Template: Taking network traces with unencrypted MAPI traffic.

When Outlook 2007/2010 is set up with an Exchange profile it enables RPC encryption by default: the RPC authentication level is packet privacy, so the stub data carrying the remote operations is sealed on the wire. This prevents network devices or support engineers from reviewing the raw remote operations (ROPs) exchanged between the client and the server. Normally that is exactly what you want, but in some support cases the ROPs carry vital information, so for the duration of the trace the traffic has to be captured unencrypted. Both ends have to agree: the client must stop encrypting, and the server must stop refusing clients that do not encrypt.

How to disable MAPI/RPC encryption on the client (Outlook 2003/2007/2010).

  1. In the Windows Control Panel, double click Mail.
  2. Choose Email Accounts…
  3. Highlight the Exchange account and click Change.
  4. Click More Settings…
  5. Click on the Security tab.
  6. Ensure "Encrypt data between Microsoft Office Outlook and Microsoft Exchange." is unchecked.
    If the option is checked and greyed out, a GPO is most likely enforcing the setting; it has to be lifted for the test machine before the box can be cleared.
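An added check for step 6 (example code, not part of the original template): the script below reads the registry locations where Outlook keeps its EnableRPCEncryption value, in the policy hive and in the per-user hive, and reports whether a policy is forcing the setting. The version numbers, key paths and value semantics are assumptions taken from Microsoft's documentation of that value, not something the template states. The script changes nothing; if EnforcedByGPO is True for the Outlook version in use, the policy (or an exclusion for the test machine) has to be removed before the checkbox can be cleared.

```powershell
# Added example, not part of the original template. Reports, per Outlook version, whether
# "Encrypt data between Microsoft Office Outlook and Microsoft Exchange" is forced by policy
# (checked and greyed out in the profile UI). Registry paths and the EnableRPCEncryption
# value are assumed from Microsoft's documentation of that value.
function Get-OutlookRpcEncryptionSetting {
    # Office version keys: 11.0 = Outlook 2003, 12.0 = Outlook 2007, 14.0 = Outlook 2010
    $versions = @{ '11.0' = 'Outlook 2003'; '12.0' = 'Outlook 2007'; '14.0' = 'Outlook 2010' }

    foreach ($ver in ($versions.Keys | Sort-Object)) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\RPC"
        $userKey   = "HKCU:\Software\Microsoft\Office\$ver\Outlook\RPC"

        # A missing key or value yields $null, which is Outlook's default (encrypt)
        $policy = (Get-ItemProperty -Path $policyKey -Name EnableRPCEncryption -ErrorAction SilentlyContinue).EnableRPCEncryption
        $user   = (Get-ItemProperty -Path $userKey   -Name EnableRPCEncryption -ErrorAction SilentlyContinue).EnableRPCEncryption

        New-Object PSObject -Property @{
            Outlook       = $versions[$ver]
            EnforcedByGPO = ($null -ne $policy)   # a policy value is what greys the checkbox out
            PolicyValue   = $policy               # 1 = encrypt, 0 = clear text
            UserValue     = $user                 # same meaning; $null = Outlook default (encrypt)
        } | Select-Object Outlook, EnforcedByGPO, PolicyValue, UserValue
    }
}

# Run on the client being traced, as the user whose profile is in use
Get-OutlookRpcEncryptionSetting | Format-Table -AutoSize
```

Run it under the account that owns the Outlook profile; the policy hive is per user, so an elevated admin session may show a different result from the user's own.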

Now the Exchange server must allow unencrypted clients to connect. Exchange 2003 and 2007 allow them by default; Exchange 2010 requires encryption by default and refuses clients that do not use it, so on Exchange 2010 the requirement has to be relaxed before the unencrypted client can connect at all.

How to check and disable the MAPI encryption requirement on Exchange 2010.

In the Exchange Management Shell run the following commands:
Get-RPCClientAccess | ft Server, EncryptionRequired
Note the setting of each server should you want to change them back, then:
Get-RPCClientAccess | Set-RPCClientAccess -EncryptionRequired:$False

Note: this change does not require restarting any services and does not disconnect current clients. Clients with MAPI encryption enabled can still connect; the setting only stops the server from refusing clients that have it disabled. The piped command above changes every RPC Client Access instance it returns; it must be applied to all CAS servers in the array and to the public folder server, otherwise a client that lands on a server still requiring encryption is refused. Bear in mind that while the requirement is relaxed, every client that has the checkbox cleared, not only the one being traced, talks to these servers in clear text.

How to check and disable the MAPI encryption requirement on Exchange 2007.

In the Exchange Management Shell run the following commands (note the current values should you want to change them back):
Get-MailboxServer | ft Name, MapiEncryptionRequired
Get-MailboxServer | Set-MailboxServer -MapiEncryptionRequired:$false
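The following is an added example for both the Exchange 2010 and the Exchange 2007 procedures above (example code, not part of the original template). It wraps the template's Get-/Set-RPCClientAccess and Get-/Set-MailboxServer commands so that the pre-trace state is written to a file before anything changes, and the restore step puts back exactly what each server had rather than blindly setting $true, then verifies the result. It runs in the Exchange Management Shell; the function names and the CSV path are this example's own choices.

```powershell
# Added example, not from the original template. Run in the Exchange Management Shell.
# Save -> Disable -> (take the trace) -> Restore, with the saved state as the source of truth.
function Get-MapiEncryptionState {
    param([ValidateSet('2007','2010')][string]$ExchangeVersion)
    if ($ExchangeVersion -eq '2010') {
        # One object per RPC Client Access instance: every CAS in the array plus the
        # mailbox server(s) hosting public folders
        Get-RpcClientAccess | Select-Object @{ n = 'Identity'; e = { [string]$_.Server } },
                                            @{ n = 'EncryptionRequired'; e = { [bool]$_.EncryptionRequired } }
    } else {
        Get-MailboxServer | Select-Object @{ n = 'Identity'; e = { [string]$_.Name } },
                                          @{ n = 'EncryptionRequired'; e = { [bool]$_.MapiEncryptionRequired } }
    }
}

function Save-MapiEncryptionState {
    param([string]$ExchangeVersion, [string]$Path)
    $state = Get-MapiEncryptionState -ExchangeVersion $ExchangeVersion
    $state | Export-Csv -Path $Path -NoTypeInformation
    $state   # echo what was recorded so it can be pasted into the case notes
}

function Disable-MapiEncryptionRequirement {
    param([string]$ExchangeVersion)
    # Relaxes the requirement on every server. Clients that still encrypt keep working,
    # but any client with the checkbox cleared now talks to these servers in clear text.
    if ($ExchangeVersion -eq '2010') {
        Get-RpcClientAccess | Set-RpcClientAccess -EncryptionRequired:$false
    } else {
        Get-MailboxServer | Set-MailboxServer -MapiEncryptionRequired:$false
    }
}

function Restore-MapiEncryptionState {
    param([string]$ExchangeVersion, [string]$Path)
    $saved = Import-Csv -Path $Path
    foreach ($row in $saved) {
        $required = [System.Convert]::ToBoolean($row.EncryptionRequired)   # CSV holds "True"/"False"
        if ($ExchangeVersion -eq '2010') {
            Set-RpcClientAccess -Server $row.Identity -EncryptionRequired:$required
        } else {
            Set-MailboxServer -Identity $row.Identity -MapiEncryptionRequired:$required
        }
    }
    # Verify server by server: anything that differs from the saved state gets a warning
    $now = Get-MapiEncryptionState -ExchangeVersion $ExchangeVersion
    foreach ($row in $saved) {
        $cur = $now | Where-Object { $_.Identity -eq $row.Identity }
        if ($null -eq $cur -or ([string]$cur.EncryptionRequired) -ne $row.EncryptionRequired) {
            Write-Warning "$($row.Identity): expected EncryptionRequired=$($row.EncryptionRequired), now $($cur.EncryptionRequired)"
        }
    }
}

# Usage for Exchange 2010 (use -ExchangeVersion 2007 to drive Set-MailboxServer instead).
# C:\Temp\mapi-encryption.csv is an example path; keep the file with the case.
#   Save-MapiEncryptionState -ExchangeVersion 2010 -Path C:\Temp\mapi-encryption.csv
#   Disable-MapiEncryptionRequirement -ExchangeVersion 2010
#   ... take the trace ...
#   Restore-MapiEncryptionState -ExchangeVersion 2010 -Path C:\Temp\mapi-encryption.csv
```

Restoring from the saved file rather than setting $true everywhere matters on Exchange 2007, where the default is not to require encryption, and in mixed environments where an administrator may have deliberately left individual servers open.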

Now that the above has been done we can start taking unencrypted network traces. The capture itself is covered by the following template:
Template: How to take Network traces between clients and exchange servers.

To confirm that the client has been set for unencrypted traffic, open the trace in Netmon and review the following.

Open the capture with Netmon and find a MAPI response (an MSRPC c/o Response on the Exchange Server STORE EMSMDB interface). Review the Frame Details and drill down to the AuthVerifier. If the AuthLevel reads dce_c_authn_level_pkt_privacy, as in the frame below, the client was not set up correctly: the stub data carrying the ROPs is still sealed. Only packet privacy encrypts the stub data, so any other AuthLevel means the ROPs in the MSRPCPayload are on the wire in clear text.

Frame: Number = 4100, Captured Frame Length = 134, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-00-00-00-00-00],SourceAddress:[00-00-00-00-00-00]
+ Ipv4: Src = 10.10.10.10 Dest = 10.20.20.20, Next Protocol = TCP, Packet ID = 14063, Total IP Length = 120
+ Tcp: Flags=...AP..., SrcPort=7575, DstPort=54125, PayloadLen=80, Seq=2622971141 - 2622971221, Ack=3837493092, Win=255 (scale factor 0x8) = 65280
- MSRPC: c/o Response: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA} Call=0x8 Context=0x0 Hint=0x18 Cancels=0x0 Warning: Octets trailer appends to authentication token
  - Response:
      RpcVers: 5 (0x5)
      RpcVersMinor: 0 (0x0)
      PType: 0x02 - Response
    + PfcFlags: 3 (0x3)
    + PackedDrep: 0x10
      FragLength: 80 (0x50)
      AuthLength: 16 (0x10)
      CallId: 8 (0x8)
      AllocHint: 24 (0x18)
      PContId: 0 (0x0)
      CancelCount: 0 (0x0)
      Rsvd1: 0 (0x0)
    - PDUBody: 24 bytes
      - StubData: 0x1
          MSRPCPayload: Binary Large Object (24 Bytes)
    - AuthVerifier:
        AuthPad: Binary Large Object (8 Bytes)
        AuthType: RPC_C_AUTHN_WINNT - NTLM authentication will be used.
        AuthLevel: dce_c_authn_level_pkt_privacy - This level offers the dce_c_authn_level_pkt_integrity services plus privacy (encryption) of stub call arguments only. All run-time and lower-layer headers are still transmitted in clear text.
        AuthPadLength: 8 (0x8)
        AuthReserved: 0 (0x0)
        AuthContextId: 0 (0x0)
      + AuthValue:
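As an added example (not part of the original template), the decoder below shows where in the RPC PDU the AuthLevel that Netmon displays actually sits, so the same check can be made on raw bytes copied out of a capture. The offsets follow the DCE/RPC connection-oriented PDU layout as used by MS-RPCE, and the level and type numbers are the standard RPC_C_AUTHN_* constants; the 80-byte sample is constructed to reproduce the header values of the frame above, with zero filler where the sealed stub data and the NTLM signature would be. None of it is captured data.

```powershell
# Added example, not from the original template. Decodes the DCE/RPC C/O PDU header and its
# auth_verifier trailer and reports the authentication level; only PKT_PRIVACY seals the stub.
function Get-RpcAuthLevel {
    param([Parameter(Mandatory=$true)][byte[]]$Pdu)

    $levels = @{ 1 = 'NONE'; 2 = 'CONNECT'; 3 = 'CALL'; 4 = 'PKT'; 5 = 'PKT_INTEGRITY'; 6 = 'PKT_PRIVACY' }
    $types  = @{ 0 = 'NONE'; 9 = 'GSS_NEGOTIATE'; 10 = 'WINNT (NTLM)'; 16 = 'GSS_KERBEROS' }

    if ($Pdu.Length -lt 16) { throw 'Too short for a DCE/RPC C/O PDU header' }
    if ($Pdu[0] -ne 5)      { throw "Unexpected rpc_vers $($Pdu[0])" }
    # packed_drep (byte 4): bit 0x10 set means little-endian integers, which is what Windows sends
    if (($Pdu[4] -band 0x10) -eq 0) { throw 'Big-endian PDU not handled by this example' }

    $fragLength = [BitConverter]::ToUInt16($Pdu, 8)    # whole fragment, auth trailer included
    $authLength = [BitConverter]::ToUInt16($Pdu, 10)   # length of auth_value only
    if ($fragLength -ne $Pdu.Length) { throw "frag_length $fragLength does not match buffer length $($Pdu.Length)" }

    if ($authLength -eq 0) {
        # No auth_verifier at all: the stub data is neither signed nor sealed
        return New-Object PSObject -Property @{ AuthType = 'NONE'; AuthLevel = 'NONE'; AuthPadLength = 0; Encrypted = $false }
    }

    # The 8-byte auth_verifier header immediately precedes auth_value, which closes the fragment
    $v = $fragLength - $authLength - 8
    $authType  = [int]$Pdu[$v]
    $authLevel = [int]$Pdu[$v + 1]

    New-Object PSObject -Property @{
        AuthType      = $types[$authType]
        AuthLevel     = $levels[$authLevel]
        AuthPadLength = [int]$Pdu[$v + 2]
        Encrypted     = ($authLevel -eq 6)   # PKT_PRIVACY: stub call arguments are encrypted
    } | Select-Object AuthType, AuthLevel, AuthPadLength, Encrypted
}

# Constructed sample: the header values of the frame above (Response, PfcFlags 3, FragLength 80,
# AuthLength 16, CallId 8, AllocHint 24, NTLM, pkt_privacy, AuthPadLength 8); stub and
# signature bytes are zero filler, not captured data.
[byte[]]$sample =
    @(0x05, 0x00, 0x02, 0x03,  0x10, 0x00, 0x00, 0x00) +   # rpc_vers, minor, ptype=Response, pfc_flags, drep
    @(0x50, 0x00,  0x10, 0x00,  0x08, 0x00, 0x00, 0x00) +  # frag_length=80, auth_length=16, call_id=8
    @(0x18, 0x00, 0x00, 0x00,  0x00, 0x00,  0x00,  0x00) + # alloc_hint=24, p_cont_id, cancel_count, reserved
    (New-Object byte[] 24) +                               # 24 bytes of stub data (sealed in the real frame)
    (New-Object byte[] 8) +                                # auth_pad (8 bytes)
    @(0x0A, 0x06, 0x08, 0x00,  0x00, 0x00, 0x00, 0x00) +   # auth_type=WINNT, auth_level=PKT_PRIVACY, pad_len=8, rsvd, ctx id
    (New-Object byte[] 16)                                 # auth_value: NTLM signature

# AuthLevel and Encrypted say whether this client is still sealing its ROPs
Get-RpcAuthLevel -Pdu $sample
```

To use it on a real capture, copy the TCP payload of one MSRPC frame as hex from Netmon or Wireshark and convert it to a byte array; a fragment whose Encrypted field is False is one whose ROPs can be read directly from the MSRPCPayload.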

Once the trace has been taken, put the servers back to the values noted earlier and go back to the Outlook profile and re-enable "Encrypt data between Microsoft Office Outlook and Microsoft Exchange.". Do the client first, or at least before the servers require encryption again: if encryption is required on the servers while the profile still has the box cleared, the client will not be able to connect.

Additional links

https://msdn.microsoft.com/en-us/library/ee200574%28v=EXCHG.80%29.aspx

remote operation (ROP): An operation that can be invoked against a server. Each ROP represents an action, such as Delete, Send, or Query. It is encoded on the wire by a ROP number, followed by parameters that are specific to the operation. More than one ROP can be packed into a single RPC request or response.

https://msdn.microsoft.com/en-us/library/aa373553%28v=vs.85%29.aspx

RPC_C_AUTHN_LEVEL_PKT_PRIVACY

Includes all previous levels, and ensures clear text data can only be seen by the sender and the receiver. In the local case, this involves using a secure channel. In the remote case, this involves encrypting the argument value of each remote procedure call.