Hello,
I've searched endlessly for a solution to this issue, but none of the fixes out there seem to work for us. We are working on migrating to Exchange 2013 from 2007. We have two Exchange 2013 CU2 servers (both in a DAG, both have mailbox and CAS roles) coexisting with our single 2007 server (all roles). As a background, the 2007 server was set up using a single DNS namespace (mail.domain.com) and has an SSL certificate for mail.domain.com. 2007 is set to have external Outlook Anywhere (OA) clients use Basic authentication and internal use NTLM. Our AD domain is domain2.com but our primary email addresses are @domain.com. Since we couldn't re-use mail.domain.com for our 2013 servers, we chose to temporarily use email.domain.com with the intent to switch back after the 2007 server was offline or no longer used. We loaded a wildcard SSL cert (*.domain.com) onto the 2013 servers to cover this. email.domain.com is set up internally using DNS round-robin.
Everything was going smoothly with the migration until we tried to connect an Outlook client (we use Outlook 2013) to a mailbox that resides on the 2013 servers. When adding the email account in Outlook it gets to the "Logging on to the mail server" configuration step and prompts for a password. Mailboxes on the 2007 server never prompted for a password at this point. So, we enter the user credentials for the mailbox but it continuously fails and re-prompts for credentials. We've tried formatting the username as domain2\user, user@domain2.com, user@domain.com but nothing takes. It almost seems like the authentication mechanism isn't working. Logging on to 2013's OWA works fine and I'm not seeing anything in the server event logs that seem to correspond to this.
For OA, we have the 2013 servers set to use Basic for external and NTLM for internal (same as the 2007 server). We confirm this by running Get-OutlookAnywhere, and we can also see that IISAuthenticationMethods has Basic, NTLM, and Negotiate available (we've set this to different combinations with no change). Internal/external hostnames are set to email.domain.com (we have to change this back to mail.domain.com after testing, otherwise existing users using OA externally stop being able to authenticate).
Get-OutlookProvider shows EXCH and EXPR both have a CertPrincipalName of msstd:*.domain.com (again, we have to change this back to msstd:mail.domain.com after testing, otherwise existing users using OA externally stop being able to authenticate).
I've isolated each 2013 server by turning one off and keeping the other on, and the behavior is exhibited with both. All of 2013's virtual directories point to email.domain.com. I've tried uninstalling the RPC over HTTP component on each 2013 server and reinstalled but still have the same problem. I've also looked at the authentication for each virtual directory in IIS and they all are set to what they should be. This seems to me to be an issue with the fact that we're coexisting, but I can't figure out a solution. I obviously don't want to start migrating users with nothing but the hope it'll work in the end.
Any help would be greatly appreciated, and let me know what other info I can provide.
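The post above compares Outlook Anywhere hostnames, authentication methods, Outlook Provider CertPrincipalNames and certificates across the 2007 and 2013 servers by hand. The following script is an added example (not part of the original post) that pulls those same settings from every server in one pass from the Exchange 2013 Management Shell and checks whether each Outlook Anywhere hostname is actually covered by a certificate bound to IIS on that server. Server names and the certificate subject are assumptions for illustration; the cmdlets and property names are the standard Exchange 2013 ones. Format-List silently omits properties that a 2007 server does not expose (for example InternalHostname), so a blank field on the 2007 row is expected rather than an error.

```powershell
# Added example, not from the original post. Run from the Exchange 2013
# Management Shell. Server names below are assumptions; replace them.
$servers = 'EX2013-01', 'EX2013-02', 'EX2007-01'

function Test-HostCoveredByCert {
    # Returns $true when $HostName is matched by one of the names on a
    # certificate, treating a leading "*." as covering exactly one label
    # (so *.domain.com covers email.domain.com but not a.b.domain.com).
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }
        if ($d.StartsWith('*.') -and ($HostName -like $d) -and
            ($HostName.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($s in $servers) {
    "===== $s ====="

    # Outlook Anywhere: the hostnames Autodiscover hands to the client and the
    # three authentication settings that must agree between the Outlook
    # profile, the /rpc virtual directory and IIS.
    $oa = Get-OutlookAnywhere -Server $s
    $oa | Format-List Server, InternalHostname, ExternalHostname,
                      ClientAuthenticationMethod,            # 2007/2010 only
                      InternalClientAuthenticationMethod,    # 2013
                      ExternalClientAuthenticationMethod,    # 2013
                      IISAuthenticationMethods,
                      InternalClientsRequireSsl, ExternalClientsRequireSsl

    # Autodiscover SCP that domain-joined Outlook clients read from AD.
    Get-ClientAccessServer -Identity $s |
        Format-List Name, AutoDiscoverServiceInternalUri

    # Certificates bound to IIS on this server and the names they carry.
    $iisCerts = Get-ExchangeCertificate -Server $s |
        Where-Object { $_.Services -match 'IIS' }
    $iisCerts | Format-List Thumbprint, Subject, CertificateDomains, NotAfter
    $names = @($iisCerts | ForEach-Object { $_.CertificateDomains } |
               ForEach-Object { $_.ToString() })

    # Each OA hostname must be covered by a name on the IIS-bound certificate,
    # otherwise Outlook rejects the TLS session before authentication starts.
    foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname) | Where-Object { $_ }) {
        '{0,-30} covered by IIS cert: {1}' -f $h, (Test-HostCoveredByCert $h.ToString() $names)
    }
}

# Organisation-wide Outlook Provider settings. EXPR is what Outlook Anywhere
# clients use; the msstd: value must match the certificate subject they see.
Get-OutlookProvider | Format-List Name, CertPrincipalName, Server, TTL
```

Running this once with the hostnames set to email.domain.com and once after switching them back to mail.domain.com gives a side-by-side record of what each server advertises, which is easier to reason about than changing one setting at a time and re-testing the Outlook profile.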