Thank you for reaching out to Microsoft Q&A
From my perspective, and as stated in Default settings for Exchange virtual directories in Exchange Server, this behavior arises from inconsistent authentication settings across servers; defaulting to Basic Authentication in some directories creates security risks such as credential theft and man-in-the-middle attacks.
This is especially problematic in mixed setups (Windows Server 2016/Exchange 2016 and 2025/Exchange SE) where blank settings rely on insecure defaults. As Basic Authentication is being deprecated, this could disrupt connectivity and compliance.
Therefore, to address this behavior, you may try the following approach to see if it resolves your concern:
1. Backup current configurations
Before making any changes, export your current settings. Use Exchange Management Shell (EMS) commands like:
```powershell
Get-AutodiscoverVirtualDirectory | fl > Backup.txt
```
Do this for each directory type (Autodiscover, ECP, EWS, ActiveSync, OWA, RPC) on all your servers.
2. Assess and standardize settings
- Autodiscover: Set to NTLM or Negotiate (disable Basic) using this command:
```powershell
Set-AutodiscoverVirtualDirectory -Identity "<Server>\Autodiscover (Default Web Site)" -BasicAuthentication $false -WindowsAuthentication $true
```
- ECP and OWA: Use Forms-Based Authentication (FBA), but move to ADFS for better security since FBA uses Basic Authentication in the background.
- EWS: Enable NTLM, Windows Integrated, and OAuth.
- ActiveSync: Disable Basic Authentication. Enable Certificate-Based Authentication (CBA) if you have a PKI or use NTLM as a fallback.
- RPC (Outlook Anywhere): Standardize to Negotiate/NTLM. Consider disabling if your clients use MAPI/HTTP.
3. Enable modern authentication
For better security, switch to OAuth-based Modern Authentication. This works in Exchange SE (via ADFS) and hybrid setups for Exchange 2016. You’ll need to set up an Authentication Policy and enable it for each directory. Link instructions
4. Test and Apply Changes: After updates, restart IIS (iisreset /noforce), test connectivity with tools like Test-OutlookWebServices, and monitor event logs for issues. Apply changes during maintenance windows to minimize disruption.
5. Ongoing security measures: Enable Extended Protection for Windows Authentication and ensure all traffic uses TLS 1.2+ with valid certificates, as stated in Configure Windows Extended Protection in Exchange Server.
Additionally, I have found a document about best practices for security settings in Exchange Server, which you can read at: CSI_MICROSOFT_EXCHANGE_SERVER_SECURITY_BEST_PRACTICES.PDF
Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.
I hope my answer helps you; for any further concern, kindly let me know in the comment section.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
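The following audit script is an added example, not part of the answer above. It performs the backup from step 1 and the assessment from step 2 across the directory types the answer lists, and flags every virtual directory that still allows Basic Authentication. It assumes it is run in the Exchange Management Shell; the server names in `$Servers` are placeholders.

```powershell
# Added example (not from the original answer). Assumes the Exchange Management Shell.
$Servers   = @("EX2016-01", "EXSE-01")   # placeholder server names, adjust to your environment
$BackupDir = Join-Path $env:USERPROFILE "ExchangeVdirBackup"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Virtual directory types from the answer, mapped to the cmdlet that reads them.
$VdirCmdlets = @{
    Autodiscover = "Get-AutodiscoverVirtualDirectory"
    ECP          = "Get-EcpVirtualDirectory"
    EWS          = "Get-WebServicesVirtualDirectory"
    ActiveSync   = "Get-ActiveSyncVirtualDirectory"
    OWA          = "Get-OwaVirtualDirectory"
}

$Findings = foreach ($Server in $Servers) {
    foreach ($Type in $VdirCmdlets.Keys) {
        # Step 1: back up the full objects before anything is changed
        $Vdirs = & $VdirCmdlets[$Type] -Server $Server
        $Vdirs | Format-List | Out-File (Join-Path $BackupDir "$Server-$Type.txt")

        # Step 2: flag any directory (front end or back end) that still allows Basic
        foreach ($Vdir in $Vdirs) {
            [pscustomobject]@{
                Server   = $Server
                Type     = $Type
                Identity = $Vdir.Identity
                Basic    = $Vdir.BasicAuthentication
                Windows  = $Vdir.WindowsAuthentication
                Risk     = if ($Vdir.BasicAuthentication) { "Basic enabled - review" } else { "OK" }
            }
        }
    }
    # RPC (Outlook Anywhere) is a separate object; its IIS methods list carries the Basic flag
    $Rpc = Get-OutlookAnywhere -Server $Server
    $Rpc | Format-List | Out-File (Join-Path $BackupDir "$Server-RPC.txt")
    $RpcBasic = $Rpc.IISAuthenticationMethods -contains "Basic"
    [pscustomobject]@{
        Server   = $Server
        Type     = "RPC"
        Identity = $Rpc.Identity
        Basic    = $RpcBasic
        Windows  = ($Rpc.IISAuthenticationMethods -contains "Ntlm")
        Risk     = if ($RpcBasic) { "Basic enabled - review" } else { "OK" }
    }
}

# Review the table first; apply the Set-* commands from the answer only during a maintenance window.
$Findings | Sort-Object Server, Type | Format-Table -AutoSize
```

Run it again after the Set-* changes and the iisreset to confirm that every row reports "OK" and that the settings match across the 2016 and SE servers.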