One of my clients is running Exchange 2010 in hybrid mode, and they have Outlook 2010 and Outlook 365 ProPlus clients. For testing purposes, I have two VMs, one with Windows 7 and Office 2010 and one with Windows 10 and Office 365 ProPlus. And every Monday morning I run the Windows 7 VM for an hour or so to see if everything is working fine :-)
This morning my Outlook 2010 was working offline, and it didn't want to go online (OWA and Outlook 365 ProPlus were working fine). I removed the Outlook profile, but creating a new Outlook profile didn't work. After a minute the dreaded "An encrypted connection to your mail server is not available" error message appeared.
Mostly this is caused by Autodiscover going wrong somewhere. The Remote Connectivity Analyzer shows that Autodiscover to the on-premises Exchange 2010 goes well, but that the redirect to Exchange Online goes wrong and generates the following error message:
An HTTP 456 Unauthorized response was received from the remote Unknown server. This indicates that the user may not have logged on for the first time, or the account may be locked. To logon, go to http://portal.microsoftonline.com.
And further down more details are revealed:
X-AutoDiscovery-Error: LiveIdBasicAuth:AppPasswordRequired:<RequestId=8a51c25b-9213-4873-aff8-ebc1da40544f>;
The AppPasswordRequired explains more. Last week I changed the MFA settings (see previous authenticator app for Office 365 blogpost). This works fine for OWA and Office 365 ProPlus, but not for Outlook 2010, since Outlook 2010 does not work with Office 365 MFA, especially not in a hybrid environment (not even with an App Password).
The only workaround here was to temporarily disable MFA for my user account, create a new Outlook profile (which worked fine without MFA) and re-enable MFA. Again, Outlook 2010 does not recognize the MFA and still works with Exchange Online using basic authentication, but all other Office 365 services work fine with Office 365 MFA (both SMS and Authenticator authentication).
What about creating an MFA app password? That's what they are for, apps that don't understand MFA.
My first try was to use an app password (this was in my original draft post) but the app password is not accepted on-premises. In a hybrid environment Outlook checks autodiscover.domain.com first, and this is where the app password is rejected. It just didn’t work.
But the main thing is (or looks like) that Outlook continues to work without any additional questions, after you enable MFA.
You are correct :-) But why not point autodiscover to o365 and $null the ecp? :-)
There are still more than 1000 mailboxes in Exchange 2010, so pointing to O365 will generate a lot of helpdesk calls :-)
Correct once again :-) Time to migrate (fast) then.
Or move everything to Office 365 ProPlus (even better :-))
Yup. You should become a consultant :-) Have you already done an Office Assessment with the Readiness Toolkit for compatibility for docs etc.?