Exchange Hybrid Migration underway, but clients experience Outlook authentication loop
Hi,
This is a fairly long story but hoping someone can help troubleshoot what might be going wrong.
Essentially we have a single AD domain, 2 x Exchange 2013 servers in a DAG and everything was running OK. One peculiar feature is that although this AD/Exchange is a single domain, we are trying to split some users out into separate M365 tenancies (and eventually separate AD domains, etc.). As a result, we run multiple EntraID Connect servers synchronizing specific OUs to the various tenants.
We were advised that in order to split a single AD/Exchange into multiple M365 tenants, we would require an Exchange 2019 server licensed as a Hybrid server for the Hybrid Configuration Wizard to run against. Exchange 2013 on its own could not accomplish this single to multiple configuration.
That was completed, and indeed we have the capability to migrate mailboxes from on-prem to any of the desired 365 tenancies (there are a lot of intricacies to it, but it can work).
The problem we have is that some Outlook users began experiencing Outlook credential prompts over and over again. This seems to have started around the same time as the Exchange 2019 Hybrid server was introduced to the network.
Looking at the connection status on Outlook, we can see that some connections are now going via the new Exchange server – which, being licensed for Hybrid only, does not contain any mailboxes, etc.
Initially, I suspected this might be some sort of TLS compatibility issue between the new server and the old servers, and when the new server tries to proxy a user request to an old mailbox server, something is going wrong. I assumed this after seeing a lot of SCHANNEL errors in the event log of the new server. But these do not match up with Outlook authentication failures. A lot of troubleshooting at this point has been focused on enabling the older TLS versions for the system and for .NET on the 2019 Exchange server, but it does not seem to have improved things.
In any case, this is causing major headaches for some users. After some time, the credential prompts will generally stop and the users can work, but often this can take 20+ minutes to settle down.
At this point, would appreciate any advice on where to look for more detailed logging of what is going on with clients when this happens or anything else you might be able to recommend.
Thanks in advance