
Outlook 2016 Exchange 2016 keeps asking for password



Outlook 2016 SOLELY relies on Autodiscover….

You need to make sure your OutlookAnywhere and AutoDiscover settings are set up properly along with Split-DNS. OutlookAnywhere and Split-DNS are vital for future-proofing your Exchange configuration and making it work properly now, regardless of whether you use Exchange 2007, 2010, 2013, or 2016. For Exchange 2013+, OutlookAnywhere is a requirement and Split-DNS is best practice. If you are on Exchange 2007 or 2010 and you do not have OutlookAnywhere enabled, enable OutlookAnywhere and follow this guide.

First things first: make a backup of your environment’s configuration. Run the following commands in Exchange Management Shell to back up your configuration. Don’t forget to change the Resolve-DnsName commands at the bottom so that they reflect your current OWA URL hostname and the Autodiscover record for your external domain name. The Start-Transcript/Stop-Transcript lines will output all of this to a text file in the current folder, as well as on screen.

Start-Transcript EnvironmentBackup.txt
Get-OutlookProvider | Format-List
Get-OutlookAnywhere | Format-List
Get-ClientAccessServer | Format-List
Get-ActiveSyncVirtualDirectory | Format-List
Get-AutodiscoverVirtualDirectory | Format-List
Get-EcpVirtualDirectory | Format-List
Get-OabVirtualDirectory | Format-List
Get-OwaVirtualDirectory | Format-List
Get-MapiVirtualDirectory | Format-List
Get-PowerShellVirtualDirectory | Format-List
Get-WebServicesVirtualDirectory | Format-List
Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Format-List
Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Get-ADPermission | Where-Object { $_.extendedrights -like '*routing*' } | fl identity, user, *rights
Resolve-DnsName -Type A -Name
Resolve-DnsName -Type A -Name
Resolve-DnsName -Type A -Name -Server
Resolve-DnsName -Type A -Name -Server
Resolve-DnsName -Type MX -Name -Server
Resolve-DnsName -Type TXT -Name -Server
Resolve-DnsName -Type A -Name -Server
Stop-Transcript

NOTE: If you get errors on the Resolve-DnsName commands, please use the following NSLookup Commands instead.

nslookup -type=a
nslookup -type=a
nslookup -type=a
nslookup -type=a
nslookup -type=mx
nslookup -type=txt
nslookup -type=a

Now that we have an Environment Backup, let’s proceed with the steps to fix your environment.

As DNS is a vital component in any network, please make sure that Split-DNS is set up first before doing anything else. To make sure Split-DNS is working properly, review the Environment Backup, specifically the 7 Resolve-DnsName commands at the end.

The first 2 Resolve-DnsName commands should both respond from an internal computer to the internal IP of your Exchange server (eg.
To fix the internal records, the easiest way to do this is to create a DNS Zone (Active Directory – Integrated) for (assuming that is your OWA URL) and then create a blank A Record and point it to your internal IP Address for your mail server (eg. Then create another DNS Zone (Active Directory – Integrated) for and create a blank A record and point it to the internal IP Address of your mail server (eg.

The next 2 Resolve-DnsName commands should both respond externally (Via Google’s DNS) to your external IP of the mail server (eg.
To fix the external records (more than likely, autodiscover is the one that doesn’t exist and needs to be created), on your domain’s external DNS Manager create an A record for and point it to the external IP of your mail server (eg.

The 5th Resolve-DnsName command will show you your MX records on the internet. MX Records should NOT point to an IP Address as stated in RFC1035 ( They should have a priority at the beginning where the lowest number is the preference. If you are directing inbound mail traffic to an Anti-Spam 3rd party provider, this will be the hostname(s) associated with them. In the case of an onsite appliance, create a new A record called and give it the IP for your Anti-Spam Appliance, and then set the MX Records to 10

The 6th Resolve-DnsName command will show you your TXT records – these records are used for extra information in DNS, and one of the extra pieces of information you should have in there is an SPF record. A Sender Policy Framework (SPF) record identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain. If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server. You should use an SPF Generator to get the proper syntax for your SPF Record (

And the 7th Resolve-DnsName command should respond that this record does NOT EXIST. If it does resolve to an IP, there is likely a wildcard record on your domain (* that is pointing to your webserver. Some webhosting companies do this for subdomain management instead of putting an explicit hostname in their DNS records. It actually causes more problems than it fixes, so where possible, you should log into your domain’s external DNS Manager and remove the wildcard record.
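
The seven checks above can be scripted so they are repeatable after every DNS change. This is an added example, not part of the original guide: all hostnames and IP addresses are placeholders, and the random-label probe is an assumption about how to test for a wildcard record.

```powershell
# Added example, not from the original guide. Every name and address below is a
# placeholder: substitute your own OWA hostname, mail domain and server IPs.
# Run it from an internal, domain-joined machine so checks 1-2 see the internal view.
$OwaHost    = 'mail.example.com'       # placeholder OWA URL hostname
$Domain     = 'example.com'            # placeholder external mail domain
$AutoDHost  = "autodiscover.$Domain"
$InternalIP = '192.0.2.10'             # placeholder internal IP of the mail server
$ExternalIP = '198.51.100.10'          # placeholder external IP of the mail server
$PublicDns  = '8.8.8.8'                # Google's public DNS, for the external view

# Return the IPv4 addresses a name resolves to (nothing when it does not exist).
function Get-ARecord {
    param([string]$Name, [string]$Server)
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
}

function New-Check {
    param([string]$Check, [string]$Expected, [string[]]$Actual, [bool]$Pass)
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = ($Actual -join ', '); Pass = $Pass }
}

function Test-SplitDns {
    # Checks 1-2: the internal resolver must hand out the internal IP.
    foreach ($name in $OwaHost, $AutoDHost) {
        $ips = @(Get-ARecord -Name $name)
        $ok  = ($ips.Count -eq 1 -and $ips[0] -eq $InternalIP)
        New-Check -Check "internal A $name" -Expected $InternalIP -Actual $ips -Pass $ok
    }

    # Checks 3-4: a public resolver must hand out the external IP.
    foreach ($name in $OwaHost, $AutoDHost) {
        $ips = @(Get-ARecord -Name $name -Server $PublicDns)
        $ok  = ($ips.Count -eq 1 -and $ips[0] -eq $ExternalIP)
        New-Check -Check "external A $name" -Expected $ExternalIP -Actual $ips -Pass $ok
    }

    # Check 5: MX targets must be hostnames, never IP addresses.
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -Server $PublicDns -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference)
    $ipTargets = @($mx | Where-Object { $ip = $null; [ipaddress]::TryParse($_.NameExchange, [ref]$ip) })
    $shown = @($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" })
    $ok    = ($mx.Count -gt 0 -and $ipTargets.Count -eq 0)
    New-Check -Check "MX $Domain" -Expected 'hostname targets only' -Actual $shown -Pass $ok

    # Check 6: exactly one SPF record among the TXT records.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -Server $PublicDns -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } |
             ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -like 'v=spf1*' })
    New-Check -Check "SPF $Domain" -Expected 'exactly one v=spf1 record' -Actual $spf -Pass ($spf.Count -eq 1)

    # Check 7: a name that was never created must not resolve; if it does,
    # a wildcard record is answering for it (random label is an assumption).
    $probe = "wildcard-probe-$(Get-Random).$Domain"
    $ips   = @(Get-ARecord -Name $probe -Server $PublicDns)
    New-Check -Check "wildcard $probe" -Expected 'does not exist' -Actual $ips -Pass ($ips.Count -eq 0)
}

Test-SplitDns | Format-Table -AutoSize -Wrap
```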

After Split-DNS is confirmed working, the next things to check and fix are the Virtual Directories and the Client Access Server Autodiscover URI. All InternalUrl and ExternalUrl values should be set up using the hostname (assuming is the OWA URL that you chose). You should always use NTLM over Basic authentication as Basic sends the username and password in the clear, and NTLM doesn’t as it is Windows Authentication. On Exchange 2013+, you also have a new option called Negotiate, which is recommended, but if you have Outlook 2010 and Outlook 2007 clients, keep it with NTLM for backwards compatibility. For future-proofing, please also turn on SSLOffloading for OutlookAnywhere, which is enabled by default on Exchange 2013+ (

For Exchange 2007/2010
Set-OutlookAnywhere -Identity 'SERVER\Rpc (Default Web Site)' -SSLOffloading $true -ClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM

For Exchange 2013+ with backwards compatibility with Outlook 2010 and 2007
Set-OutlookAnywhere -Identity 'SERVER\Rpc (Default Web Site)' -SSLOffloading $true -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM,Negotiate

For Exchange 2013+ with Outlook 2013+
Set-OutlookAnywhere -Identity 'SERVER\Rpc (Default Web Site)' -SSLOffloading $true -ExternalClientAuthenticationMethod Negotiate -InternalClientAuthenticationMethod Negotiate -IISAuthenticationMethods Basic,NTLM,Negotiate

Now that we’ve got OutlookAnywhere configured, let’s configure the OutlookProvider settings. By default three Outlook Providers are used to configure settings individually for Exchange RPC protocol or internal clients (EXCH), Outlook Anywhere (EXPR) and WEB.

The EXCH setting references the Exchange RPC protocol that is used internally. This setting includes port settings and the internal URLs for the Exchange services that you have enabled.
The EXPR setting references the Exchange HTTP protocol that is used by Outlook Anywhere. This setting includes the external URLs for the Exchange services that you have enabled, which are used by clients that access Exchange from the Internet.
The WEB setting contains the best URL for Outlook Web Access for the user to use. This setting is not in use.

To harden security, it is best practice to set the CertPrincipalName for each of the Outlook Providers (it is also required if you have any lingering XP Clients that will use Outlook). This will make sure that only a certificate with a specific subject name will be accepted.

Set the CertPrincipalName for the OutlookProvider settings.

Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:(Subject name of certificate)
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:(Subject name of certificate)
Set-OutlookProvider -Identity WEB -CertPrincipalName msstd:(Subject name of certificate)

Set the Client Access Server’s Autodiscover record to the OWA Hostname:
Set-ClientAccessServer -Identity 'SERVER' -AutoDiscoverServiceInternalUri 'https://OWAHOSTNAME/Autodiscover/Autodiscover.xml'

Set all VirtualDirectories (VDs) to the OWA Hostname using HTTPS except for the AutodiscoverVirtualDirectory which gets set to blank ($null) for InternalURL and ExternalURL. We will also turn on -RequireSSL for OWA and PowerShell VDs. We also will set the InternalNLBBypassUrl to $null. For most this works fine, however if you are using multiple exchange servers in an NLB Cluster or crossing Active Directory sites, don’t set that to null. More information here:

Set-ActiveSyncVirtualDirectory -Identity 'SERVER\Microsoft-Server-ActiveSync (Default Web Site)' -ActiveSyncServer 'https://OWAHOSTNAME/Microsoft-Server-ActiveSync' -InternalUrl 'https://OWAHOSTNAME/Microsoft-Server-ActiveSync' -ExternalUrl 'https://OWAHOSTNAME/Microsoft-Server-ActiveSync'
Set-EcpVirtualDirectory -Identity 'SERVER\ecp (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/ecp' -ExternalUrl 'https://OWAHOSTNAME/ecp'
Set-OabVirtualDirectory -Identity 'SERVER\OAB (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/OAB' -ExternalUrl 'https://OWAHOSTNAME/OAB' -RequireSSL $true
Set-OwaVirtualDirectory -Identity 'SERVER\owa (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/owa' -ExternalUrl 'https://OWAHOSTNAME/owa'
Set-AutodiscoverVirtualDirectory -Identity 'SERVER\Autodiscover (Default Web Site)' -InternalUrl $null -ExternalUrl $null
Set-MapiVirtualDirectory -Identity 'SERVER\mapi (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/mapi' -ExternalUrl 'https://OWAHOSTNAME/mapi'
Set-PowerShellVirtualDirectory -Identity 'SERVER\PowerShell (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/powershell' -ExternalUrl 'https://OWAHOSTNAME/powershell' -RequireSSL $true
Set-WebServicesVirtualDirectory -Identity 'SERVER\EWS (Default Web Site)' -InternalUrl 'https://OWAHOSTNAME/ews/exchange.asmx' -ExternalUrl 'https://OWAHOSTNAME/ews/exchange.asmx' -InternalNLBBypassUrl $null
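
After running the Set- commands above, a read-only audit confirms that nothing was missed: every URL on HTTPS and on the OWA hostname, Autodiscover URLs blank, no Basic client authentication on OutlookAnywhere, and CertPrincipalName set on each provider. This is an added example, not part of the original guide; `mail.example.com` is a placeholder and the function names are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell after applying the settings.
# It only reads configuration; it changes nothing.
$OwaHost = 'mail.example.com'   # placeholder for your OWA hostname

function New-Finding($Object, $Setting, $Value, $Problem) {
    [pscustomobject]@{ Object = "$Object"; Setting = $Setting; Value = "$Value"; Problem = $Problem }
}

# Problem text for a URL that should be https://<OWA hostname>/..., or nothing if it is fine.
function Test-OwaUrl($Url) {
    $text = "$Url"
    if (-not $text) { return 'not set' }
    $uri = [uri]$text
    if (-not $uri.IsAbsoluteUri)  { return 'not an absolute URL' }
    if ($uri.Scheme -ne 'https')  { return 'not HTTPS' }
    if ($uri.Host -ne $OwaHost)   { return "host is not $OwaHost" }
}

function Get-ExchangeUrlFinding {
    # Virtual directories that the guide points at the OWA hostname.
    $getters = 'Get-ActiveSyncVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-OwaVirtualDirectory', 'Get-MapiVirtualDirectory', 'Get-PowerShellVirtualDirectory',
               'Get-WebServicesVirtualDirectory'
    foreach ($cmd in $getters) {
        # Older versions lack some cmdlets (for example the MAPI virtual directory).
        if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) { continue }
        foreach ($vd in @(& $cmd)) {
            foreach ($prop in 'InternalUrl', 'ExternalUrl') {
                $value   = $vd.$prop
                $problem = Test-OwaUrl $value
                if ($problem) { New-Finding $vd.Identity $prop $value $problem }
            }
        }
    }

    # The Autodiscover virtual directory is the exception: both URLs stay blank.
    foreach ($vd in @(Get-AutodiscoverVirtualDirectory)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $value = $vd.$prop
            if ("$value") { New-Finding $vd.Identity $prop $value 'should be blank ($null)' }
        }
    }

    # The Autodiscover service URI on each Client Access Server.
    foreach ($cas in @(Get-ClientAccessServer)) {
        $value   = $cas.AutoDiscoverServiceInternalUri
        $problem = Test-OwaUrl $value
        if ($problem) { New-Finding $cas.Name 'AutoDiscoverServiceInternalUri' $value $problem }
    }

    # OutlookAnywhere: clients should be told NTLM or Negotiate, never Basic.
    $authProps = 'ClientAuthenticationMethod', 'InternalClientAuthenticationMethod',
                 'ExternalClientAuthenticationMethod'
    foreach ($oa in @(Get-OutlookAnywhere)) {
        foreach ($prop in $authProps) {
            $value = $oa.$prop
            if ("$value" -eq 'Basic') { New-Finding $oa.Identity $prop $value 'Basic client authentication' }
        }
        if (-not $oa.SSLOffloading) {
            New-Finding $oa.Identity 'SSLOffloading' $oa.SSLOffloading 'guide sets this to $true'
        }
    }

    # Outlook providers: the guide pins the accepted certificate name on EXCH, EXPR and WEB.
    foreach ($provider in @(Get-OutlookProvider)) {
        if (-not $provider.CertPrincipalName) {
            New-Finding $provider.Name 'CertPrincipalName' '' 'not set'
        }
    }
}

$findings = @(Get-ExchangeUrlFinding)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap }
else { 'All checked settings match the guide.' }
```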

Set the FQDN option of all the enabled Send Connectors:
Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Set-SendConnector -Fqdn OWAHOSTNAME

If you have ever examined an email message header, you would have noticed that it contains internal Exchange server FQDN information and IP addresses. This exposes the AD domain details of your network to the outside world. To prevent this information from escaping your network onto the Internet, you can use the Exchange header firewall to hide the internal server information. You do this by taking away the rights to send the internal details in a message header (ms-Exch-Send-Headers-Routing) on the send connector you use to send email on the internet.

Remove ms-Exch-Send-Headers-Routing rights on ALL Active Send Connectors:
Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Remove-ADPermission -User 'Nt Authority\Anonymous Logon' -ExtendedRights 'ms-Exch-Send-Headers-Routing'

Remove ms-Exch-Send-Headers-Routing rights on specific Active Send Connectors:
Get-SendConnector -Identity CONNECTORNAME | Remove-ADPermission -User 'Nt Authority\Anonymous Logon' -ExtendedRights 'ms-Exch-Send-Headers-Routing'

Restart IIS and the Microsoft Exchange Transport Services to make the changes take effect immediately.
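
To confirm the header firewall is working, send a test message to an external mailbox and check its raw headers for internal names and addresses. The following is an added example, not part of the original guide; the sample headers are constructed, and `corp.example.local` is a placeholder for your internal AD domain.

```powershell
# Added example, not from the original guide. Scans the Received headers of a
# message for RFC 1918 addresses and hostnames under an internal DNS suffix.
function Find-InternalHeaderLeak {
    param(
        [Parameter(Mandatory = $true)][string]$RawHeaders,
        [string[]]$InternalSuffix = @('corp.example.local')   # placeholder AD domain
    )

    # Unfold continuation lines: a line that starts with whitespace belongs to
    # the header above it.
    $lines = ($RawHeaders -replace "\r?\n[ \t]+", ' ') -split "\r?\n"

    # 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
    $private = '\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|' +
               '172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|' +
               '192\.168\.\d{1,3}\.\d{1,3})\b'

    foreach ($line in $lines) {
        if ($line -notmatch '^Received:') { continue }

        $hits = @()
        $hits += @([regex]::Matches($line, $private) | ForEach-Object { $_.Value })
        foreach ($suffix in $InternalSuffix) {
            $pattern = '[\w.-]+\.' + [regex]::Escape($suffix)
            $hits += @([regex]::Matches($line, $pattern, 'IgnoreCase') | ForEach-Object { $_.Value })
        }

        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Leaked = (@($hits | Select-Object -Unique) -join ', ')
                Header = $line
            }
        }
    }
}

# Constructed sample: the first Received header exposes an internal hop,
# the second shows only public names and addresses.
$sample = @"
Received: from EX01.corp.example.local (10.1.20.15) by
 EX02.corp.example.local (10.1.20.16) with Microsoft SMTP Server (TLS)
Received: from mail.example.com (198.51.100.10) by mx.recipient.example
 (203.0.113.5) with ESMTPS
Subject: constructed test message
"@

Find-InternalHeaderLeak -RawHeaders $sample | Format-List
```

With the permission removed and the services restarted, a message received externally should produce no output from this check.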

Making OWA easily accessible to users:
Another thing that is really handy is to make OWA accessible by HTTP redirecting to HTTPS so that your users don’t have to remember to type HTTPS. The easiest and the best way that I’ve found to do this is to edit the Default Website’s Error Pages and set the 403 error to redirect to You will need to re-apply this after every Cumulative Update (CU) that you perform as the CUs will revert these settings to defaults.

To do this:

1. Open IIS
2. Navigate to the Default Web Site on the left.
3. On the right, double-click on Error Pages
4. Double click on the 403 Status Code.
5. Change the Response Action to ‘Respond with a 302 redirect’ and in the Absolute URL: type in
6. Press OK and close IIS.
7. Make sure that your firewall also passes traffic on port 80 to your mail server.
8. In your browser, type in and hit enter. It should find it and redirect you to the OWA Login.

SSL Certificates

If you don’t already have a proper 3rd party certificate, I would suggest taking the plunge for $29.88 USD – – NameCheap has PositiveSSL Multi-Domain certs with the first 3 hostnames included. You’re going to need at least 2 – (OWA URL, and Subject of the Cert) and (Subject Alternative Name – or SAN). A wildcard certificate will work, but a SAN certificate is best practice as if a wildcard certificate is compromised, any name can be secured, but if a SAN certificate is compromised, then only those hostnames specified can be secured.

The time it will take you to troubleshoot trying to use a self-signed certificate or one from an in-house CA (if you have one)… will cost your company more money in terms of time than just buying a certificate using the link I gave you above. Oh, and I don’t make any commission or anything from that link – it’s a direct link to the SSL Cert you need.

Also, for Exchange testing, (Autodiscover and Connectivity) you can use Microsoft’s TestConnectivity site to help troubleshoot your issues.

How to Import PST into Public Folder Exchange 2013


Learn How to Import PST into Public Folder Exchange 2013

Simon | July 9th, 2016 | Forensics
A very common need for Exchange Server users is importing an Outlook PST into a public folder of Exchange 2013. Generally, it is IT admins who perform this activity. Therefore, this blog illustrates the technique for performing such import tasks.

The procedure comprises three main tasks, listed below:

  1. Generating a shared folder for performing the import task
  2. Enabling permission to perform the import operation
  3. Importing the PST into a public folder of Exchange 2013

Generating a Shared Folder

In Exchange 2013, we require a new folder that supports the import process and can be used in multiple other processes. Such a folder is known as a shared folder, generally named EXUtil$. Since Exchange 2013 has reduced the use of the console environment and has adopted a web interface, we require a folder that can be created anywhere on the network.
Create such a folder for performing the import procedure and, for better performance, add Exchange Trusted Subsystem to the Share and Security level permissions of the EXUtil$ folder.

Enabling Import Permissions

Exchange users must have permission enabled in their account for importing the PST files. Hence, before proceeding further go through the following steps to enable the import permission, which is by default disabled in Exchange 2013:
  1. Log in to your Exchange 2013 admin account
  2. Click on the permissions option in the menu on the left-hand side of the screen
  3. Click on Recipient Management and, in the left window pane, check the Assigned Roles list. Search this list for the Mailbox Import Export option. If you find the option, stop the procedure here and start the import procedure. Otherwise, continue with step 4
  4. Click on the pencil icon in the middle pane of the window
  5. A Role Group window for adding new roles will now appear. In this window, click on the + button to continue
  6. In the Select a Role window, select the Mailbox Import/Export option and then click on add >> OK
  7. Go to the permissions option >> Recipient Management again and you will find the Mailbox Import Export option in the Assigned Roles section
  8. Now open PowerShell of Exchange 2013 on your machine and execute the following command:
    New-ManagementRoleAssignment -Role "Mailbox Import Export" -User (user_name)
    NOTE: Fill the bracket with relevant user name.
  9. Now log out of your Exchange account and then log in again.
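
The Mailbox Import Export role lets its holder import to and export from any mailbox, and the steps above grant it both to a role group and to an individual user, so it is worth listing who effectively holds it once the import is done. This is an added example, not part of the original post; the names in `$Approved` are placeholders.

```powershell
# Added example: run in the Exchange Management Shell. Read-only except for the
# last pipeline, which uses -WhatIf and therefore only reports what it would do.
$Approved = @('Import Operator')   # placeholder: display names allowed to hold the role

# -GetEffectiveUsers expands role groups and security groups into their members.
$holders = Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne 'All Group Members' }

$report = $holders | Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType,
    AssignmentMethod, Name,
    @{ Name = 'Approved'; Expression = { $Approved -contains $_.EffectiveUserName } }

# Who holds the role, and through which assignment (direct, or via which group).
$report | Sort-Object Approved, EffectiveUserName | Format-Table -AutoSize -Wrap

# Direct assignments to accounts that are not on the approved list are the ones
# created for a one-off import. Drop -WhatIf to actually remove them.
$report |
    Where-Object { -not $_.Approved -and $_.AssignmentMethod -eq 'Direct' } |
    ForEach-Object { Remove-ManagementRoleAssignment -Identity $_.Name -WhatIf }
```

Holders that show a role group in RoleAssigneeName got the role through the group, so those are corrected by editing the group's roles or membership rather than by removing a direct assignment.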

Steps to Import PST into Public Folder Exchange 2013

  1. Click on the … icon and then select the Import PST option from the drop-down list
  2. In the import wizard, enter the location of the PST file that was saved in the shared folder and then click on the Next button.
  3. Select the destination mailbox where you want to archive the imported data and then click on Next.
  4. If you do not want an email to be generated after the import procedure completes, click on the Finish button; otherwise go to step 5.
  5. Tick the Send email option and select the mailboxes to which you want to send the process completion mail. Finally, click on the Finish button to import the PST into the public folder of Exchange 2013.


In this blog, we covered complete steps for importing PST files into Public folder by making use of Exchange server 2013. One should have the knowledge to use Exchange Admin Center (EAC), which is the web interface of Exchange 2013 to import PST into public folder of Exchange 2013.

Setting up signature or disclaimer for all users in Office 365 Exchange online


In order to set up a signature for all Office 365 Exchange Online users without manually configuring each client, you can use mail flow rules to append the signature to every outgoing email.
To do so, go to the Office 365 Exchange admin portal, then navigate to Mail flow –> choose Rules and click on the + sign.

Click on “Apply disclaimers…”

When the new rule opens up, you will have to give it a name and apply a condition for the rule. An empty form looks like this one:


But here’s what mine looks like:
I chose the sender address includes “Specific domain”, then in the append the disclaimer part I entered HTML code which includes all user details.

After applying the disclaimer I chose to wrap it up, and then in the exception part I added a rule that excludes adding the disclaimer and signature to any reply message by reading the “RE” word in the subject field.

Now the disclaimer code is as follows, and you may want to configure or customize it according to your needs.


<div style="font-size:9pt; font-family: 'Calibri',sans-serif;">
<div><img alt="Logo" src=""><p><p><p>Tel: %%PhoneNumber%%<br>
Gsm: %%MobileNumber%%<br>
Fax: %%FaxNumber%%<br>
<span style="font-size:12pt; font-family: 'Cambria','times new roman','garamond',serif; color:#100101;">Disclaimer</span><br>
<p style="font-size:8pt; line-height:10pt; font-family: 'Cambria','times roman',serif;"> ________________________________________
<span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: 'Calibri',Arial,sans-serif; "><a href=""></a></span><br></div>

<span style="font-size:10pt; font-family: 'Cambria','times new roman','garamond',serif; color:#928E8E;">This e-mail and any information included within any attached document are private and confidential and intended solely for the addressee. Company name does not accept any legal responsibility for the contents of this message and any attached documents. If you are not the intended addressee, it is forbidden to disclose, use, copy, or forward any information within the message or engage in any activity regarding the contents of this message. In such case please notify the sender and delete the message from your system immediately. Company name also denounces any legal responsibility for any amendments made on the electronic message and the outcome of these amendments, as well as any error and/or defect, virus content and any damage that may be given to your system.</span>
<span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: 'Calibri',Arial,sans-serif; "><a href="">Company Name </a></span><br><br>
</div>

I have highlighted the customizable part of the code in yellow and red so you can change or configure it to fit your needs.
The Display name, Department, Email, etc. are all variables for user attributes, and they are pulled from Microsoft Azure AD, so if your users don’t have any information filled in there, those fields likely won’t show anything.

Note: for the red highlighted link you will have to use only an “HTTP” link for the uploaded logo of your company. HTTPS won’t be accepted or read.

If you’re an HTML noob , you can use the following links for testing and changing colors..etc
For color changing

Using the website, you can copy the code on the left pane and click on see results and it’ll show you the result on the right pane


Once you’re done with the code, you will have to copy and paste the link in the disclaimer part on the right pane. Next click Save; this will probably take about 10 minutes or less to be applied.


To test if this is going to work, I will go to one of the users that I applied the rule for, fill out their details like display name, e-mail, street, etc., and try to send out an email as this user.


Mail is empty as you can see


Configure External and Internal URL in Exchange 2016



After installing and configuring Exchange 2016, setting up URLs is another important step. Exchange 2016 uses IIS web virtual directories to provide various Exchange services. These virtual directories have different URLs, which can be the same or different for internal and external users depending on the installation scenario. In this post, I will show the steps to configure external and internal URLs in Exchange 2016.


Before you start URL configuration, you need to plan what domain names you will use to access Exchange services from inside the network and from the Internet. The diagram below shows very simple Exchange deployment. We have split-DNS where internal users hit internal DNS server and external (Internet) users hit external DNS (example GoDaddy DNS) servers. Here, internal domain is (root domain of AD forest). So, for internal users the domain name to access outlook on the web can be and we can use same domain name for Internet users as well. Add CNAME record for domain name in both internal and external DNS server. Similarly, add MX record for domain in external DNS server using control panel of hosting provider (example GoDaddy). You can perform NAT (Network Address Translation) on the router to translate required public IP and ports to MBG-EX01 host.


Important virtual directories are OWA, ActiveSync, Autodiscover, ECP and Outlook Anywhere. You can view all the virtual directories in Internet Information Services (IIS).


Exchange 2016 consists of two roles, the Mailbox role and the Edge Transport role. The Mailbox role has three services: client access service, transport service and mailbox service. The client access service is also called the front end, and the transport and mailbox services are called the back end. In IIS there are two websites, Default Web Site and Exchange Back End. Default Web Site corresponds to the client access service (Front End) and Exchange Back End corresponds to the mailbox service (Back End).

So, here I will configure single domain to access various Exchange services. For example, to access outlook on the web from internal and external network. Similarly, to access Exchange Admin Center from internal and external network. We will use same domain name for other Exchange services as well, like EWS, ActiveSync, etc.

Log on to Exchange Admin Center (EAC). Click servers in the features pane. Select the virtual directories tab. Here you can configure the URLs of the various virtual directories.


Step 1: Outlook Web Access

Outlook web access virtual directory is used to access outlook on the web service of Exchange 2016. To configure URL of OWA double-click owa (Default Web Site).


In the general page, type for both Internal and External URL as shown above. Click save. Users will now have to type in their browsers to access outlook on the web.

Step 2: Exchange Control Panel

Exchange Control Panel virtual directory is used to access Exchange Admin Center to manage Exchange server. Double-click ecp(Default Web Site).


Configure internal and external URL. Administrators now need to type to access Exchange Admin Center.

Step 3: ActiveSync

ActiveSync is used by mobile phones to send and receive emails, calendar info, etc. Double-click Microsoft-Server-ActiveSync(Default Web Site).


Type for both internal and external URL. Click save.

Step 4: Offline Address Book (OAB)

OAB virtual directory is used by outlook clients in cache mode to download address lists so that they can browse address lists even when they are not connected to Exchange server. Double-click OAB (Default Web Site).


Configure external and internal URLs. Type for both URLs. Click save.

Step 5: Exchange Web Services (EWS)

EWS virtual directory provides many services like service availability, calendar sharing, automatic reply, mail tips etc. Double-click EWS (Default Web Site).


Type for both external and internal URL. Click save.

Step 6: Outlook Anywhere

Exchange 2016 uses the MAPI over HTTP protocol by default. Outlook Anywhere (RPC over HTTP) is now the fallback method and is used if a client doesn’t support MAPI over HTTP. Outlook Anywhere is used by Office Outlook to connect to the Exchange server directly from the Internet. Click the servers tab. Double-click the server in the list. Click Outlook Anywhere on the page.


Type for both internal and external. Click save.

Step 7: MAPI over HTTP

MAPI over HTTP was introduced in Exchange 2013 SP1. It is now default protocol and enabled by default in Exchange 2016. You can configure URL for MAPI over HTTP using Exchange Management Shell (EMS) only. Open EMS and type following cmdlet to set external and internal URL for MAPI virtual directory.

[PS] C:\> Set-MapiVirtualDirectory -Identity "MBG-EX01\mapi (Default Web Site)" -InternalUrl -ExternalUrl -IISAuthenticationMethods Negotiate

To verify MAPI URLs type following cmdlet in EMS as shown below,

[PS] C:\>Get-MapiVirtualDirectory -Identity "MBG-EX01\mapi (Default Web Site)" | fl server, internalurl, externalurl


To verify that MAPI is actually enabled, type Get-OrganizationConfig | fl *mapi*


Step 8: Auto Discover

The Auto Discover virtual directory lets the Outlook application discover mailbox settings automatically so that users don’t have to deal with manual configuration of advanced Outlook settings. The Auto Discover feature automatically discovers mailbox settings and sets up Outlook. This feature also works for mobile phones. In Exchange 2016, you can configure the SCP for the AutoDiscover virtual directory from Exchange Management Shell (EMS). The command below will update the SCP (Service Connection Point) object. The SCP is an Active Directory object and is used by internal domain-joined clients to retrieve the autodiscover URL.

[PS] C:\Windows\system32>Set-ClientAccessService -Identity MBG-EX01 -AutoDiscoverServiceInternalUri

To verify the URL type following command in Exchange Management Shell.

[PS] C:\Windows\system32>Get-ClientAccessService | fl AutoDiscoverServiceInternalUri

AutoDiscoverServiceInternalUri :

For external clients you don’t have to configure autodiscover URL as they will try different autodiscover URLs based on combination of user’s email address. In this way you can configure URL for various virtual directories. You can now configure digital certificate and setup HTTP to HTTPS redirection.



With Microsoft Exchange Server 2016 CU4, OWA in Exchange 2016 cannot be opened with the Mozilla Firefox or Google Chrome browser, but it works with IE and Microsoft Edge. In Firefox or Chrome the error 'NS_ERROR_NET_INADEQUATE_SECURITY' is displayed in the browser. The reason for this error is the integration of the HTTP/2 standard in the Windows Server IIS components by Microsoft.

To fix the problem, download the tool 'IISCrypto' by NARTAC SOFTWARE onto your Exchange Server 2016 CU4. Both Exchange installations, on Windows Server 2012 R2 and on Windows Server 2016, could be fixed with that tool.
Download IISCrypto

Afterwards, run the downloaded 'IISCrypto.exe' file on your Exchange Server 2016. Maximize the application window and choose the button “Best Practices”. To start the changes press “Apply”.


The program will prompt you to reboot the Exchange Server.


After the reboot of the related Exchange Server, Outlook on the web (OWA) will be reachable with any supported browser.

Emails remain stuck in the Drafts folder in Exchange 2010/2013


When using Exchange 2010/2013, email messages may remain stuck in the mailbox's Drafts folder, with no trace of them in Sent Items.

When the user issues the send command, the “store driver” processes the message and hands it over to the transport service; if this does not happen (the service is unavailable or is unable to process outgoing mail), the message stays in Drafts.


The problem may be caused by an incorrect DNS configuration, so simply connect to the Exchange Admin Center, select “servers” on the left and edit the server in question. Under “DNS lookups” select “custom settings” and fill in both the “external DNS lookups” section and the “internal DNS lookups” section. Restart the Exchange transport service and you will see the mail sent without problems.

How to manually purge Exchange server logs – clean and easy

This example will show you how to purge the logs for a database that is located on drive D. We will “fake backup” drive D, and this will trigger the logs to be purged.

  1. Open Command prompt
  2. Launch Diskshadow
    1. Add volume d:
    2. Begin Backup
    3. Create
    4. End Backup
  3. At this step you should notice the following events in the application log indicating that the backup was indeed successful and logs will now be deleted.


Upgrade Exchange 2010 SP1 or SP2 to SP3 for SBS 2011 Standard


Install Exchange 2010 SP3 on SBS 2011


1) Ensure that there is a good, full backup of VM or server

2) Make sure that you DO NOT have Windows Management Framework (WMF) 3.0 installed on the server

  • From a command prompt run: wmic qfe list | findstr "2506143"
  • or look for KB2506143. You will need to uninstall this patch and then reboot the server before you install the SP3 upgrade

3) Ensure the account running the update is a member of Schema Admins and Enterprise Admins as SP3 involves an AD schema update

4) Reboot server before upgrading if not already rebooted from above step – Definitely recommended

  • Not required but allows for a clean start up, frees up resources and releases connections
  • Also ensures that in the event any “Previous installations” were attempted and NOT completed the server is rebooted to a ready state

5) Export current Certificate for mail services with private key

  • If the mail server certificate isn’t already fully exported and nicely tucked away somewhere safe and accessible then do so before performing the upgrade….JUST IN CASE

6) Stop Backup Exec services if in use

7) Turn off SBS manager in services

8) Stop BES services (if applicable) in correct order

To stop the services:

BlackBerry Controller

BlackBerry Dispatcher

BlackBerry Router

All remaining BlackBerry Enterprise Server services

9) Disable Anti Virus services

  • Disable the services; don’t just stop “real time scanning”. Leaving them running will cause the Languages install phase to stall, and I have seen users report times of up to 1.5 hours to complete…JUST THIS PHASE

10) Install Exchange SP3

11) Upon SP3 completion launch Exchange Management Shell and execute:

get-exchangeserver | fl name,edition,admindisplayversion


12) In Internet Explorer deselect “Check for publisher’s certificate revocation” and “Check for server certificate revocation”


When you install an update rollup package, Exchange tries to connect to the certificate revocation list (CRL) Web site. Exchange examines the CRL list to verify the code signing certificate. If Exchange can’t connect to the CRL Web site, the following symptoms may occur:

  • The installation takes a long time to complete.
  • You receive the following message during the installation: Creating native images for .Net assemblies

To avoid this, turn off the check before installing:

  • Start Internet Explorer
  • On the Tools menu, click Internet Options
  • Click the Advanced tab, and then locate the Security section
  • Clear the Check for publisher’s certificate revocation check box, and then click OK


13) Update to latest rollup

14) Set Anti Virus “real time scanning” back to automatic (or its previous startup state)

15) In Internet Explorer select “Check for publisher’s certificate revocation” and “Check for server certificate revocation”

16) Reboot server

17) Ensure all required services are running
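A scripted version of the checks in steps 2 and 3, plus a confirmation after step 15 that certificate revocation checking has been switched back on. This is an added example, not part of the original guide; the function names are made up, and the registry locations are the ones that normally back the two Internet Options check boxes, not values taken from the guide.

```powershell
# Added example, not from the original guide. PowerShell 2.0 compatible, since
# WMF 3.0 must stay off this server. Run elevated as the account doing the upgrade.

function Test-Sp3Preflight {
    # Step 2: WMF 3.0 is delivered as KB2506143 and must be absent.
    $wmf3 = Get-HotFix -Id 'KB2506143' -ErrorAction SilentlyContinue

    # Step 3: enabled groups in the current token (names assume an English AD).
    $groups = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object {
            try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
        })

    New-Object PSObject -Property @{
        Wmf3Absent      = ($null -eq $wmf3)
        SchemaAdmin     = [bool]($groups -like '*\Schema Admins')
        EnterpriseAdmin = [bool]($groups -like '*\Enterprise Admins')
    }
}

function Test-RevocationChecksRestored {
    # Steps 12 and 15 change per-user settings, so run this as the same user.
    $wt = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
    $is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $state = (Get-ItemProperty -Path $wt -ErrorAction SilentlyContinue).State
    $crl   = (Get-ItemProperty -Path $is -ErrorAction SilentlyContinue).CertificateRevocation

    New-Object PSObject -Property @{
        # Bit 0x200 in State means "ignore revocation" for publisher certificates.
        # A missing value is reported as not confirmed (False).
        PublisherCheckOn = (($null -ne $state) -and (($state -band 0x200) -eq 0))
        # 1 means "Check for server certificate revocation" is ticked.
        ServerCheckOn    = ($crl -eq 1)
    }
}

# Before step 10: every property should be True.
Test-Sp3Preflight | Format-List

# After step 15: both properties should be True again.
Test-RevocationChecksRestored | Format-List
```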

Exchange 2013 Step by Step Configuration


Written by Allen White on. Posted in Exchange 2013

This guide is a combination of all the Exchange 2013 guides already on the site, but in the order I would configure Exchange 2013 in, from out-of-the-box installation through to spam configuration and setting up an SSL cert in Exchange 2013. Treat this article as your main Exchange 2013 configuration guide. All the pages will open in a new window.

Deployment Scenario

This solution is based on a new Exchange 2013 environment; no Exchange servers have previously been installed on this domain. If you are migrating from Exchange 2010, then the version of Exchange 2013 you will need is Exchange 2013 CU2 at minimum (find that here), and your Exchange 2010 will need to be at Service Pack 3 before you install Exchange 2013 into your organization (find that here). This deployment is greenfield and will work on Server 2008 R2 or, as I have written it, on Server 2012.

First we need to actually install Exchange 2013; this is on Server 2012. This article is located here.

How Do I Configure Exchange 2013?

Once Exchange 2013 is installed we then need to enter the product key for Exchange 2013 to enable certain features and be licensed correctly.

Now that the Exchange 2013 product key is entered, we are ready to configure Exchange 2013. We will first set up the Send Connector so we can send mail out.

If you decided you want to put a limit on the size of email you send out on the send connector then use this guide.

Once that is done, we need to configure and check that Exchange 2013 is ready to accept mail for your domain. The receive connector is set to receive mail from external domains by default; we now need to tell Exchange 2013 what domains to accept mail for.

As we are sending and receiving mail now, we should really think about anti-spam measures. Let’s now set up Exchange 2013 anti-spam to stop users getting lots of junk mail.

Now that our email is secure and safe, we can add users to Exchange 2013 so they can start to send and receive mail. First, so that Outlook or your email client can connect to Exchange and configure itself automatically, create an A record called Autodiscover in DNS and point it to the IP address of the Exchange server with the CAS role. Then use the guide below to create your users.

As users are now sending email to and from the domain, we really should add a disclaimer to Exchange 2013.

So email is now flowing, we are protected from spam, and we also issue a disclaimer when sending email out. Let’s think about when users attach through OWA: we need to secure Exchange 2013 with an SSL certificate.

Now that you have followed all the Exchange 2013 guides, you will have a fully functioning Exchange 2013 environment. If you want to optimize Exchange 2013 even more, then check out the Exchange 2013 category for more articles, such as catch-all mailboxes and many more. Hope this helps.

FINALLY! For much more information on what you can and cannot do in Exchange 2013, check out the What’s New section for Exchange 2013 from Microsoft.
What’s new in Exchange 2013.

Send on Behalf and Send As



Send on Behalf and Send As are similar. Send on Behalf allows a user to send as another user while showing the recipient that the message was sent by a specific user on behalf of another user. This means the recipient is aware of who actually initiated the message, regardless of who it was sent on behalf of. This may not be what you are looking to accomplish. In many cases, you may want to send as another person without the recipient being aware of who initiated the message. A possible downside is that if the recipient replies, the reply may go to a user who did not initiate the message and who might be confused, depending on the circumstances. Send As can be useful when you are sending as a mail-enabled distribution group. If someone replies, the reply goes to that distribution group and is ultimately delivered to every user who is a member of that distribution group. This article explains how to use both methods.

Send on Behalf

There are three ways to configure Send on Behalf. The first method is to use Outlook Delegates, which allows a user to grant another user permission to Send on Behalf of their mailbox. The second method is to have an Exchange Administrator go into the Exchange Management Shell (EMS) and grant a specific user permission to Send on Behalf of another user. The third and final method is to use the Exchange Management Console (EMC).

Outlook Delegates

There are two major steps to using Outlook Delegates. The first is to select the user and add him as a delegate. You then must share your mailbox with that user.

  1. Go to Tools and choose Options
  2. Go to the Delegates Tab and click Add
  3. Select the user you wish to grant access to and click Add and then OK

Note: There are more options you can choose from once you select OK after adding that user. Nothing in the next window is necessary to grant send on behalf.

  1. When back at the main Outlook window, in the Folder List, choose your mailbox at the root level. This will appear as Mailbox – Full Name
  2. Right-click and choose Change Sharing Permissions
  3. Click the Add button
  4. Select the user you wish to grant access to and click Add and then OK
  5. In the permissions section, you must grant the user at minimum, Non-editing Author.

Exchange Management Shell (EMS)

This is a fairly simple process. It consists of running only the following command:

Set-Mailbox UserMailbox -GrantSendOnBehalfTo UserWhoSends

Exchange Management Console (EMC)

  1. Go to Recipient Management and choose Mailbox
  2. Choose the mailbox and choose Properties in Action Pane
  3. Go to the Mail Flow Settings Tab and choose Delivery Options
  4. Click the Add button
  5. Select the user you wish to grant access to and click Add and then OK

Send As

As of Exchange 2007 SP1, there are two ways to configure Send As. The first method is to have an Exchange Administrator go into the Exchange Management Shell (EMS) and grant a specific user permission to Send As another user. The second and final method (added in SP1) is to use the Exchange Management Console (EMC).

Exchange Management Shell (EMS)

The first method is to grant a specific user the ability to Send As another user. It consists of running only the following command:

Add-ADPermission UserMailbox -ExtendedRights Send-As -user UserWhoSends

Exchange Management Console (EMC)

  1. Go to Recipient Management and choose Mailbox
  2. Choose the mailbox and choose Manage Send As Permissions in Action Pane
  3. Select the user you wish to grant access to and click Add and then OK

Miscellaneous Information

No “From:” Button

In order for a user to Send on Behalf or Send As another user, their Outlook profile must be configured to show a From: button. By default, Outlook does not show the From: button. In order to configure a user’s Outlook profile to show the From: button:


If you are sending as another user, the recipient user might reply. By default, Outlook is configured to set the reply address to whoever is configured as the sending address. So if I am user A sending on behalf of user B, the reply address will be set to user B. If you are the user initiating the sending message, you can configure your Outlook profile to manually configure the reply address.

Conflicting Methods

If you are configuring Send on Behalf permissions on the Exchange Server, ensure that the user is not trying to use the Outlook delegates at the same time. Recently, at a client, I was given the task to configure Send As as well as Send on Behalf. As I was configuring Send As on the server, I found out that the client was attempting to use Outlook Delegates at the same time. Send As would not work. Once the user removed the user from Outlook Delegates and removed permissions for that user at the root level of your mailbox that appears as Mailbox – Full Name, Send As began to work. So keep in mind, if you are configuring Send As or Send on Behalf, use only one method for a specific user.

SendAs Disappearing

If you are in a Protected Group, something in Active Directory called SDProp will come by every hour and remove SendAs permissions on users in these protected groups. The security rights configured on these accounts are determined by the security rights assigned on the adminSDHolder object, which exists in each domain. The important part for you to remember is that every hour, inheritance on these protected groups will be removed and SendAs will be wiped away.

A good blog article explaining what adminSDHolder and SDProp are and what Protected Groups are is located here.
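Because Send As and Send on Behalf let one account put mail out under another identity, it is worth reviewing who holds them. The report below is an added example, not part of the original article: it lists both kinds of grant per mailbox and flags owners marked with adminCount = 1, the attribute SDProp sets on protected accounts, where a Send As grant will not persist. The function name is made up.

```powershell
# Added example (not from the original article). Run in the Exchange Management
# Shell. Written for PowerShell 2.0 and does not need the ActiveDirectory module.

function Get-SendRightsReport {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # adminCount = 1 marks an account SDProp treats as protected.
        $entry = [adsi]("LDAP://" + $mbx.DistinguishedName)
        $protected = ($entry.Properties['adminCount'].Value -eq 1)

        # Explicit Send-As allow entries on the owner's AD object, owner excluded.
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.ExtendedRights -like '*Send-As*') -and
                (-not $_.IsInherited) -and (-not $_.Deny) -and
                ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.Name; Right = 'SendAs'
                    Trustee = $_.User.ToString(); OwnerProtected = $protected
                }
            }

        # Send on Behalf delegates are stored on the mailbox itself.
        $mbx.GrantSendOnBehalfTo | Where-Object { $_ } | ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $mbx.Name; Right = 'SendOnBehalf'
                Trustee = $_.ToString(); OwnerProtected = $protected
            }
        }
    }
}

Get-SendRightsReport | Sort-Object Mailbox, Right |
    Format-Table Mailbox, Right, Trustee, OwnerProtected -AutoSize
```

Rows with Right = SendAs and OwnerProtected = True are the grants that SDProp will remove on its next pass.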