When migrating from Exchange 2010 / 2013 to Exchange 2016, problems with Autodiscover can arise in connection with Kerberos. They range from Outlook repeatedly prompting for credentials to Outlook crashing outright once a mailbox has been moved to an Exchange 2016 server.
When can the problem occur?
The problem can occur if the Exchange servers have been configured for Kerberos authentication (RollAlternateserviceAccountCredential.ps1) and the users' AD accounts are members of many groups. What counts as "many groups" is relative; even around 100 groups can be problematic.
How does the problem manifest itself?
Mailboxes that have not yet been migrated to Exchange 2016 may keep prompting for credentials:
The Autodiscover test fails and reports HTTP status code 400, along with some other error codes. (The 400 is not visible in the screenshot; it would be shown directly after the status code 401, but unfortunately I have no screenshot in which it can be seen.)
When mailboxes are moved from the old Exchange servers to Exchange 2016, Outlook crashes after a restart:
The Outlook crash could be reproduced with Outlook versions 2010, 2013 and 2016.
Cause and solution
Because Exchange 2016 acts as a proxy for the older Exchange versions, the Kerberos token is forwarded in the HTTP headers as well. With large Kerberos tokens, and therefore large HTTP headers, the Exchange 2010 servers may reject the HTTP request and return the following error:
- HTTP 400 – Bad Request (Request header too long)
To fix the problem, the relevant limits can be raised. The following four registry entries must be set on all Exchange 2010 and Exchange 2013 servers:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Name: MaxTokenSize
  Type: REG_DWORD (32-bit)
  Value: 65536
  Base: Decimal
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters
  Name: MaxClientRequestBuffer
  Type: REG_DWORD (32-bit)
  Value: 32768
  Base: Decimal
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
  Name: MaxFieldLength
  Type: REG_DWORD (32-bit)
  Value: 65536
  Base: Decimal
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
  Name: MaxRequestBytes
  Type: REG_DWORD (32-bit)
  Value: 16777216
  Base: Decimal
The following registry entry must be set on all domain controllers:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Name: MaxTokenSize
  Type: REG_DWORD (32-bit)
  Value: 65536
  Base: Decimal
The Exchange servers and domain controllers must be restarted after the registry keys have been set.
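As an added example (my own script, not part of the original post), the following PowerShell applies the entries listed above idempotently and reads them back so the result can be checked before the reboot. The paths and values are the ones given in the post; the $Role parameter and the script structure are my own assumptions.

```powershell
# Run elevated on each Exchange 2010/2013 server (-Role Exchange, the default)
# or on each domain controller (-Role DomainController), which only needs MaxTokenSize.
param(
    [ValidateSet('Exchange', 'DomainController')]
    [string]$Role = 'Exchange'
)

# Registry entries from the post. All are REG_DWORD; values are decimal.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name = 'MaxTokenSize';          Value = 65536;    Roles = @('Exchange', 'DomainController') }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\w3svc\Parameters';        Name = 'MaxClientRequestBuffer'; Value = 32768;    Roles = @('Exchange') }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters';         Name = 'MaxFieldLength';         Value = 65536;    Roles = @('Exchange') }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters';         Name = 'MaxRequestBytes';        Value = 16777216; Roles = @('Exchange') }
)

$applicable = $settings | Where-Object { $_.Roles -contains $Role }

foreach ($s in $applicable) {
    # The Kerberos\Parameters key is often absent; create the key if needed.
    if (-not (Test-Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }

    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $s.Value) {
        Write-Host ("{0}\{1} is already {2}" -f $s.Path, $s.Name, $s.Value)
        continue
    }

    # -PropertyType DWord writes a 32-bit REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
    if ($null -eq $current) { $shown = '<absent>' } else { $shown = $current }
    Write-Host ("{0}\{1}: {2} -> {3}" -f $s.Path, $s.Name, $shown, $s.Value)
}

# Read everything back; the change only takes effect after the reboot the post requires.
foreach ($s in $applicable) {
    $v = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    [pscustomobject]@{ Name = $s.Name; Decimal = $v; Hex = ('0x{0:X}' -f $v); Path = $s.Path }
}
```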