Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


OWA 2003 Presents multiple logon prompts

Posted on 2004-09-14
Medium Priority
Last Modified: 2008-01-09
I've searched the solutions here and found a similar, if not exact match to my problem in Q_20732632.  I've reviewed and re-reviewed this solution and the referenced MS KB articles.  I've followed, carefully, the MS KB directions for setting permissions.  Yet my problem persists.

I have two servers in the environment.  Server1 is running 2000sp4, AD, and Exchange 2003.  I know, not recommended, but our only option.  Server2 is running 2000sp4, MS Proxy 2.0.  I'm running only a single SMTP domain.

Most accounts in my exchange environment are prompted 4-5 times for their logon information.  After the last prompt, the users are presented with a 4.01 error.  If they refresh the browser the inbox/account is displayed properly.  I say most accounts because my account works fine (admin level permissions) as to a small number of other accounts.  The other kicker is that accounts that prompt multiple times when accessed via the LAN logon fine from outside the LAN on the public internet.

This issue has been on going for a long time.  Your thoughts, time, effort, and suggestions are all appreciated.
Question by:danielbourdeau
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 12

Expert Comment

ID: 12055162

Make sure you set all of the Exchange virtual directories have basic and integrated authentication enabled. Also make sure /exchweb has anonymous enabled.
LVL 12

Expert Comment

ID: 12055221

You will also want to check the directory security settings on the BIN virtual directory for /exchweb. The domain should match on both /exchweb and /bin ... seems like I saw that as a potential fix for this problem ... (I'd check the permissions first) ...

Author Comment

ID: 12063352
I'm sure the Exchange VD's have basic and I know they do NOT have integrated set.  Can you help me understand the need for integrated?  I'll check the settings on the folders you've recommended.  Thanks for taking the time to help out.
LVL 12

Accepted Solution

BNettles73 earned 1500 total points
ID: 12064746

Integrated Windows Authentication

Integrated Windows AuthenticationIntegrated Windows authentication (formerly called NTLM, and also referred to as Windows NT Challenge/Response authentication) is a secure form of authentication because the user name and password are hashed before being sent across the network. When you enable Integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server, involving hashing. Integrated Windows authentication is the default authentication method used in members of the Windows Server 2003 family.

Integrated Windows authentication uses Kerberos v5 authentication and NTLM authentication. If Active Directory Services is installed on a Windows 2000 or later domain controller and the user's browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used.

Integrated Windows authentication includes the Negotiate, Kerberos, and NTLM authentication methods. Negotiate, a wrapper for Kerberos and NTLM, is a good choice for connecting to clients on the Internet because each lacks a capability, as follows:

NTLM can get past a firewall, but is generally stopped by proxies.
Kerberos can get past a proxy, but is generally stopped by firewalls.
For Kerberos v5 authentication to be successful, both the client and the server must have a trusted connection to a Key Distribution Center (KDC) and be Active Directory Services compatible.

Client Authentication Process

The following steps outline how a client is authenticated using Integrated Windows authentication:

Unlike Basic authentication, Integrated Windows authentication does not initially prompt for a user name and password. The current Windows user information on the client computer is used for Integrated Windows authentication.
 Note Microsoft Internet Explorer versions 4.0 and later can be configured to initially prompt for user information if needed. For more information, see Internet Explorer Help.

If the authentication exchange initially fails to identify the user, the browser prompts the user for a Windows account user name and password, which it processes using Integrated Windows authentication.
Internet Explorer continues to prompt the user until the user either enters a valid user name and password or closes the prompt dialog box.
Although Integrated Windows authentication is secure, it does have two limitations:

Only Microsoft Internet Explorer versions 2.0 and later support this authentication method.
It does not work over HTTP proxy connections.
Therefore, Integrated Windows authentication is best suited for an intranet environment, where both user and Web server computers are in the same domain and where administrators can ensure that every user has Internet Explorer version 2.0 or later.If Integrated Windows authentication fails due to improper user credentials or some other problem, the browser prompts the user to enter a user name and password.

Integrated Windows authentication uses Kerberos. Before the Kerberos authentication service can authenticate a service, the service must be registered on only one account object. If the logon account of a service instance changes, the service must be reregistered under the new account. Therefore, only one application pool that has the service registered can authenticate with Kerberos. As a result of this, you cannot isolate sites from each other on the virtual directory level in an application pool. There is a work around, however. The customer can isolate these sites based on domain name. For example, and

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question