toddtx

Exchange 2013 - Outlook 2010 prompts for password; Outlook 2007 connects, OWA, Activesync fine

Migrated from Exchange 2007 to Exchange 2013. We have an SSL cert that has the AD name of the server, as well as the URL for internal/external connection.

OWA, Activesync work fine and Outlook 2007 clients can connect.

Outlook 2010 clients prompt for the password indefinitely.

Doing the Test Email Autoconfiguration, nothing stands out as obviously wrong.

What are the next steps to troubleshoot this?
Blue Street Tech

Test config autodiscovery here: https://www.testexchangeconnectivity.com/

What OS's are being used?

Is this being tested on the same machines, Outlook 2007 & 2010 clients?
If you are using cached mode, then it may be your authentication mismatch for Outlook Anywhere -- NTLM or Basic will be set in the advanced Outlook account settings, Connection tab.

You will need to pick one and stick with it for your client settings. Check what the Outlook 2007 clients have set. We found that initially 2010 wouldn't save our passwords until we applied SP1 for Office 2010 and some Win 7 updates.
toddtx

ASKER

Update: It appears now that the issue is with XP machines and Outlook 2010. Windows 7 and Outlook 2010 machines are working fine.

The connectivity analyzer shows this error:

The HTTP authentication test failed.
Not all the required authentication methods were found.
Methods Found: Negotiate
Methods Required: NTLM

Exchange 2013 is currently set to Negotiate/Offload SSL.
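
One way to reproduce the "Methods Found / Methods Required" comparison offline, as an added example that is not part of the original thread. It assumes the schemes are read from the `WWW-Authenticate` headers of the server's 401 response; the sample responses and function names are constructed for illustration.

```python
# Added example: compare advertised HTTP auth schemes with a required one.
# Constructed 401 responses; assumes one challenge per WWW-Authenticate
# header line (no comma-separated challenge lists).
NEGOTIATE_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "Content-Length: 0\r\n\r\n"
)
NEGOTIATE_AND_NTLM = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="owa.domain.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)


def offered_schemes(raw_response):
    """Return the auth schemes a raw HTTP 401 response advertises, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != "401":
        raise ValueError("expected a 401 challenge, got: " + status_line)
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            # The scheme is the first token; parameters such as realm follow.
            schemes.append(value.split()[0])
    return schemes


def check_required(raw_response, required):
    """Compare advertised schemes with the ones the client profile needs."""
    found = offered_schemes(raw_response)
    found_lower = {s.lower() for s in found}  # scheme names are case-insensitive
    missing = [m for m in required if m.lower() not in found_lower]
    return {"found": found, "missing": missing, "passed": not missing}


if __name__ == "__main__":
    for label, resp in (("negotiate only", NEGOTIATE_ONLY),
                        ("negotiate + ntlm", NEGOTIATE_AND_NTLM)):
        print(label, check_required(resp, ["NTLM"]))
```
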
This issue could be due to one or more of the following:
You have a corrupted Outlook profile or a corrupted Outlook Express identity.
There are conflicts with add-ins or with antivirus software.
The registry contains incorrect information for the Protected Storage System Provider subkey for the user account in Windows XP, in Windows 2000, and in Outlook 2003 or earlier versions of Outlook.
To resolve, try this: http://support.microsoft.com/kb/290684 and
http://www.msoutlook.info/question/481

Is Outlook 2010 on SP1 with the Outlook 2010 November 2012 update (14.0.6126.5000)? If not, you need to update to SP1 & Nov '12 update. Exch 2013 does not support Outlook 2010 otherwise.  After you upgrade to SP1 install the Nov '12 update: http://support.microsoft.com/?kbid=2687623.

Are credentials being cached?

To check, follow these instructions.
1. Click Start and select Run
2. In the Open field type "rundll32.exe keymgr.dll, KRShowKeyMgr"
3. Once the Stored Usernames and Passwords interface opens you can select any of the entries and select Properties to view the existing information
4. To remove a saved password you can select one of the entries and select Remove. A confirmation screen will appear. Click on OK and the account will be removed
5. You can add additional saved passwords as well by clicking on the Add button and entering the appropriate information
6. Repeat the steps above as needed to add, remove or edit saved passwords
7. When you are done using the interface click the Close button

ASKER

Thanks diverseit. I checked all of the things you mentioned and all are good.

The issue still persists.
As I said above, in the Advanced user mail profile tab, check your authentication type, what it is set to (I'd bet it's NTLM).

If you switch it to Basic, does Outlook behave?

ASKER

IainNIX, I was hoping it was NTLM, but it was Basic.

I checked a Windows 7/Outlook 2007 machine (working) with an XP/Outlook 2010 machine (not working) and both have identical settings in their Outlook account.

The XP machine just keeps prompting for the password.
Are you connecting RPC/HTTPS? If so, you are going to want to look at the MSSTD entry, NTLM authentication & Credential Manager entries. Follow below:

1. In Outlook, navigate to File > Info > Account Settings > Account Settings > highlight your profile and click Change:
2. Navigate to More Settings > Connection tab > Exchange Proxy Settings.
3. Specify the settings as follows:
    Connect using SSL only: checked,
    Only connect to proxy servers that have this principal name in their certificate: checked, with the server specified as: msstd:owa.domain.com (this is just an example)
    NTLM authentication.
4. In More Settings, on Security tab, make sure the checkbox "Always prompt for logon credentials" is *not* checked.
5. Save the changes. Restart Outlook.
6. Enter your credentials, check Remember Password and log in to Outlook 2010. Outlook will create the entries in the Credential manager.
7. Restart Outlook to make sure the Credential Manager entries work. If you are prompted for a Password again, proceed to modifying Credential Manager entries.

For the Credential Manager:

1. Navigate to Start > Run and type in "control keymgr.dll" without the quotes and hit Enter:
2. If there already are entries, remove all that pertain to Outlook. If there are no entries, you need to add them. You may add up to 3 entries for a mailbox that is on Exchange 2013 server.
webmail.domain.com
owa.domain.com
webmail.domain.local
5. Save the changes and start Outlook to see if the changes work.
6. Reboot your computer and start Outlook to make sure the entries work.

If this still fails you may need to check/modify the registry.
Important: Administrator rights are required to edit Windows Registry.
1. In Windows, click Start > Run. In the command box, type regedit.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
3. Find the DisableDomainCreds entry. A value of 1 (enabled) will prevent you from saving new credentials.
4. Change the value to 0 and reboot. You should now have the Add button available. Note that the value of 0 is the default value.
5. Also check the LmCompatibilityLevel entry. It should be set to 3, which is the default value. If you have another value, change it to 3. If it does not work with 3, then change the value to 2 and retry.
6. Reboot the computer to apply changes.
If the Credential Manager entries disappear each time you reboot the computer, check if the computer is included in the Domain.
If it is in the Domain, find the domain policies that prevent the computer from saving the entries. You may need to exclude the computer from Domain to save the entries and then safely include it back.
If it is not included in the Domain, find the local policies that prevent computer from saving entries. You may need to create another Windows user in order to have the ability to save the entries.
If Outlook keeps prompting for a password after the reboot or logoff/logon, check the Persistence parameter of the entries created in Credential Manager.
If Persistence is Logon Session, that means that password is saved only for current logon session.
The correct value for Persistence parameter is Enterprise. There is no way to change Persistence in Credential Manager. You will need to find local settings that prevent credentials from being saved correctly.
Check local/domain security policy settings applied to affected computer and user account. Verify if these settings affect credential persistence by excluding computer from domain or setting all policies to default.
If Outlook keeps prompting for a password, use Domain\Username format for the User Name field for all entries in Credential Manager. Correct domain and username information can be found in CONTROL PANEL > Users & Services > Exchange Mailboxes > Actions > Edit User Info.
If Outlook keeps prompting for a password, navigate to Account Settings > double-click your account > More Settings > Security tab and make sure the option Always prompt for logon credentials is not checked. (See Attached)

Let me know how it goes!
Security-AlwaysPromptforLogonCre.jpg
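
The two registry checks from the post above, as an added example that is not part of the original thread. It audits the text output of `reg query` for the Lsa key against the values the post expects; the sample output is constructed and the function names are assumptions.

```python
import re

# Constructed sample of what
#   reg query HKLM\System\CurrentControlSet\Control\Lsa
# prints on a workstation (values chosen to trigger both checks).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    auditbaseobjects    REG_DWORD    0x0
    disabledomaincreds    REG_DWORD    0x1
    LmCompatibilityLevel    REG_DWORD    0x5
    limitblankpassworduse    REG_DWORD    0x1
"""

# Value lines are indented: <name> <type> <data>; separators may be tabs or spaces.
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_dwords(reg_output):
    """Map lower-cased value name -> int for every REG_DWORD line."""
    values = {}
    for line in reg_output.splitlines():
        match = DWORD_LINE.match(line)
        if match:
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def audit_lsa(reg_output):
    """Return findings for the two Lsa values the post says to check."""
    values = parse_dwords(reg_output)
    findings = []
    # The post gives 0 as the default, so a missing value is treated as 0
    # here (assumption).
    if values.get("disabledomaincreds", 0) == 1:
        findings.append("DisableDomainCreds=1: saving new credentials is blocked")
    lm_level = values.get("lmcompatibilitylevel")
    if lm_level is None:
        findings.append("LmCompatibilityLevel not set: post expects 3")
    elif lm_level != 3:
        findings.append("LmCompatibilityLevel=%d: post expects 3" % lm_level)
    return findings


if __name__ == "__main__":
    for finding in audit_lsa(SAMPLE_REG_QUERY):
        print(finding)
```
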

ASKER

Thank you diverseit, but still no go.

I've attached two screenshots of working Windows 7/ Outlook 2007 and the ECP 2013 screenshot showing Basic...

On a newly created Outlook profile on XP, copying the settings from the working machine, I'm prompted for password forever, then "The connection to Microsoft Exchange is unavailable...." when I click Cancel
OutlookAnywhere-Exchange2013.PNG
OLK-2007-Exchange-Proxy-settings.PNG
OLK-2007-Security-Tab-settings--.PNG
If it is on Basic and you have tried the MSSTD trick, then you have an issue with your certificate -- XP needs the full FQDN name of the Exchange server to match the CN entry if I recall, not just listed as an alt domain.

I have heard of a fix involving importing the certificate into XP systems and placing it in the Trusted Root Certification Authorities Certificate Store, or use GPO to push the cert to all XP systems if you have them in a separate OU.

Check this link -- http://social.technet.microsoft.com/Forums/exchange/en-US/a7c25d6a-7cfc-40a1-a17e-a1f05f637d53/exchange-2010outlook-anywherewindows-xp-not-working-together

ASKER

My main cert name is owa.newschoolname.org, but one of the SANs (and name of the server) is ex01.old-schoolname.org.

So I need to, on an XP workstation, in the Certificates MMC, install the other Starfield Intermediate cert thing, just like I did on the server. Should I just put the regular cert on there too? (I tried this in IE like one does with untrusted certs; it didn't have any effect.)

Then, if this works, create a GPO to push the Starfield Intermediate out to the machines.
Install the certs and test -- it needs to be the one with the server name, I think.

ASKER

I have the cert installed (owa.newschoolname.org) and have verified it is listed in certmgr.msc

Outlook 2010 is still prompting for the password....

ASKER

Update... "some" XP machines with Outlook 2010 are working... still gathering data.
Your SSL should also have autodiscover.domain.com listed in it for exchange to work properly. Is it included?

ASKER

@diverseit, yes, we have autodiscover.domain in the SSL.

Here's where it gets interesting:

We had an old machine (not on the network for some time) with Office 2010/XP. Fired it up, and every account we threw at it would connect. It was a machine not in production so had missed months of updates.

After three rounds of patches, including Office 2010 SP1/kbid=2687623, Outlook will not connect again - continues to prompt for a password - both with the accounts that were working and any new accounts we try to set up.
That is interesting... nice troubleshooting too.

What about GPOs? Did that test machine connect to the domain during this testing... maybe there is some funky GPO targeting XP machines that is active, not allowing saved credentials. Also, check user/group permissions. I've seen weird things like this with erroneous printing permissions; not that it's related, but similar cause.

Try to rollback and pinpoint which patch is the culprit testing each time a rollback is completed.

ASKER

Yes, it had been joined to the domain. Our GPOs are pretty minimal, like setting the home page, a few favorites, and password policies, that's about it. I'll run a GP results wizard to see.

My counterpart sugg. the patch removal method, heh. I'll remove SP1 and see what that does.
How's it going with the process of elimination on the installed Patches?
ASKER CERTIFIED SOLUTION
toddtx

This solution is only available to members.
Wow...awesome! I'm glad you got everything working now! I would close this Question with http:#a39349975 as the answer.

Thanks for the update.
thanks for the update.

ASKER

This solution was from Microsoft Product Support Services. Hope it helps someone else out there.
Yes, it helped me today.

Thank you for sharing..
nice one, thanks.
Glad you were able to get it resolved.
I had the exact same issue. Migrated from Exchange 2007 to Exchange 2013. External users would work just fine. All INTERNAL users would get password prompts. Just clicking on Cancel will still connect Outlook to Exchange, but will still constantly nag for the password. After calling Microsoft support, they determined that public folders were still on the Exchange 2007 server and Outlook was looking at the 2007 server for the password. They went into adsiedit.msc and removed the public folders and now all is good. Only took 12 hours of hair pulling to figure it out!