MAPI Virtual Directory Bug in Exchange 2016 CU2

Wednesday, June 29, 2016
I discovered a bug in Exchange 2016 CU2 where if you change the MAPI virtual directory URLs using the Exchange Admin Center (EAC), it clears all forms of authentication from the MAPI virtual directory. This will cause all Outlook clients to constantly prompt for credentials because there are no ways for Outlook to authenticate.

All authentication methods are disabled

The default IISAuthenticationMethods for the MAPI virtual directory are NTLM, Negotiate, and OAUTH.

Steps to reproduce the issue:
  • Double-click the MAPI virtual directory from the Exchange Admin Center to confirm that authentication is set to NTLM and Negotiate. Note that OAUTH is not shown as an authentication method in EAC. Click Cancel to close the dialog box.
  • Double-click the MAPI virtual directory and change the internal and/or external URL and click Save.
    • Observing the command console, the cmdlet executed is: Set-MapiVirtualDirectory -ExternalUrl '' -IISAuthenticationMethods @() -Identity 'fe29d135-6f9c-4191-a68e-b028d94bd7ff'
  • If you examine the authentication settings before you click Save, the authentication settings will be written as NTLM and Negotiate (missing OAUTH).
    • Observing the command console, the cmdlet executed is: Set-MapiVirtualDirectory -ExternalUrl '' -IISAuthenticationMethods @(Ntlm,Negotiate) -Identity 'fe29d135-6f9c-4191-a68e-b028d94bd7ff'

This bug affects both Exchange 2013 and Exchange 2016 MAPI virtual directories configured using the Exchange 2016 CU2 EAC. Note that the MAPI virtual directory was not exposed in the EAC until Exchange 2016 RTM, so you won't see it in the Exchange 2013 EAC.

If you change the URLs via the Exchange Management Shell (without using the -IISAuthenticationMethods parameter) the URLs are updated without affecting the authentication methods.

To set the authentication methods for all MAPI virtual directories back to their defaults, run the following cmdlet from EMS:
Get-MapiVirtualDirectory | Set-MapiVirtualDirectory -IISAuthenticationMethods @(Ntlm,Negotiate,OAuth)
All MAPI virtual directories set back to default authentication methods

I reported this bug on Connect and Microsoft confirmed this is an issue with Exchange Server 2016 CU2.