2013.

    1. Amit, a rule of thumb is to minimize URLs, so I vote for changing all 2010 URLs to the one you will set 2013 to.
      So – install and set up 2013, then test, then change all to point to 2013. It will proxy everything to 2010 so you should be okay.

      As to autodiscover, I would recommend the redirection approach, either with an HTTP redirection or the SRV record. I like HTTP much better.


  26. I am migrating Exchange 2010 to Exchange 2013:
    The structure is as follows:
    1. Exchange 2010 structure: MB x 2, CAS x 2 and Hub x 2
    2. Exchange 2013 structure: MB x 2 and CAS x 2
    3. Clients: MS Outlook 2007, 2010 and 2013
    The Exchange servers are in the data center and everything works fine with Exchange 2010. But an Exchange 2013 user mailbox from the internal network over Outlook Anywhere (RPC/TCP) fails to connect to the inbox folder using Outlook 2007. The error message looks like this: “cannot open your default e-mail folders. you must connect to Microsoft Exchange with the current profile before you can synchronize your offline folder file”

    Appreciate your assistance finding a solution



      1. Thanks Ilan. Yes, eliminating Office 2007 will resolve all the issues together; eventually that is the plan, but it will be very difficult to do so as it will take time.
        The latest public update for Office 2007 was applied, but with no luck.

  27. Excellent post. I have spent three days thinking about how to resolve the Exchange 2013 client connection problem. Thanks for writing the solution step by step.

  28. Good article. I’m running into an issue. I’m in the process of migrating from Exch 2010 to 2016. I have a CAS array in my DMZ for external connections ( and another CAS array on the LAN for internal client connections ( Split DNS is set up correctly. When I enable Outlook Anywhere on the internal CAS servers I’m prompted to add an external hostname for CAS servers that aren’t internet facing, so I input the CAS array DNS hostname, with NTLM auth. I then set the Outlook Anywhere IIS auth to Basic, NTLM, no SSL offloading. I reset IIS on the CAS servers and restart the MSExchADTopology service.

    It works fine from internal Outlook clients. For external Outlook clients, autoconfig shows it’s trying to directly access the internal CAS servers and not the external CAS array, therefore it won’t work. It should proxy from the external CAS array to the internal CAS array, right?

    what am I missing?

    thanks much!
