RPC Client Encryption in Exchange 2013

Saturday, October 27, 2012
Exchange 2013 enables RPC client encryption by default (again). 

I say "again" because it was an option in Exchange 2007 and became the default setting in Exchange 2010 RTM.  This caused a fair amount of trouble for organizations using Outlook 2003, since MAPI encryption was disabled in Outlook 2003 by default. 

Symptoms of this problem include the following error messages:
  • Cannot start Microsoft Office Outlook. Unable to open the Office window. The set of folders could not be opened.
  • Unable to open your default e-mail folders. The information store could not be opened.
If your users are using Cached Exchange Mode, Outlook won't display an error, but will start in disconnected mode.

It was easy to workaround this issue by either disabling RPC encryption on the Client Access Servers or, better yet, enable encryption in Outlook 2003 via Group Policy.  Outlook 2007 and later have encryption enabled by default.

Encryption is enabled by default in Outlook 2013
For some reason, the Exchange product team decided to reverse the decision to require RPC encryption in Exchange 2010 SP1 until now in Exchange 2010.  I suspect encryption is enabled by default again because Exchange 2013 does not support Outlook 2003 or earlier.
If your organization has upgraded to Outlook 2007/2010/2013, you'll probably want to remove or reconfigure Group Policy to enable encryption in Outlook and re-enable it on your CAS servers, if needed. 

The cmdlet to check RPC MAPI encryption on your CAS servers is:

Get-ClientAccessServer | Get-RPCClientAccess | fl server,enc*

And the cmdlet to enable RPC MAPI encryption on all your CAS servers is:

Get-ClientAccessServer | Set-RPCClientAccess -EncryptionRequired $True

When RPC encryption is enabled, the Exchange Remote Connectivity Analyzer (ExRCA) will report a harmless warning that the Name Service Provider Interface (NSPI) bind operation failed due to the encryption requirement.  NspiBind then tries again with encryption enabled and succeeds.  This is expected behavior.