Outlook Android App error occurred during authentication. Please try again later.

Question

Hi,

I am migrating mailboxes between on-premises Exchange forests using ADMT automated calls in SC Orchestrator 2019.

1-Prepare-MoveRequest;

2-Migrate-ADMTUser;

3-MoveMailbox;

4-Set-Resources;

Problem: Outlook mobile app using ActiveSync does not configure the same account after the mailbox is migrated from the source forest to the target forest with the email address in the "Username" field. Only using DOMAIN\Login or NETBIOS\SamAccountName. This happens with some accounts, but there are cases where it does not happen, even though the migration method is the same for all cases.

Error message in the app: Outlook Android App error occurred during authentication. Please try again later.

Workaround to configure post-migrated accounts:

Email address: login@domain

Password: User's forest password 

Server: FQDN of the NEW on-premises Exchange server 

Domain: Empty 

User Name: DOMAIN\SamAccountName

PS: I can connect normally with 'Email - Fast & Secure Mail' and 'Gmail App ActiveSync'. This problem doesn't occur, and I can use the email address in the Username field."

Troubleshooting performed:

Enabled ActiveSync Logging: Set-CASMailbox -Identity "login@domain" -ActiveSyncDebugLogging:$true

Get-Mailbox login@domain | Set-User -LinkedMasterAccount $Null

Set-CASMailbox login@domain -ActiveSyncBlockedDeviceIDs $null

Compared all attributes in Active Directory of an account with issues with another that does not have this problem;

Compared all attributes in Exchange Server of an account with issues with another that does not have this problem;

Both Exchange Server 2019 in the source and target forest with the latest CU14 and SUv2 from November.

The Outlook Android App Support is very very complicated. It practically doesn't exist because no one ever responds.

Answer 1

Hi, @Evandro Boa Semedo

The issue appears to be related to how specific accounts are authenticated in the Outlook mobile app after migration. Since other ActiveSync clients are working fine, the problem may be on the Outlook side and how it handles authentication properties during migration.

I will only give the following common suggestions for mobile authentication errors from the perspective of Exchange:

1. Remove the affected account from the Outlook mobile app and add it again. This helps to flush any cached credentials or configurations.
2. Ensure that the Exchange server's SPN is properly registered in Active Directory.
3. Ensure that authentication methods and policies are consistent across both forests. Compare OAuth settings and make sure they are configured correctly.
4. Make sure that Autodiscover is properly configured for the new environment, and verify that the Autodiscover SCP records in AD point to the correct Exchange server.

It's important to emphasize that Exchange ActiveSync auto-redirection isn't supported when moving mailboxes between on-premises Exchange organisations. Exchange ActiveSync device settings with Exchange hybrid deployments | Microsoft Learn

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Answer 2

Hi @Xintao Qiao-MSFT

Step 1 - I had before posting on this forum, and I can confirm that I got the same error on more than one phone. I cleared the app cache on the phone and tested it, same error. Then I removed the app from the phone and reinstalled it, same error. Finally, I entered the advanced boot mode of Android and cleared the app cache, same problem after reinstall again.

Step 2 - All Exchange and Active Directory servers have their SPNs correct. Here is an example:

SPN.png

Step 3 - I don't use modern authentication on-premises with OAuth or any third-party authentication. I continue to use the same basic on-premises authentication model in both on-premises Exchange forests.
ActSync.png

Step 4 - They all point to the same URL.

Autodisc.png

Additional steps 1 - Another test I did was, I prepared the account via Prepare-MoveRequest.ps1, ran ADMT, merged the password, didn't copy the SidHistory, moved the mailbox to the new forest, and tried to reconfigure it in the app, but the same error occurred.

Additional steps 2 - I have already tried renaming the UPN and reverting to the original UPN, renaming the SamAccountName and reverting to the original, and even changing the UPN to another one.

Is there any workaround I can do on the Exchange server side or on the user's app to clear any issues and allow using the email in the username field? For accounts created in the destination environment, it has always been like this. Workaround to configure post-migrated accounts:

Email address: login@domain

Password: User's forest password

Server: FQDN of the NEW on-premises Exchange server

Domain: Empty

User Name: login@domain (Expected, objective)

User Name: DOMAIN\SamAccountName (Workaround, bad config)

Note: If I change the user's UPN attribute domain in Active Directory, for example: I rename from login@domainA.com to login@domainB.com in the UPN attribute and in the "Username" field I change login@domainA.com to the email login@domainB.com, it works. There is something exclusively with this Outlook Mobile App that does not handle the UPN correctly after migration.