RPC Client Encryption in Exchange 2013

Saturday, October 27, 2012
Exchange 2013 enables RPC client encryption by default (again). 

I say "again" because it was an option in Exchange 2007 and became the default setting in Exchange 2010 RTM.  This caused a fair amount of trouble for organizations using Outlook 2003, since MAPI encryption was disabled in Outlook 2003 by default. 

Symptoms of this problem include the following error messages:
  • Cannot start Microsoft Office Outlook. Unable to open the Office window. The set of folders could not be opened.
  • Unable to open your default e-mail folders. The information store could not be opened.
If your users are using Cached Exchange Mode, Outlook won't display an error, but will start in disconnected mode.

It was easy to work around this issue by either disabling RPC encryption on the Client Access Servers or, better yet, enabling encryption in Outlook 2003 via Group Policy.  Outlook 2007 and later have encryption enabled by default.

Encryption is enabled by default in Outlook 2013
For some reason, the Exchange product team decided to reverse the decision to require RPC encryption in Exchange 2010 SP1 until now in Exchange 2010.  I suspect encryption is enabled by default again because Exchange 2013 does not support Outlook 2003 or earlier.
 
If your organization has upgraded to Outlook 2007/2010/2013, you'll probably want to remove or reconfigure Group Policy to enable encryption in Outlook and re-enable it on your CAS servers, if needed. 

The cmdlet to check RPC MAPI encryption on your CAS servers is:

Get-ClientAccessServer | Get-RPCClientAccess | fl server,enc*

And the cmdlet to enable RPC MAPI encryption on all your CAS servers is:

Get-ClientAccessServer | Set-RPCClientAccess -EncryptionRequired $True
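The two one-liners above can be wrapped into an audit-then-enforce script that only touches servers where encryption is not yet required and re-checks afterwards. This is an added example, not code from the original post; the two function names are mine, and it assumes the Exchange Management Shell with the Get-ClientAccessServer, Get-RPCClientAccess and Set-RPCClientAccess cmdlets used in the post.

```powershell
# Added example (not from the original post): audit each Client Access Server's
# RPC Client Access encryption setting and, on request, enforce it.
# Assumes an Exchange Management Shell session; function names are hypothetical.
function Get-RpcEncryptionReport {
    # One row per CAS server with its current EncryptionRequired value
    Get-ClientAccessServer | Get-RPCClientAccess |
        Select-Object Server, EncryptionRequired
}

function Set-RpcEncryptionRequiredOnAll {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $before      = @(Get-RpcEncryptionReport)
    $notRequired = @($before | Where-Object { -not $_.EncryptionRequired })
    if ($notRequired.Count -eq 0) {
        Write-Host "All $($before.Count) CAS servers already require RPC encryption."
        return
    }

    foreach ($row in $notRequired) {
        # -WhatIf / -Confirm on this function gate the change per server
        if ($PSCmdlet.ShouldProcess($row.Server, 'Set EncryptionRequired to $true')) {
            Set-RPCClientAccess -Server $row.Server -EncryptionRequired $true
        }
    }

    # Re-read the setting and warn loudly if any server is still not enforcing it
    $after = @(Get-RpcEncryptionReport | Where-Object { -not $_.EncryptionRequired })
    if ($after.Count -gt 0) {
        Write-Warning ("Still not requiring RPC encryption: " + ($after.Server -join ', '))
    } else {
        Write-Host "RPC encryption is now required on all CAS servers."
    }
}

# Usage:
#   Get-RpcEncryptionReport | Format-Table -AutoSize   # audit only
#   Set-RpcEncryptionRequiredOnAll -WhatIf             # dry run, no changes
#   Set-RpcEncryptionRequiredOnAll                     # enforce
```

Run the audit first: any server listed with EncryptionRequired set to False still accepts unencrypted MAPI connections, which is the "possible" rather than "mandatory" state the post describes.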

When RPC encryption is enabled, the Exchange Remote Connectivity Analyzer (ExRCA) will report a harmless warning that the Name Service Provider Interface (NSPI) bind operation failed due to the encryption requirement.  NspiBind then tries again with encryption enabled and succeeds.  This is expected behavior.

4 comments:

  1. >> For some reason, the Exchange product team decided to reverse the decision to require RPC encryption in Exchange 2010 SP1 until now in Exchange 2010. <<

    You mean Exchange 2013 :)
    That being said, the topic isn't new and the change in SP1 doesn't affect the client. Since encryption is enabled by default on the clients, the effect is that encryption is used anyway because it's negotiated. Now if indeed encryption is forced on the server, then a client set to not use encryption will indeed be rejected to connect. That's the whole principle of "possible" versus "mandatory".

  2. Hi,

    Does this mean that you can connect an Outlook 2003 client to Exchange 2013? I know it's not supported, but will it be possible to connect?

    thanks in advance
    aj

    Replies
    1. No, Outlook 2003 cannot connect to Exchange 2013 at all. There's a hard block on this.

  3. BTW - thank you for this. My Exchange 2013 didn't come with the encryption on by default - and you helped me find out where I needed to look to turn it on!
