Things to consider before configuring Autodiscover in Exchange 2010/2013 coexistence scenarios

Based on my experience I have collected few guidelines before configuring autodiscover in Exchange 2010/2013 coexistence.

First and the foremost step that i would recommend is

Follow the steps from Exchange server deployment guide which is pretty simple and straightforward.

We need to consider below things before we proceed with the full fledged operation of autodiscover in Exchange 2010/2013 coexistence.

First we need to decide on using which internal and external url’s in Exchange 2013.

The following Steps needs to be configured in this order:
Configure Exchange 2013 external URLs.
Configure Exchange 2013 internal URLs.
Enable and configure Outlook Anywhere in Legacy i.e, (Exchange 2010 & 2013).
Configure service connection point,Change SCP of Exchange 2010 CAS VIP to Exchange 2013 CAS VIP.
Configure DNS records.
DNS entries should be pointed to Exchange 2013 CAS from Exchange 2010 CAS.

Note: To allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2010 

servers, you must enable and configure Outlook anywhere on all of the Exchange 2010 servers.
You can probably run Get-Outlookanywhere on both Exchange 2010 and 2013 and see all the
internal and external url’s assigned and configured accordingly.

Note: We need to have legacy url for legacy users if they want to access outlook anywhere externally.

For Outlook Anywhere
Change authentication on Exchange 2010 CAS server client auth method to NTLM

Run the following commands on Exchange 2013 server to set outlook anywhere settings

Set-outlookanywhere -InternalHostname “hostname” -identity
“serverRpc (Default Web Site)”-InternalClientAuthenticationMethod ntlm -internalclientsrequiressl $True
Set-outlookanywhere –externalHostname “hostname “ –identity
“serverRpc (Default Web Site)” -ExternalClientAuthenticationMethod ntlm -externalclientsrequiressl $true
Set-outlookanywhere -iisauthenticationmethods basic,ntlm,negotiate -identity “Rpc (Default Web Site)”

Imp Note : Exchange 2013 supports Negotiate for Outlook Anywhere HTTP authentication,
this option should only be used when all the servers in the environment are running Exchange 2013.

To configure certificate based authentication we need to ensure following things

1. Please check if Certificate Mapping Authentication is installed on the server
2. Go to IIS manager and check if Active Directory Client Certificate Authentication is enabled.
3. Check if required Client certificate is enabled on ActiveSync VD. If not, enable it.
4. Check if basic authentication is disabled on ActiveSync VD. If not, disable it.
5. Check if the ClientCertificateMappingAuth is set true.

Apply a new certificate with all the required site names included in Exchange 2013 CAS.

For OWA –
Enable FBA authentication + windows Integrated authentication on OWA VD on exchange 2010 CAS server.
Users with mailboxes still on 2010 will be connecting to CAS 2013 and then proxy to CAS 2010.

Feel free to post your comments if any other things that needs to be taken into consideration .

4 thoughts on “Things to consider before configuring Autodiscover in Exchange 2010/2013 coexistence scenarios

  1. gastroesophageal reflux July 4, 2014 at 9:59 am Reply

    I love reading an article that can make people think.
    Also, many thanks for allowing me to comment!


  2. Thrishan April 1, 2015 at 9:53 pm Reply

    Hi, we have recently installed exchange 2013 in our organization and we still in the process of migrating mailboxes from Exchange 2010 to 2013. We are noticing that users migrated to 2013 frequently receive the message “outlook is trying to connect to exchange server”. Do you have an idea to what this issue could be related?


    • sathishveerapandian April 7, 2015 at 8:41 pm Reply

      Hi please check if its happening for all migrated users or only few. Are we able to configure outlook profile for the migrated users ? Also check test outlook configuration and see the results


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: