Based on my experience I have collected few guidelines before configuring autodiscover in Exchange 2010/2013 coexistence.
First and the foremost step that i would recommend is
Follow the steps from Exchange server deployment guide which is pretty simple and straightforward.
We need to consider below things before we proceed with the full fledged operation of autodiscover in Exchange 2010/2013 coexistence.
First we need to decide on using which internal and external url’s in Exchange 2013.
The following Steps needs to be configured in this order:
Configure Exchange 2013 external URLs.
Configure Exchange 2013 internal URLs.
Enable and configure Outlook Anywhere in Legacy i.e, (Exchange 2010 & 2013).
Configure service connection point,Change SCP of Exchange 2010 CAS VIP to Exchange 2013 CAS VIP.
Configure DNS records.
DNS entries should be pointed to Exchange 2013 CAS from Exchange 2010 CAS.
Note: To allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2010
servers, you must enable and configure Outlook anywhere on all of the Exchange 2010 servers.
You can probably run Get-Outlookanywhere on both Exchange 2010 and 2013 and see all the
internal and external url’s assigned and configured accordingly.
Note: We need to have legacy url for legacy users if they want to access outlook anywhere externally.
For Outlook Anywhere
Change authentication on Exchange 2010 CAS server client auth method to NTLM
Run the following commands on Exchange 2013 server to set outlook anywhere settings
Set-outlookanywhere -InternalHostname “hostname” -identity
“serverRpc (Default Web Site)”-InternalClientAuthenticationMethod ntlm -internalclientsrequiressl $True
Set-outlookanywhere –externalHostname “hostname “ –identity
“serverRpc (Default Web Site)” -ExternalClientAuthenticationMethod ntlm -externalclientsrequiressl $true
Set-outlookanywhere -iisauthenticationmethods basic,ntlm,negotiate -identity “Rpc (Default Web Site)”
Imp Note : Exchange 2013 supports Negotiate for Outlook Anywhere HTTP authentication,
this option should only be used when all the servers in the environment are running Exchange 2013.
To configure certificate based authentication we need to ensure following things
1. Please check if Certificate Mapping Authentication is installed on the server
2. Go to IIS manager and check if Active Directory Client Certificate Authentication is enabled.
3. Check if required Client certificate is enabled on ActiveSync VD. If not, enable it.
4. Check if basic authentication is disabled on ActiveSync VD. If not, disable it.
5. Check if the ClientCertificateMappingAuth is set true.
Apply a new certificate with all the required site names included in Exchange 2013 CAS.
For OWA –
Enable FBA authentication + windows Integrated authentication on OWA VD on exchange 2010 CAS server.
Users with mailboxes still on 2010 will be connecting to CAS 2013 and then proxy to CAS 2010.
Feel free to post your comments if any other things that needs to be taken into consideration .