ESP + KCD + Exchange 2013 does not pass Remote Connectivity Analyser Test



I set up Kemp Loadmaster for Exchange 2013, with KCD. I can connect with Outlook 2013 to the VIP, and can also connect through the browser.
But when I use the Microsoft Remote Connectivity Analyser the test fails at step "Testing the MAPI Address Book endpoint on the Exchange server."

The error is
===================== output =====================
An error occurred while testing the address book endpoint.
Testing the address book "Check Name" operation for user <user email> against server <server>.
An error occurred while attempting to resolve the name.

Additional Details

A protocol layer error occured. HttpStatusCode: 401
FailureLID: 47372

###### REQUEST [2016-09-27T12:13:00.6632645Z] ######

POST /mapi/nspi/?mailboxId=<mg guid>@XXXXXXX HTTP/1.1
Content-Type: application/octet-stream
User-Agent: MapiHttpClient
X-ClientApplication: MapiHttpClient/15.1.636.0
X-RequestType: Bind
Authorization: Negotiate [truncated]

Content-Length: 0

--- REQUEST BODY [+0.435] ---
..[BODY SIZE: 45]

--- REQUEST SENT [+0.435] ---

###### RESPONSE [+0.575] ######

HTTP/1.1 401 Authorization Required
Connection: close
Content-Length: 139
Content-Type: text/html
Date: Tue, 27 Sep 2016 12:13:01 GMT
WWW-Authenticate: NTLM

--- RESPONSE BODY [+0.575] ---
..[BODY SIZE: 139]
<html><head><title>401 Authorization Required</title></head><body>You do not have authorization to perform the requested operation</body>

--- RESPONSE DONE [+0.575] ---

###### EXCEPTION THROWN [+0.575] ######

HTTP Response Headers:
Connection: close
Content-Length: 139
Content-Type: text/html
Date: Tue, 27 Sep 2016 12:13:01 GMT
WWW-Authenticate: NTLM
HttpStatusCode: 401 Unauthorized
Elapsed Time: 578 ms.



The same Exchange Servers pass the same test when I replace the Kemp Loadmaster with my TMG (also using KCD / pre-auth), so the problem shouldn't be on either the servers or the Microsoft Remote Connectivity Test.


Any idea what can be the problem? Is there anybody using KCD and pre-auth with MAPI and RPC SubVS and passing the Microsoft Remote Connectivity Test?




Mark Deegan


When running the Microsoft RCA, it is best practice to use the manual instead of the automatic server details. Please note that this was originally written for Exchange 2010 and therefore uses rpc/http as opposed to rpc/https. While the TMG will allow the http connection, we will not entertain any connection that is not secured over https. This is usually nothing to worry about, as the client will use RPC/HTTPS and this does not normally come up as an issue.





Can you be more specific?

My clients are all connecting to HTTPS, and so does Microsoft RCA. I disallow HTTPs on my firewall and the errors are the same. RCA gets 401 unauthorized.

Also, Outlook is always asking for a password and does not connect.

If I use a browser, the KCD preauth sites work fine (ex.: https://server/mapi/emsmbd). I also have some other services, again with KCD, and they also work.

So I wonder if it is even possible to use preauth with Exchange with Kemp. Do you know of a working installation that does pass RCA and allows clients to connect, with preauth of /OAB, /MAPI and /RPC?