
    Outlook 2016 Exchange 2016 keeps asking for password



    Outlook 2016 SOLELY relies on Autodiscover….

    You need to make sure your OutlookAnywhere and AutoDiscover settings are set up properly along with Split-DNS. OutlookAnywhere and Split-DNS are vital for future-proofing your Exchange configuration and making it work properly now, regardless of whether you use Exchange 2007, 2010, 2013, or 2016. For Exchange 2013+, OutlookAnywhere is a requirement and Split-DNS is Best Practice. If you are on Exchange 2007 or 2010, and you do not have OutlookAnywhere enabled, enable OutlookAnywhere and follow this guide.

    First things first: make a backup of your environment’s configuration. Run the following commands in Exchange Management Shell to back up your configuration. Don’t forget to change the Resolve-DnsName commands at the bottom so that they reflect your current OWA URL hostname and the Autodiscover record for your external domain name. The Start-Transcript/Stop-Transcript lines will output all of this to a text file in the current folder, as well as on screen.

    Start-Transcript EnvironmentBackup.txt
    Get-OutlookProvider | Format-List
    Get-OutlookAnywhere | Format-List
    Get-ClientAccessServer | Format-List
    Get-ActiveSyncVirtualDirectory | Format-List
    Get-AutodiscoverVirtualDirectory | Format-List
    Get-EcpVirtualDirectory | Format-List
    Get-OabVirtualDirectory | Format-List
    Get-OwaVirtualDirectory | Format-List
    Get-MapiVirtualDirectory | Format-List
    Get-PowerShellVirtualDirectory | Format-List
    Get-WebServicesVirtualDirectory | Format-List
    Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Format-List
    Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Get-ADPermission | Where-Object { $_.extendedrights -like '*routing*' } | fl identity, user, *rights
    Resolve-DnsName -Type A -Name
    Resolve-DnsName -Type A -Name
    Resolve-DnsName -Type A -Name -Server
    Resolve-DnsName -Type A -Name -Server
    Resolve-DnsName -Type MX -Name -Server
    Resolve-DnsName -Type TXT -Name -Server
    Resolve-DnsName -Type A -Name -Server

    NOTE: If you get errors on the Resolve-DnsName commands, please use the following NSLookup Commands instead.

    nslookup -type=a
    nslookup -type=a
    nslookup -type=a
    nslookup -type=a
    nslookup -type=mx
    nslookup -type=txt
    nslookup -type=a

    Now that we have an Environment Backup, let’s proceed with the steps to fix your environment.

    As DNS is a vital component in any network, please make sure that Split-DNS is set up first before doing anything else. To make sure Split-DNS is working properly, review the 7 Resolve-DnsName commands at the end of the Environment Backup.

    The first 2 Resolve-DnsName commands should both respond from an internal computer to the internal IP of your Exchange server (eg.
    To fix the internal records, the easiest way to do this is to create a DNS Zone (Active Directory – Integrated) for (assuming that is your OWA URL) and then create a blank A Record and point it to your internal IP Address for your mail server (eg. Then create another DNS Zone (Active Directory – Integrated) for and create a blank A record and point it to the internal IP Address of your mail server (eg.

    The next 2 Resolve-DnsName commands should both respond externally (Via Google’s DNS) to your external IP of the mail server (eg.
    To fix the external records (more than likely, autodiscover is the one that doesn’t exist and needs to be created), on your domain’s external DNS Manager create an A record for and point it to the external IP of your mail server (eg.

    The 5th Resolve-DnsName command will show you your MX records on the internet. MX Records should NOT point to an IP Address as stated in RFC1035 ( They should have a priority at the beginning where the lowest number is the preference. If you are directing inbound mail traffic to an Anti-Spam 3rd party provider, this will be the hostname(s) associated with them. In the case of an onsite appliance, create a new A record called and give it the IP for your Anti-Spam Appliance, and then set the MX Records to 10

    The 6th Resolve-DnsName command will show you your TXT records – these records are used for extra information in DNS, and one of the extra pieces of information you should have in there is an SPF record. A Sender Policy Framework (SPF) record identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain. If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server. You should use an SPF Generator to get the proper syntax for your SPF Record (

    And the 7th Resolve-DnsName command should respond that this record does NOT EXIST. If it does resolve to an IP, there is likely a wildcard record on your domain (* that is pointing to your webserver. Some webhosting companies do this for subdomain management instead of putting an explicit hostname in their DNS records. It actually causes more problems than it fixes, so where possible, you should log into your domain’s external DNS Manager and remove the wildcard record.

    After Split-DNS is confirmed working, the next things to check and fix are the Virtual Directories and the Client Access Server Autodiscover URI. All InternalUrl and ExternalUrl values should be set up using the hostname (assuming is the OWA URL that you chose). You should always use NTLM over Basic authentication as Basic sends the username and password in the clear, and NTLM doesn’t as it is Windows Authentication. On Exchange 2013+, you also have a new option called Negotiate, which is recommended, but if you have Outlook 2010 and Outlook 2007 clients, keep it with NTLM for backwards compatibility. For future-proofing, please also turn on SSLOffloading for OutlookAnywhere, which is enabled by default on Exchange 2013+ (

    For Exchange 2007/2010
    Set-OutlookAnywhere -Identity 'SERVER\Rpc (Default Web Site)' -SSLOffloading $true -ClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM

    For Exchange 2013+ with backwards compatibility with Outlook 2010 and 2007
    Set-OutlookAnywhere -Identity 'SERVER\Rpc (Default Web Site)' -SSLOffloading $true -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM,Negotiate

    For Exchange 2013+ with Outlook 2013+
    Set-OutlookAnywhere -Identity 'SERVER\Rpc (Default Web Site)' -SSLOffloading $true -ExternalClientAuthenticationMethod Negotiate -InternalClientAuthenticationMethod Negotiate -IISAuthenticationMethods Basic,NTLM,Negotiate

    Now that we’ve got OutlookAnywhere configured, let’s configure the OutlookProvider settings. By default three Outlook Providers are used to configure settings individually for Exchange RPC protocol or internal clients (EXCH), Outlook Anywhere (EXPR) and WEB.

    The EXCH setting references the Exchange RPC protocol that is used internally. This setting includes port settings and the internal URLs for the Exchange services that you have enabled.
    The EXPR setting references the Exchange HTTP protocol that is used by Outlook Anywhere. This setting includes the external URLs for the Exchange services that you have enabled, which are used by clients that access Exchange from the Internet.
    The WEB setting contains the best URL for Outlook Web Access for the user to use. This setting is not in use.

    To harden security, it is best practice to set the CertPrincipalName for each of the Outlook Providers (it is also required if you have any lingering XP Clients that will use Outlook). This will make sure that only a certificate with a specific subject name will be accepted.

    Set the CertPrincipalName for the OutlookProvider settings.

    Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:(Subject name of certificate)
    Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:(Subject name of certificate)
    Set-OutlookProvider -Identity WEB -CertPrincipalName msstd:(Subject name of certificate)

    Set the Client Access Server’s Autodiscover record to the OWA Hostname:
    Set-ClientAccessServer -Identity 'SERVER' -AutoDiscoverServiceInternalUri 'https://OWAHOSTNAME/Autodiscover/Autodiscover.xml'

    Set all VirtualDirectories (VDs) to the OWA Hostname using HTTPS except for the AutodiscoverVirtualDirectory which gets set to blank ($null) for InternalURL and ExternalURL. We will also turn on -RequireSSL for OWA and PowerShell VDs. We also will set the InternalNLBBypassUrl to $null. For most environments this works fine; however, if you are using multiple Exchange servers in an NLB Cluster or crossing Active Directory sites, don’t set that to null. More information here:

    Set-ActiveSyncVirtualDirectory -Identity 'SERVER\Microsoft-Server-ActiveSync (Default Web Site)' -ActiveSyncServer 'https://OWAHOSTNAME/Microsoft-Server-ActiveSync' -InternalUrl 'https://OWAHOSTNAME/Microsoft-Server-ActiveSync' -ExternalUrl 'https://OWAHOSTNAME/Microsoft-Server-ActiveSync'
    Set-EcpVirtualDirectory -Identity 'SERVER\ecp (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/ecp' -ExternalUrl 'https://OWAHOSTNAME/ecp'
    Set-OabVirtualDirectory -Identity 'SERVER\OAB (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/OAB' -ExternalUrl 'https://OWAHOSTNAME/OAB' -RequireSSL $true
    Set-OwaVirtualDirectory -Identity 'SERVER\owa (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/owa' -ExternalUrl 'https://OWAHOSTNAME/owa'
    Set-AutodiscoverVirtualDirectory -Identity 'SERVER\Autodiscover (Default Web Site)' -InternalUrl $null -ExternalUrl $null
    Set-MapiVirtualDirectory -Identity 'SERVER\mapi (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/mapi' -ExternalUrl 'https://OWAHOSTNAME/mapi'
    Set-PowerShellVirtualDirectory -Identity 'SERVER\PowerShell (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/powershell' -ExternalUrl 'https://OWAHOSTNAME/powershell' -RequireSSL $true
    Set-WebServicesVirtualDirectory -Identity 'SERVER\EWS (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/ews/exchange.asmx' -ExternalUrl 'https://OWAHOSTNAME/ews/exchange.asmx' -InternalNLBBypassUrl $null
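
    To confirm the result of the commands above, the following added example (not part of the original post) checks virtual directory objects against the rule stated here: every InternalUrl and ExternalUrl is HTTPS on the OWA hostname, and Autodiscover is blank. The function name Test-VirtualDirectoryUrl, the host mail.example.com and the sample objects are constructed for illustration; on a real server you would pipe the output of the Get-*VirtualDirectory cmdlets into it.

```powershell
# Added example: report virtual directory URLs that break the rule in this guide.
# Test-VirtualDirectoryUrl is a hypothetical helper, not an Exchange cmdlet.
function Test-VirtualDirectoryUrl {
    [CmdletBinding()]
    param(
        # Any object with Identity, InternalUrl and ExternalUrl properties.
        [Parameter(Mandatory, ValueFromPipeline)] [object] $VirtualDirectory,
        # Assumption: the single OWA hostname chosen for all services.
        [Parameter(Mandatory)] [string] $ExpectedHost
    )
    process {
        $id = [string]$VirtualDirectory.Identity
        # The Autodiscover virtual directory is the one exception: both URLs blank.
        $isAutodiscover = $id -like '*\Autodiscover (*'

        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url     = [string]$VirtualDirectory.$prop   # $null becomes ''
            $problem = $null

            if ($isAutodiscover) {
                if ($url) { $problem = 'should be blank ($null)' }
            }
            elseif (-not $url) {
                $problem = 'not set'
            }
            else {
                $uri = $null
                if (-not [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
                    $problem = 'not an absolute URL'
                }
                elseif ($uri.Scheme -ne 'https') {
                    $problem = 'not HTTPS'
                }
                elseif ($uri.Host -ne $ExpectedHost) {
                    $problem = "host is $($uri.Host), expected $ExpectedHost"
                }
            }

            if ($problem) {
                [pscustomobject]@{
                    Identity = $id
                    Property = $prop
                    Value    = $url
                    Problem  = $problem
                }
            }
        }
    }
}

# Constructed sample objects standing in for Get-*VirtualDirectory output.
$sample = @(
    [pscustomobject]@{ Identity = 'SERVER\owa (Default Web Site)'
                       InternalUrl = 'https://mail.example.com/owa'
                       ExternalUrl = 'https://mail.example.com/owa' }
    [pscustomobject]@{ Identity = 'SERVER\ecp (Default Web Site)'
                       InternalUrl = 'https://server.corp.example.local/ecp'
                       ExternalUrl = $null }
    [pscustomobject]@{ Identity = 'SERVER\OAB (Default Web Site)'
                       InternalUrl = 'http://mail.example.com/OAB'
                       ExternalUrl = 'https://mail.example.com/OAB' }
    [pscustomobject]@{ Identity = 'SERVER\Autodiscover (Default Web Site)'
                       InternalUrl = 'https://mail.example.com/Autodiscover/Autodiscover.xml'
                       ExternalUrl = $null }
)

$sample | Test-VirtualDirectoryUrl -ExpectedHost 'mail.example.com' |
    Format-Table Identity, Property, Problem -AutoSize
```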

    Set the FQDN option of all the enabled Send Connectors:
    Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Set-SendConnector -Fqdn OWAHOSTNAME

    If you have ever examined an email message header, you would have noticed that it contains internal Exchange server FQDN information and IP addresses. This exposes the AD domain details of your network to the outside world. To prevent this information from escaping your network onto the Internet, you can use the Exchange header firewall to hide the internal server information. You do this by taking away the rights to send the internal details in a message header (ms-Exch-Send-Headers-Routing) on the send connector you use to send email on the internet.

    Remove ms-Exch-Send-Headers-Routing rights on ALL Active Send Connectors:
    Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Remove-ADPermission -User 'Nt Authority\Anonymous Logon' -ExtendedRights 'ms-Exch-Send-Headers-Routing'

    Remove ms-Exch-Send-Headers-Routing rights on specific Active Send Connectors:
    Get-SendConnector -Identity CONNECTORNAME | Remove-ADPermission -User 'Nt Authority\Anonymous Logon' -ExtendedRights 'ms-Exch-Send-Headers-Routing'

    Restart IIS and the Microsoft Exchange Transport Services to make the changes take effect immediately.
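
    As an added example (not part of the original post), this function scans the headers of a message received at an external mailbox for the details the header firewall is meant to remove: RFC 1918 addresses and host names under your AD DNS suffix in Received lines. The function name Find-InternalHeaderLeak, the suffix corp.example.local and the sample headers are constructed for illustration.

```powershell
# Added example: find internal server details left in Received headers.
# Find-InternalHeaderLeak is a hypothetical helper, not an Exchange cmdlet.
function Find-InternalHeaderLeak {
    [CmdletBinding()]
    param(
        # Full header block of a message, as copied from an external mailbox.
        [Parameter(Mandatory)] [string]   $RawHeaders,
        # Assumption: AD DNS suffixes that should never be visible externally.
        [Parameter(Mandatory)] [string[]] $InternalSuffix
    )

    # Unfold continuation lines: a line starting with whitespace continues
    # the previous header field (RFC 5322).
    $unfolded = $RawHeaders -replace '\r?\n[ \t]+', ' '

    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -notmatch '^Received:') { continue }

        # Dotted quads; Exchange build numbers such as 15.1.669.32 also match
        # this pattern, so anything with an octet above 255 is skipped.
        foreach ($m in [regex]::Matches($line, '\b(?:\d{1,3}\.){3}\d{1,3}\b')) {
            $o = @($m.Value.Split('.') | ForEach-Object { [int]$_ })
            if (($o | Measure-Object -Maximum).Maximum -gt 255) { continue }

            # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
            $private = ($o[0] -eq 10) -or
                       ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
                       ($o[0] -eq 192 -and $o[1] -eq 168)
            if ($private) {
                [pscustomobject]@{ Type = 'PrivateIP'; Value = $m.Value; Header = $line }
            }
        }

        # Host names that end in one of the internal AD suffixes.
        foreach ($suffix in $InternalSuffix) {
            $pattern = '\b[\w-]+(?:\.[\w-]+)*\.' + [regex]::Escape($suffix) + '\b'
            foreach ($m in [regex]::Matches($line, $pattern, 'IgnoreCase')) {
                [pscustomobject]@{ Type = 'InternalFqdn'; Value = $m.Value; Header = $line }
            }
        }
    }
}

# Constructed sample: the first hop still carries internal details,
# the second hop shows only public names and addresses.
$sample = @(
    'Received: from EX01.corp.example.local (10.0.0.25) by'
    ' EX01.corp.example.local (10.0.0.25) with Microsoft SMTP Server (TLS) id'
    ' 15.1.669.32; Mon, 1 Jan 2018 09:00:00 +0000'
    'Received: from mail.example.com (203.0.113.10) by mx.recipient.example'
    ' (198.51.100.7) with ESMTPS; Mon, 1 Jan 2018 09:00:02 +0000'
    'From: user@example.com'
    'Subject: constructed test message'
) -join "`n"

Find-InternalHeaderLeak -RawHeaders $sample -InternalSuffix 'corp.example.local' |
    Sort-Object Type, Value -Unique |
    Format-Table Type, Value -AutoSize
```

    An empty result on a message sent after the change indicates the routing headers are no longer leaving with internal details; any row points at the Received line to investigate.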

    Making OWA easily accessible to users:
    Another thing that is really handy is to make OWA accessible by HTTP redirecting to HTTPS so that your users don’t have to remember to type HTTPS. The easiest and the best way that I’ve found to do this is to edit the Default Website’s Error Pages and set the 403 error to redirect to You will need to re-apply this after every Cumulative Update (CU) that you perform as the CUs will revert these settings to defaults.

    To do this:

    1. Open IIS
    2. Navigate to the Default Web Site on the left.
    3. On the right, double-click on Error Pages
    4. Double click on the 403 Status Code.
    5. Change the Response Action to ‘Respond with a 302 redirect’ and in the Absolute URL: type in
    6. Press OK and close IIS.
    7. Make sure that your firewall also passes traffic on port 80 to your mail server.
    8. In your browser, type in and hit enter. It should find it and redirect you to the OWA Login.

    SSL Certificates

    If you don’t already have a proper 3rd party certificate, I would suggest taking the plunge for $29.88 USD – – NameCheap has PositiveSSL Multi-Domain certs with the first 3 hostnames included. You’re going to need at least 2 – (OWA URL, and Subject of the Cert) and (Subject Alternative Name – or SAN). A wildcard certificate will work, but a SAN certificate is best practice as if a wildcard certificate is compromised, any name can be secured, but if a SAN certificate is compromised, then only those hostnames specified can be secured.

    The time it will take you to troubleshoot trying to use a self-signed certificate or one from an in-house CA (if you have one)… will cost your company more money in terms of time than just buying a certificate using the link I gave you above. Oh, and I don’t make any commission or anything from that link – it’s a direct link to the SSL Cert you need.

    Also, for Exchange testing, (Autodiscover and Connectivity) you can use Microsoft’s TestConnectivity site to help troubleshoot your issues.

    How to Import PST into Public Folder Exchange 2013


    Learn How to Import PST into Public Folder Exchange 2013

    Simon | July 9th, 2016 | Forensics
    A very common need among Exchange Server users is to import their Outlook PST files into a public folder of Exchange 2013. Generally, it is IT admins who perform this activity. This blog therefore illustrates a technique for performing such import tasks.

    The procedure comprises three main tasks, listed below:

    1. Generating a shared folder for performing the import task
    2. Enabling permission to perform import operation
    3. Import PST into public folder of Exchange 2013

    Generating a Shared Folder

    In Exchange 2013, we require a new folder, which supports the import process and can be used in multiple other processes. Such a folder is known as a Shared Folder and is generally named EXUtil$. Since Exchange 2013 has reduced the usage of the console environment and has adopted a web interface, we require a folder that can be created anywhere on the network.
    Create such a folder for the import procedure and, for better performance, add Exchange Trusted Subsystem to the Share and Security level permissions of the EXUtil$ folder.

    Enabling Import Permissions

    Exchange users must have the import permission enabled on their account before they can import PST files. This permission is disabled by default in Exchange 2013, so before proceeding, go through the following steps to enable it:
    1. Log in to your Exchange 2013 admin account.
    2. Click on the permissions option in the menu on the left-hand side of the screen.
    3. Click on Recipient Management and, on the left window pane, check the Assigned Roles list. Search this list for the Mailbox Import Export option. If you find the option, stop the procedure here and start the import procedure. Otherwise, continue with step 4.
    4. Click on the pencil icon in the middle pane of the window.
    5. A Role Group window for adding new roles will appear. In this window, click on the + button to continue.
    6. In the Select a Role window, select the Mailbox Import/Export option and then click on add >> OK.
    7. Go to the permissions option >> Recipient Management again and you will find the Mailbox Import Export option in the Assigned Roles section.
    8. Open the Exchange 2013 PowerShell on your machine and execute the following command:
      New-ManagementRoleAssignment -Role "Mailbox Import Export" -User (user_name)
      NOTE: Fill the bracket with the relevant user name.
    9. Log out of your Exchange account and then log in again.

    Steps to Import PST into Public Folder Exchange 2013

    1. Click on the … icon and then select the Import PST option from the drop-down list.
    2. From the import wizard, mention the location of PST file that was saved in shared folder and then click on Next button.
    3. Select the destination mailbox, where you want to archive the imported data and then click on Next.
    4. If you do not want an email to be generated when the import procedure completes, click on the Finish button; otherwise go to step 5.
    5. Tick mark on the Send email option and select the mailboxes where you want to send the process completion mail. Now at the end, click on Finish button to import PST into public folder Exchange 2013.


    In this blog, we covered complete steps for importing PST files into Public folder by making use of Exchange server 2013. One should have the knowledge to use Exchange Admin Center (EAC), which is the web interface of Exchange 2013 to import PST into public folder of Exchange 2013.

    How to find NT Service\MSSQLSERVER and NT Service\SQLSERVERAGENT accounts?


    You have installed SQL Server and it is up and running without any issue. Later, you need to change some permission given to either the SQL Server engine or the agent. You look for the accounts, searching in local users and in local groups, but you cannot find them.
    Are you experiencing the above issue? If yes, first understand what these accounts are. They are called Virtual Accounts and are created during the installation of SQL Server. These accounts are managed by the Operating System itself, hence they are not visible when you browse the Local Users and Groups window. Similarly, there is another type of account called Managed Service Accounts, which are created at domain level and assigned to SQL Server services.
    Now, if for some reason you changed the service account of your SQL Server service to another account, and later you want to use the same Virtual Account again, this is what you have to do.
    1. Get the properties of the services.
    2. Easiest way is, just type the account and leave the password blank. If the instance is default, type it as NT Service\MSSQLSERVER or if it is a named instance, type NT Service\MSSQL$.
    3. Click on to get the service restarted. It will work as you expected.
    4. Or, if you want to search the account, click on Browse to open Select User or Group window. Type nt service\ms in Enter the object name to select input box and click on Check Names. If you are setting the Agent Service, look for nt service\sql word.
    5. You get Multiple Names Found window opened. Select the account from the list and continue. Do not enter a password, click on OK and get the service restarted.
    In the same way, if you need to add these accounts to some other groups to grant more permissions, for example adding the Agent Service Account to the Administrators Group (not recommended), follow the same steps.

    Setting up signature or disclaimer for all users in Office 365 Exchange online


    To set up a signature for all Office 365 Exchange Online users without manually configuring each client, you can use mail flow rules to append the signature to each and every outgoing email.
    To do so, go to the Office 365 Exchange admin portal, then navigate to Mail flow –> choose Rules and click on the + sign

    Click on “Apply disclaimers…”

    When the new rule opens, you will have to give it a name and apply a condition for the rule. An empty form looks like this one


    but here’s what mine looks like,
    I choose the sender address includes “Specific domain” then in the append the disclaimer part, I have entered an HTML code which includes all user details

    after applying the disclaimer I choose to wrap it up. and then in the exception part I added a rule that excludes adding the disclaimer and signature to any reply message by reading the “RE” word in the subject field.

    Now the disclaimer code is as following and you may want to configure it or customize it according to your needs.


    <div style="font-size:9pt; font-family: 'Calibri',sans-serif;">
    <div><img alt="Logo" src=""><p><p><p>Tel: %%PhoneNumber%%<br>
    Gsm: %%MobileNumber%%<br>
    Fax: %%FaxNumber%%<br>
    <span style="font-size:12pt; font-family: 'Cambria','times new roman','garamond',serif; color:#100101;">Disclaimer</span><br>
    <p style="font-size:8pt; line-height:10pt; font-family: 'Cambria','times roman',serif;"> ________________________________________
    <span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: 'Calibri',Arial,sans-serif; "><a href=""></a></span><br></div>

    <span style="font-size:10pt; font-family: 'Cambria','times new roman','garamond',serif; color:#928E8E;">This e-mail and any information included within any attached document are private and confidential and intended solely for the addressee. Company name does not accept any legal responsibility for the contents of this message and any attached documents. If you are not the intended addressee, it is forbidden to disclose, use, copy, or forward any information within the message or engage in any activity regarding the contents of this message. In such case please notify the sender and delete the message from your system immediately. Company name also denounces any legal responsibility for any amendments made on the electronic message and the outcome of these amendments, as well as any error and/or defect, virus content and any damage that may be given to your system.</span>
    <span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: 'Calibri',Arial,sans-serif; "><a href="">Company Name </a></span><br><br>
    </div>

    I have highlighted the customizable part of the code in Yellow and red so you can change it or configure it according to how you want it to fit for you.
    The Display name, Department, Email, etc. are all variables for user attributes, and they are pulled from Microsoft Azure AD, so if your users don’t have that information filled in there, nothing will be shown for those fields.

    Note that for the red highlighted link you must use only an “HTTP” link to the uploaded logo of your company. HTTPS won’t be accepted or read.

    If you’re an HTML noob, you can use the following links for testing and changing colors, etc.
    For color changing

    Using the website, you can copy the code on the left pane and click on see results and it’ll show you the result on the right pane


    Once you’re done with the code, you will have to copy and paste the link in the disclaimer part on the right pane. Next, click Save; this will probably take about 10 minutes or less to be applied.


    To test if this is going to work, I will go on one of the users that I applied the rule for and fill out their details like display name, e-mail, street ..etc and try to send out an email with this user.


    Mail is empty as you can see


    Configure External and Internal URL in Exchange 2016


    After installing and configuring Exchange 2016, setting up URLs is another important step. Exchange 2016 uses IIS web virtual directories to provide various Exchange services. These virtual directories have different URLs, which can be the same or different for internal and external users depending upon the installation scenario. In this post, I will show the steps to configure the external and internal URLs in Exchange 2016.

    Before you start URL configuration, you need to plan what domain names you will use to access Exchange services from inside the network and from the Internet. The diagram below shows very simple Exchange deployment. We have split-DNS where internal users hit internal DNS server and external (Internet) users hit external DNS (example GoDaddy DNS) servers. Here, internal domain is (root domain of AD forest). So, for internal users the domain name to access outlook on the web can be and we can use same domain name for Internet users as well. Add CNAME record for domain name in both internal and external DNS server. Similarly, add MX record for domain in external DNS server using control panel of hosting provider (example GoDaddy). You can perform NAT (Network Address Translation) on the router to translate required public IP and ports to MBG-EX01 host.

    The important virtual directories are OWA, ActiveSync, Autodiscover, ECP and Outlook Anywhere. You can view all the virtual directories in Internet Information Services (IIS).

    Exchange 2016 consists of two roles, the Mailbox and Edge Transport roles. The Mailbox role has three services: client access service, transport service and mailbox service. The client access service is also called the front end, and the transport and mailbox services are called the back end. In IIS there are two websites, Default Web Site and Exchange Back End. Default Web Site corresponds to the client access service (Front End) and Exchange Back End corresponds to the mailbox service (Back End).

    So, here I will configure single domain to access various Exchange services. For example, to access outlook on the web from internal and external network. Similarly, to access Exchange Admin Center from internal and external network. We will use same domain name for other Exchange services as well, like EWS, ActiveSync, etc.

    Log on to the Exchange Admin Center (EAC). Click servers in the features pane. Select the virtual directories tab. Here you can configure the URLs of the various virtual directories.

    Step 1: Outlook Web Access

    Outlook web access virtual directory is used to access outlook on the web service of Exchange 2016. To configure URL of OWA double-click owa (Default Web Site).


    In the general page, type for both Internal and External URL as shown above. Click save. Users will now have to type in their browsers to access outlook on the web.

    Step 2: Exchange Control Panel

    The Exchange Control Panel virtual directory is used to access the Exchange Admin Center to manage the Exchange server. Double-click ecp (Default Web Site).


    Configure internal and external URL. Administrators now need to type to access Exchange Admin Center.

    Step 3: ActiveSync

    ActiveSync is used by mobile phones to send and receive emails, calendar info, etc. Double-click Microsoft-Server-ActiveSync (Default Web Site).

    Type for both internal and external URL. Click save.

    Step 4: Offline Address Book (OAB)

    The OAB virtual directory is used by Outlook clients in cached mode to download address lists so that they can browse address lists even when they are not connected to the Exchange server. Double-click OAB (Default Web Site).

    Configure external and internal URLs. Type for both URLs. Click save.

    Step 5: Exchange Web Services (EWS)

    EWS virtual directory provides many services like service availability, calendar sharing, automatic reply, mail tips etc. Double-click EWS (Default Web Site).


    Type for both external and internal URL. Click save.

    Step 6: Outlook Anywhere

    Exchange 2016 uses the MAPI over HTTP protocol by default. Outlook Anywhere (RPC over HTTP) is now the fallback method and is used if clients don’t support MAPI over HTTP. Outlook Anywhere is used by Outlook to connect to the Exchange server directly from the Internet. Click the servers tab. Double-click the server in the list. Click Outlook Anywhere on the page.

    Type for both internal and external. Click save.

    Step 7: MAPI over HTTP

    MAPI over HTTP was introduced in Exchange 2013 SP1. It is now the default protocol and is enabled by default in Exchange 2016. You can configure the URL for MAPI over HTTP using the Exchange Management Shell (EMS) only. Open EMS and type the following cmdlet to set the external and internal URL for the MAPI virtual directory.

    [PS] C:\> Set-MapiVirtualDirectory -Identity "MBG-EX01\mapi (Default Web Site)" -InternalUrl -ExternalUrl -IISAuthenticationMethods Negotiate

    To verify the MAPI URLs, type the following cmdlet in EMS:

    [PS] C:\>Get-MapiVirtualDirectory -Identity "MBG-EX01\mapi (Default Web Site)" | fl server, internalurl, externalurl

    To verify that MAPI is actually enabled, type: Get-OrganizationConfig | fl *mapi*

    Step 8: Auto Discover

    The Auto Discover virtual directory lets the Outlook application discover mailbox settings automatically so that users don’t have to deal with manual configuration of advanced Outlook settings. The Auto Discover feature automatically discovers mailbox settings and sets up Outlook. This feature also works for mobile phones. In Exchange 2016, you can configure the SCP for the AutoDiscover virtual directory from the Exchange Management Shell (EMS). The command below will update the SCP (Service Connection Point) object. The SCP is an Active Directory object and is used by internal domain-joined clients to retrieve the autodiscover URL.

    [PS] C:\Windows\system32>Set-ClientAccessService -Identity MBG-EX01 -AutoDiscoverServiceInternalUri

    To verify the URL, type the following command in the Exchange Management Shell.

    [PS] C:\Windows\system32>Get-ClientAccessService | fl AutoDiscoverServiceInternalUri
    AutoDiscoverServiceInternalUri :

    For external clients you don’t have to configure the autodiscover URL, as they will try different autodiscover URLs based on combinations of the user’s email address. In this way you can configure the URLs for the various virtual directories. You can now configure a digital certificate and set up HTTP to HTTPS redirection.

    PID 4 Using Port 80 – IIS Unable To Bind


    IIS on Windows Server 2016: port 80 is in use by PID 4 (System)!

    Running: netstat -o -n -a | findstr 0.0:80


    TCP                 LISTENING       4

    The solution is:

    stop and disable the “Windows Sync Share” service (in Italian, “Condivisione di sincronizzazione Windows”)

    On Windows Server 2012 R2 Essentials I solved it with:

    netsh http add iplisten ipaddress=::

    See also:

    How To Activate Windows 10 / Server 2016 Through Command Line

    If you are having problems activating Windows 10, Server 2016, Windows 8, or Server 2012 one of these three solutions below should get you through:

    This is handy if the GUI won’t start and you want to skip some steps to get it to work.

    1. click START (gets you to the tiles)
    2. type RUN
    3. type slui 3 and press ENTER
      1. yes, SLUI: which stands for SOFTWARE LICENSING USER INTERFACE
        1. SLUI 1 brings up the activation status window
        2. SLUI 2 brings up the activation window
        3. SLUI 3 brings up the CHANGE PRODUCT KEY window
        4. SLUI 4 brings up the CALL MICROSOFT & MANUALLY ACTIVATE window
    4. Type in your product key
    5. Have a nice day.

    1. Launch a CMD as an Administrator
    2. Type: slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
    3. Press Enter

    If your key is valid and you are connected to the internet, it should activate within a second or two.

    In Canada and the US, call the support line directly at 1 800-936-4900, otherwise, use this table of Microsoft Activation Phone Numbers to do the deed.


    The message could not be delivered to a public folder because the delivery to this address is limited to authenticated senders

    In Exchange 2013 and Exchange 2016, you need to enable permissions for anonymous users on the public folders.

    Check the current permissions with:

    Get-PublicFolder "\" -Recurse | Get-PublicFolderClientPermission | Out-File -FilePath "c:\Temp\PFPerms.txt"

    Assign the permissions to the anonymous user:

    Get-PublicFolder "\" -Recurse | Add-PublicFolderClientPermission -User Anonymous -AccessRights "CreateItems"


    See also:




    With Microsoft Exchange Server 2016 CU4, OWA in Exchange 2016 cannot be opened with the Mozilla Firefox or Google Chrome browsers, but it works with IE and Microsoft Edge. In Firefox or Chrome, the error 'NS_ERROR_NET_INADEQUATE_SECURITY' is displayed in the browser. The reason for this error is Microsoft's integration of the HTTP/2 standard into the Windows Server IIS components.

    To fix the problem, download the tool 'IISCrypto' by NARTAC SOFTWARE on your Exchange Server 2016 CU4. Both Exchange installations, on Windows Server 2012 R2 and on Windows Server 2016, can be fixed with that tool.
    Download IISCrypto

    Afterwards, run the downloaded 'IISCrypto.exe' file on your Exchange Server 2016. Maximize the application window and choose the button “Best Practices”. To start the changes, press “Apply”.


    The program will prompt you to reboot the Exchange Server.


    After the reboot of the related Exchange Server, Outlook on the web (OWA) will be reachable by any supported browser vendor.

    Emails remain stuck in the Drafts folder in Exchange 2010/2013


    When using Exchange 2010/2013, email messages may remain stuck in the mailbox's Drafts folder while there is no trace of them in Sent Items.

    When the user issues the send command, the “store driver” processes the message and hands it to the transport service, but if this does not happen (the service is unavailable or is unable to process outgoing mail), the message remains in Drafts.


    The problem may be caused by an incorrect DNS configuration, so simply connect to the Exchange Admin Center, select “servers” on the left and edit the server in question. Under “DNS lookups”, select “custom settings” and fill in both the “external DNS lookups” section and the “internal DNS lookups” section. Restart the Exchange transport service and you will see the mail being sent without problems.