The test pass without any hard issue, clients from outside the organization were connecting without any problem and fast ! But from the domain network itself workstation couldn’t connect with outlook , OWA was working fine any were , so I ran:<\/p>\n
Get<\/span>-<\/span>ClientAccessServer<\/span> |<\/span> Test<\/span>-<\/span>OutlookWebServices<\/span> -<\/span>Identity <\/span>your@email.com<\/span> -<\/span>MailboxCredential<\/span> (<\/span>Get<\/span>-<\/span>Credential<\/span>) | fl\r\n<\/span><\/span><\/pre>\nTo check outlook and I got this weird error complaining about certificate missmatch issue :<\/p>\n
Result : Failure<\/span>
\n Latency : 1<\/span>
\n Error : System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL\/TLS secure channel. \u2014><\/span>
\n System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.<\/span><\/p>\nThere were no eventID in any log regarding any thing about certificate issue . At that point I figured that the authentication mechanism wasn’t working and it hand nothing to do with certificate or exchange server health . Now outlook can connect with NTLM or Kerberos to the exchange server, so I forced the workstation connecting with NTLM only -> that didn’t work ! but when I set the Kerberos as default the outlook connect in a flash, this are the registry setting for outlook 2016 :<\/p>\n
\n- Kerberos\/NTLM Password Authentication
\n\n\n\nRegistry\u00a0Hive<\/td>\n HKEY_CURRENT_USER<\/td>\n<\/tr>\n \nRegistry\u00a0Path<\/td>\n software\\policies\\microsoft\\office\\16.0\\outlook\\security<\/td>\n<\/tr>\n \nValue\u00a0Name<\/td>\n authenticationservice<\/td>\n<\/tr>\n \nValue\u00a0Type<\/td>\n REG_DWORD<\/td>\n<\/tr>\n \nValue<\/td>\n 9<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n- Kerberos Password Authentication
\n\n\n\nRegistry\u00a0Hive<\/td>\n HKEY_CURRENT_USER<\/td>\n<\/tr>\n \nRegistry\u00a0Path<\/td>\n software\\policies\\microsoft\\office\\16.0\\outlook\\security<\/td>\n<\/tr>\n \nValue\u00a0Name<\/td>\n authenticationservice<\/td>\n<\/tr>\n \nValue\u00a0Type<\/td>\n REG_DWORD<\/td>\n<\/tr>\n \nValue<\/td>\n 16<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n- NTLM Password Authentication
\n\n\n\nRegistry\u00a0Hive<\/td>\n HKEY_CURRENT_USER<\/td>\n<\/tr>\n \nRegistry\u00a0Path<\/td>\n software\\policies\\microsoft\\office\\16.0\\outlook\\security<\/td>\n<\/tr>\n \nValue\u00a0Name<\/td>\n authenticationservice<\/td>\n<\/tr>\n \nValue\u00a0Type<\/td>\n REG_DWORD<\/td>\n<\/tr>\n \nValue<\/td>\n 10<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n- Insert a smart card
\n\n\n\nRegistry\u00a0Hive<\/td>\n HKEY_CURRENT_USER<\/td>\n<\/tr>\n \nRegistry\u00a0Path<\/td>\n software\\policies\\microsoft\\office\\16.0\\outlook\\security<\/td>\n<\/tr>\n \nValue\u00a0Name<\/td>\n authenticationservice<\/td>\n<\/tr>\n \nValue\u00a0Type<\/td>\n REG_DWORD<\/td>\n<\/tr>\n \nValue<\/td>\n 2147545088<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<\/ol>\nNow to find why NTLM didn’t work ??? Turn out there was a setting in the default domain policy (GPO) denying all NTLM connection on all the computers in the domain . and it was both on Domain default policy and in the local policy :<\/p>\n
![\"\"](\"https:\/\/itsimple.info\/wp-content\/uploads\/2020\/04\/NTLM-Denied-300x192.png\")
<\/p>\n
Once I set this options to ” allow all” every think start working again !<\/p>\n
![\"\"](\"https:\/\/itsimple.info\/wp-content\/uploads\/2020\/04\/NTLM-Denied.2PNG-300x141.png\")
<\/p>\n
then run :<\/p>\n
gpupdate \/force<\/p>\n
Sync it to all the DC’s<\/p>\n
repadmin \/syncall<\/pre>\n <\/p>\n
\nGood Luck<\/h3>\n","protected":false},"excerpt":{"rendered":"
I had a weird case of organization suffering from outlook that couldn’t connect to the exchange, the security window was popping all the time regardless the credential input\u00a0 . in order to check outlook connectivity i used Microsoft Connectivity analyzer :\u00a0https:\/\/testconnectivity.microsoft.com\/ The test pass without any hard issue, clients from outside the organization were […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,8,9,21,4,12,1,14,15],"tags":[],"class_list":["post-1353","post","type-post","status-publish","format-standard","hentry","category-microsoft-exchange-2010","category-microsoft-exchange-2013","category-microsoft-exchange-2016","category-operating-systems","category-tech","category-tutorials","category-uncategorized","category-windows","category-windows-server"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/1353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1353"}],"version-history":[{"count":0,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/1353\/revisions"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}