Perils of Encryption in Exchange

RPC encryption protects the MAPI traffic between an Outlook client and an Exchange Client Access Server (CAS). Over the years, however, the Exchange development team has taken an off-again, on-again attitude toward whether servers should require it.

For example, in Exchange 2007, RPC encryption was not required by default. When Microsoft released Exchange 2010 RTM, it changed its mind and required RPC encryption by default. It soon reversed itself again and stopped requiring it when it released Exchange 2010 SP1. In the latest version of the software, Exchange 2013, RPC encryption is once again required by default.

All these changes can leave administrators scratching their heads, especially if their Exchange shop still uses Outlook 2003. That edition of Microsoft's email client has RPC (MAPI) encryption turned off by default; Outlook 2007 and later turn it on by default.

So some administrators find themselves in scenarios where their Outlook clients throw errors because the client and its Exchange CAS don't agree on whether RPC encryption is required.

If your CAS requires encryption and your Outlook clients don't have it enabled, your users may see messages like these when they try to connect to their mailboxes:

  • Your Exchange Server administrator has blocked the version of Outlook that you are using. Contact your administrator for assistance.
  • Cannot start Microsoft Office Outlook. Unable to open the Outlook window. The set of folders could not be opened.
  • Unable to open your default email folders. The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance.
  • The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.
  • Unable to open your default email folders. The information store could not be opened.
  • Outlook could not log on. Check to make sure you are connected to the network and are using the proper server and mailbox name. The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.

If you've configured Outlook 2003 in Cached Exchange Mode, these error messages won't appear. Instead, Outlook will open in disconnected mode, which can hide the mismatch until users notice that mail has stopped syncing.

When you suspect an encryption problem, the first thing to do is confirm whether your version of Exchange requires RPC encryption. In Exchange 2007, you can check from the management shell with: Get-MailboxServer <ServerName> | fl MAPIEncryptionRequired. If the result shows MAPIEncryptionRequired is True, then Outlook clients connecting to that server must have RPC encryption enabled.

If you're running Exchange 2010, the setting moved to the RPC Client Access service on the CAS, and the management shell command is: Get-RpcClientAccess | fl Server,EncryptionRequired. If the result shows EncryptionRequired is True, then your Outlook clients need RPC encryption enabled.

Alternatively, you can stop requiring RPC encryption on your servers, although that is probably not such a good idea, because it leaves Outlook-to-Exchange MAPI traffic unencrypted on the network rather than fixing the clients. In Exchange 2007, you can turn the requirement off from the management shell with: Set-MailboxServer <ServerName> -MapiEncryptionRequired:$false.

For Exchange 2010, the management shell command for switching off the RPC encryption requirement is: Set-RpcClientAccess -Server <ServerName> -EncryptionRequired $False.
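The check-then-set procedure above, wrapped into two management shell functions so it can be run across a whole organization. This is an added example written for this page, not code from the original article or from Microsoft; it assumes it is run from the Exchange Management Shell, that Exchange 2007 servers report AdminDisplayVersion.Major of 8 and Exchange 2010 servers report 14, and the function names Get-RpcEncryptionRequirement and Set-RpcEncryptionRequirement are hypothetical.

```powershell
# Added example, not from the original article. Run from the Exchange
# Management Shell. Assumes AdminDisplayVersion.Major 8 = Exchange 2007
# and 14 = Exchange 2010; other versions are reported as unsupported.

function Get-RpcEncryptionRequirement {
    # Report, per server, whether Outlook clients must use RPC encryption.
    foreach ($server in Get-ExchangeServer) {
        $major = $server.AdminDisplayVersion.Major
        if ($major -eq 8 -and $server.IsMailboxServer) {
            # Exchange 2007: the requirement is a mailbox server property
            Get-MailboxServer -Identity $server.Name |
                Select-Object Name,
                    @{ n = 'Version';            e = { 'Exchange 2007' } },
                    @{ n = 'EncryptionRequired'; e = { $_.MAPIEncryptionRequired } }
        }
        elseif ($major -eq 14 -and $server.IsClientAccessServer) {
            # Exchange 2010: the requirement lives on the RPC Client Access service of the CAS
            Get-RpcClientAccess -Server $server.Name |
                Select-Object @{ n = 'Name';               e = { $_.Server } },
                    @{ n = 'Version';            e = { 'Exchange 2010' } },
                    @{ n = 'EncryptionRequired'; e = { $_.EncryptionRequired } }
        }
    }
}

function Set-RpcEncryptionRequirement {
    # Require (the default) or stop requiring RPC encryption on one server.
    # Passing -Required $false is the "turn it off on the server" option the
    # article warns against: it leaves Outlook MAPI traffic unencrypted on the wire.
    param(
        [string] $ServerName,
        [bool]   $Required = $true
    )
    if (-not $ServerName) { throw 'ServerName is required' }

    $server = Get-ExchangeServer -Identity $ServerName
    $major  = $server.AdminDisplayVersion.Major

    if (-not $Required) {
        Write-Warning "Disabling the RPC encryption requirement on $ServerName"
    }

    if ($major -eq 8) {
        # Exchange 2007 syntax from the article, with the value parameterized
        Set-MailboxServer -Identity $ServerName -MAPIEncryptionRequired:$Required
    }
    elseif ($major -eq 14) {
        # Exchange 2010 syntax from the article, with the value parameterized
        Set-RpcClientAccess -Server $ServerName -EncryptionRequired $Required
    }
    else {
        throw "Unsupported Exchange version (major $major) on $ServerName"
    }
}

# Usage:
#   Get-RpcEncryptionRequirement | Format-Table -AutoSize
#   Set-RpcEncryptionRequirement -ServerName MBX01                 # require encryption
#   Set-RpcEncryptionRequirement -ServerName CAS01 -Required $false # not recommended
```

Run the inventory first so you know which servers require encryption before touching any clients; a mixed result across CAS servers behind a load balancer is exactly the situation that produces the intermittent connection errors listed earlier.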

Much of this rigmarole about RPC encryption is avoided with newer versions of Exchange and Outlook. Exchange 2013 requires RPC encryption by default, and it only supports versions of Outlook (2007, 2010 and 2013) that also have the technology enabled by default, so the client and server agree out of the box.

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.