How to Enable MAPI over HTTP (MAPI/HTTP) in Exchange Server 2013 SP1

Client Access, Exchange 2013, Managed Availability, Netscaler, Security

Decided to take the new SP1 for a spin tonight in the lab, and the first thing I wanted to play with was the new MAPI over HTTP functionality introduced in SP1 for Exchange Server 2013.  There are a couple of things we are going to need to get this setup:

There are a couple of things to note. 

  • Currently the ONLY Outlook clients that support this are Outlook 2013 SP1
  • There CAN be issues connecting to Public Folders if they are NOT running on Exchange 2013 Modern Public Folders (more on that later)
  • There can be issues connecting BACK to Exchange 2010 mailboxes through Exchange 2013 SP1 CAS servers if you JUST have MAPI/HTTP enabled.  RPC over HTTPS or Outlook Anywhere is here to stay for a bit.

Alright, so let’s set this up.  It’s actually really simple.  First, on your Exchange 2013 SP1 CAS servers, note that we have a new virtual directory named MAPI:

image

Okay, so open up the Exchange Management Shell.  We can inspect the setup of the MAPI virtual directory with the new Get-MapiVirtualDirectory command:

Get-MapiVirtualDirectory

image

So, the first thing we need to do is configure the directory.  We need to set the URL’s and the authentication method.  In our case, we will set both the internal and external url’s to https://mapi.accessabacus.com/mapi and the IISAuthenticationMethods to NTLM and Negotiate.  In my lab the name of my CAS server is PHDC-SOAE13CAS1.  So my command looks like the following command:

Set-MapiVirtualDirectory –Identity “PHDC-SOAE13CAS1\mapi (Default Web Site)” -InternalUrl https://mapi.accessabacus.com/mapi –ExternalUrl https://mapi.accessabacus.com/mapi -IISAuthenticationMethods NTLM,Negotiate

 

image

Next thing we should do is reset IIS.  Remember this will cause a disconnect so run it after hours:

IISRESET /noforce

After that is completed, we need to enable MAPI/HTTP for the organization.  Ensure that this will not cause issues in your Exchange Organization before you do it.

From the Exchange Management Shell run the following command:

Set-OrganizationConfig -MapiHttpEnabled $true

image

If you have an existing Outlook 2013 SP1 session open, you will most likely see the message: “An Exchange Administrator has made a change that requires you to restart your outlook”.

After you restart it, and go to connection status (hold the Control Key and right click the Outlook icon) you should see a set of connections using “HTTP” instead of “RPC/HTTP”.  RPC/HTTP is Outlook Anywhere, where HTTP is MAPI/HTTP.

image

image

Notice all my connections are going to Server name https://mapi.accessabacus.com and using the Protocol HTTP.

If you check the Autodiscover Log we will see there is a new provider from Autodiscovery:

image

Notice the Protocol is Exchange MAPI HTTP.  You can see the Exchange HTTP below it.  Exchange HTTP is Outlook Anywhere, where Exchange MAPI HTTP is the new MAPI/HTTP.

What else is interesting is if we go to the Outlook Anywhere Settings we see the screen is now removed from Outlook:

Outlook 2013 SP1 using MAPI/HTTP:

 

image

Outlook 2010 using Outlook Anywhere:

image

Note that the connection tab is missing.

Also, remember how I said you MAY have connection issues to legacy based Public Folders?  Well in my lab, I still have Exchange 2010 running public folders.  And since I have Outlook Anywhere, Outlook actually created one Outlook Anywhere connection for Public Folders:

image

Notice how the proxy server is “email-ph.lab.accessabacus.com”, the server name is PHDC-SOAEXC01, which is my Exchange 2010 Mailbox Server with a legacy public folder database.  Lastly note the protocol is RPC/HTTP.  Now, I in NO way think this is ideal, as we are straddling not only two protocols (MAPI/HTTP and Outlook Anywhere), two namespaces (email-ph.lab.accessabacus.com and mapi.accessabacus.com), but look at the screenshot.  We are using two separate authentication methods where MAPI/HTTP is Negotiating, where Outlook Anywhere is using NTLM.  Care should be taken again to ensure your organization can properly support connections so that they are using one or the other.

I also checked and of course the new MAPI virtual directory does respond to the Managed Availability URL check.  This can help when using load balancers that do health checks like the Citrix Netscalers.  I outline that in my article here (http://port25guy.com/2013/07/24/how-to-use-managed-availability-in-exchange-2013-with-your-load-balancer/)  If you go to https://hostnameofyourcas/mapi/healthcheck.htm and everything is working, you should get a 200 OK response back:

image

Lastly, if you want to disable Outlook 2013 SP1 from using the new MAPI/HTTP for any reason, you can do so using the registry.  Create the following key:

HKCU\Software\Microsoft\Exchange

Create a new DWORD value named MapiHttpDisabled and set the value to 1

You can also use that to troubleshoot.  If for some reason MAPI/HTTP is not working, check that key.  If its set to value 1 and you want to ENABLE it, you can do so by setting the value to 0.  If you need to mass deploy this you can so with a script, or Group Policy.

We will see how the performance of the new protocol works, as well as any other changes that need to happen as a result of this new architecture.

Comments;

  1. Ishtvan Balint

    I have done all that. My connection in Outlook still shows RPC/HTTP and I also checked the registry and there is no file to disable. Thanks.

    Reply
    1. Port25Guy Post author

      Have you upgraded your office to 2013 sp1? Is your certificate name right and trusted?

      Reply
      1. Jeff

        I’m having the exact same problem. The certificate appears to be valid, and SP1 is currently installed. I’ve checked and triple checked, but unless I explicitly set the ‘Use RPC on fast networks’ setting in Outlook, clients cannot connect.

        this creates a small problem, becuase the autoconfigure does not work, and addtionally throws an error. It requires going into the ‘more settings’ screen and selecting RPC over HTTP and also specifying a prxoy. Quite annoying.

        Any ideas?

        Reply
  2. Bengt

    Thanks for great post.
    I have MAPI/HTTP working just fine when connected at Office. But when I’m connected through Direct Access (VPN) it doesn’t work. The Connection status shows Error in the Authn column. Before MAPI/HTTP was turned on Outlook connected just fine over DA.
    Do you have any experience / idé what could be the problem using MAPI/HTTP over DA?
    Thanks

    Reply
  3. Alek

    Hello,

    Not sure if you have solved this by now but we had exactly the same issue. GPO policy needs to have “Enable RPC encryption” tuned on. Administrative Templates ADMX files

    Reply
  4. JSP

    Hi. Great post!

    So, if im not misunderstood, the same namespace as the one used for RPC/HTTP can be used for MAPI/HTTP?

    Reply
  5. Im only asking this because when we applied the command, looked like nothing happened, then when we applied the command, Set-OrganizationConfig -MapiHttpEnabled $true, we got errors all over. When we look on Microsoft, the accessabacus.com URL is not mentioned anywhere. Please explain what this is. Thank you.

    Reply
        1. Port25Guy Post author

          George,

          You should replace accessabacus.com with your own domain name. Also, you will need an A record that resolves mapi.yourdomain.com to your exchange server (or your hardware load balancer if you are using one).

          Paul

          Reply
  6. Paul, You’re amazing. This works GREAT with ALL the Outlook 2013 clients and connects like a charm! And the Outlook Clients aren’t even SP1

    Reply

Leave a Reply to Ishtvan Balint Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>