Cross Domain Migrations - Able to access own mailbox but no other resource

Hi,

I wondered if anyone could offer any guidance on a problem we are seeing with a cross forest Exchange 2010 (domain A) to Exchange 2013 (domain B) migration.

Our problem is based around the fact that the users are still logging into 'windows clients' in the source domain (domain A). We have configured mail enabled users in the source to enable autodiscover to work correctly, and the user can successfully connect to their own mailbox once it is provisioned in Exchange 2013 (domain B). Our main Outlook client is 2010 SP2.

The user is not prompted to login at this stage, which is preferred.

However, the problem is that they cannot connect to any other resource in the Exchange 2013 (domain B) environment. (We have no interest in them accessing resources in the Exchange 2010 environment as this is a major switchover.) When attempting to connect to public folders (2013) they receive only those permissions provided by the 'Default' user permission. When trying to expand a mailbox where full access has been granted they receive the 'Unable to expand. An attempt to logon to Microsoft Exchange has failed' error.

If we change Outlook to 'Always prompt for logon credentials' and then log in with credentials from the target domain (domain B), all resources can be accessed successfully.

As part of our migration we have used ADMT, a two way trust is in place, SID history has been migrated and SID filtering is turned off in both directions. Passwords in both domains are matching by virtue of an identity management solution. Outlook Anywhere on Exchange 2013 is set to Negotiate (internal and external) with IIS configured with 'Basic, NTLM and Negotiate' as authentication types.

Whilst the obvious answer is simply to get the users to log in to the target domain (domain B), it is unfortunately a requirement that users continue to log in to the source domain (domain A) for a while after the Exchange migration has completed.

Would anyone be able to advise if this is just something we have to live with and find a way to force users to log in every time they open Outlook, or is there perhaps a way to configure this to work so that users are not prompted to log in but can access all their resources?

Many thanks for any assistance or opinions.

Kind Regards,

Mark Needham

September 12th, 2014 11:00am

Hi Mark,

Please try to clean up the cached credential on your computer. Then fill in the new domain information (domainB\user) when it prompts for credentials next time, and check 'Remember my credentials' to save it. To remove cached credentials, please follow these steps:

1. Launch the Credential Manager from Control Panel > All Control Panel Items > Credential Manager.

2. In the Generic Credentials section you'll see a setting for [MS Outlook] which will include your SSO details. Click the downward-pointing arrow to the right of that value.

3. In the expanded details, click Remove from vault. Then Outlook will no longer have a stored copy of your old login information (domainA\user).

If it doesn't work, please change the Windows account to the domainB\user information and try again.

Regards,

September 13th, 2014 4:13am

Hi Mark,

I had some trouble like that with another migration. Please check the shared mailbox ACL in your new environment. I guess it is either not set up, or it grants permission to your new account only, so access for the user's logon account is not allowed.

The only way I know how to solve that issue is like this:
1. Add the objectSID from your new domain to the SIDHistory on your old domain's user account (preferred solution).
2. Run a PowerShell script to match the names: when you added access for your newdomain-mailbox-account, please also set access for your old logon account.
3. Use a linked mailbox in a cross-forest scenario and choose UseWindowsUserCredentials: 0 to use mailbox credentials to access resources in your target environment (instead of Windows credentials).

Please let me know if one of these solved your issue.

Regards,
Martin

September 13th, 2014 2:28pm
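A worked version of step 2 in the reply above, added here as an example and not Martin's own script. It assumes it runs in the Exchange 2013 Management Shell in domain B, that the two-way trust lets Exchange resolve DOMAINA\ accounts, and that the sAMAccountName is the same in both domains; the domain NetBIOS names are placeholders.

```powershell
# Mirror explicit Full Access grants held by target-domain (domainB) accounts
# onto the matching source-domain (domainA) logon accounts, so users who still
# log in to domain A can open the shared mailboxes they were granted in domain B.
param(
    [string]$SourceDomain = 'DOMAINA',   # placeholder: NetBIOS name of the logon domain
    [string]$TargetDomain = 'DOMAINB',   # placeholder: NetBIOS name of the Exchange 2013 domain
    [switch]$WhatIf                      # preview only; no ACL is changed when set
)

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Only explicit, non-inherited, non-deny Full Access entries for DOMAINB accounts
    $grants = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            ("$($_.AccessRights)" -match 'FullAccess') -and
            ("$($_.User)" -like "$TargetDomain\*")
        }

    foreach ($g in $grants) {
        # DOMAINB\jsmith -> jsmith -> DOMAINA\jsmith (assumes matching sAMAccountName)
        $sam           = ("$($g.User)" -split '\\')[-1]
        $sourceAccount = "$SourceDomain\$sam"

        # Idempotent: skip if the source-domain account already has an entry
        $existing = Get-MailboxPermission -Identity $mbx.Identity -User $sourceAccount `
                        -ErrorAction SilentlyContinue
        if ($existing) { continue }

        Write-Host "Granting FullAccess on $($mbx.Alias) to $sourceAccount"
        Add-MailboxPermission -Identity $mbx.Identity -User $sourceAccount `
            -AccessRights FullAccess -InheritanceType All -WhatIf:$WhatIf
    }
}
```

Run it first with -WhatIf to review which grants would be added; note that it mirrors mailbox permissions only, so public folder permissions set on the domain B account still need the same treatment separately.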
