Solved

SBS 2008 prompting XP users to enter password

Posted on 2010-08-24
Last Modified: 2012-05-10
Hello everyone,

I just recently installed a SBS 2008 w/Exchange 2007. I joined the domain the proper way by using http://connect and everything seemed ok at first, but now it's prompting users to enter their password.

The odd thing about it is it's coming from the remote.domainname.com I use to connect remotely. In other words, the box pops up asking for credentials for remote.domainname.com NOT the actual Exchange server name.

I've read a bunch of stuff on here as well as in general on the Internet, but nothing seems to point me in the direction needed to fix it except to install Exchange SP1 Rollup 9, but that fails to install saying it doesn't have rights to modify the RelNotes.HTM. I am logged into the server as an administrator so I'm a little confused as to why it doesn't have access.

Please help as we are in production and the constant interruptions for passwords (which never works even after you type the correct password) is really starting to raise a stink.

Thanks!!!

Joe
Question by:JoeBarbone
57 Comments
 

Author Comment

by:JoeBarbone
ID: 33510720
CORRECTION:  The prompt is coming from the actual mail server, NOT the outside access remote.servername.com I previously thought.

If I had to find a pattern, I'd guess one would be that it seems to be happening on Outlook 2007 users. Outlook 2003 users do not seem to have an issue, but I will update if Outlook 2003 starts becoming a problem.

Thanks again.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33510836
you need to check the configuration of your autodiscover services and the associated virtual directories

take a look at the following
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html
0
 

Author Comment

by:JoeBarbone
ID: 33511012
According to the links you provided, I found the following: "a new virtual directory named Autodiscover is created under the Default Web Site in Internet Information Services (IIS). This virtual directory handles Autodiscover service requests from Outlook 2007 clients in the following circumstances:"

When I go to IIS and expand the Default Website, I do NOT show a virtual directory named AutoDiscover.

SBS 2008 was set up as it comes on the disc, no customization was made to the standard installation. Is this the problem? How do I install/setup/start Autodiscover?

From what I can see, it seems that I need to have my ISP create an AutoDiscover A Record. Is this correct??

I was using SBS 2003 and never had any issues with email. I did not get a certificate so there was always the warning when I would access the server remotely, I would click continue and I was able to get it with no problems. I never had a problem with mail as my ISP has an A Record for Mail.MyDomain.com and the public WAN address. mail came and went with no drama.

Again, forgive my ignorance, but are these autodiscover services necessary for internal email?

Also, I cannot find a service, server or exchange that is AutoDiscover.

Thanks again!

Joe
0
 

Author Comment

by:JoeBarbone
ID: 33511079
"Again, forgive my ignorance, but are these autodiscover services necessary for internal email?"

By the way, we do send/receive email inhouse as well as SMTP, my statement was made regarding outside access to email. We do not have remote users. IF someone needs to check email, they can go to the remote.domain.com and check it from there.

Does that make sense?

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33511136
yes, SBS is slightly different
it uses a Web Applications Site instead of the Default Web Site

The autodiscover A record must be created both internally and externally (depending on where clients are connecting)

yes, these are necessary as Outlook 2007 and later use the exchange web services for oof, oab, and free/busy information

autodiscover is not a running service, but a feature

you can use an internal certificate and set your clients to trust it
0
 

Author Comment

by:JoeBarbone
ID: 33511256
Ok, I found the Autodiscover under Web Applications, thanks.

Now, if I create the A record in dns and contact my ISP for the A record with them, according to the papers I've read, that will fix the problem of Outlook 2007 users being prompted for credentials??

Also, do the clients actually need to be set to trust the internal certificate or was that done automatically when it was installed?

Thanks again, I really appreciate your help!!!

Joe
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33511357
since you're only using it internally, you only need to create one on your server

the prompt for credentials is based on where your URLs fall into Internet Explorer zones
yourserver.yourdomain.com should fall into the local intranet zone which allows windows authentication to work

by default, exchange uses a self signed certificate
you should either install the CA role on your server and get a third party cert
you'll need a SAN certificate
here's an article on generating the request (can be used by either CA)
http://msexchangeteam.com/archive/2007/02/19/435472.aspx

0
 

Author Comment

by:JoeBarbone
ID: 33511435
Why are the Internet zones important if we are connected to the local domain? Shouldn't it connect based on the local domain info and not xxx.com?

regarding the A record, where should it be created? Autodiscover.domain.local or autodiscover._msdcs.domain.local?

Thanks!

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33511539
because you want to leverage windows integrated authentication so there are no prompts for credentials. by default the local intranet zone allows for automatic logon.

under the domain.local forward lookup zone
0
 

Author Comment

by:JoeBarbone
ID: 33512227
Ok, I added the record and it seems to have stopped prompting me for the password from the server name, but now it is prompting me for a password from remote.domainname.com

What would the reason for this be? What is trying to get authenticated to remote.domain.com?? and why?

I pinged autodiscover.domain.local and it responded with the server IP so it seems to be working properly.

I flushed DNS on the workstation but it still prompts me for the user credentials for remote.domain.com.

Thanks again.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33512354
from the exchange management shell run the following and post please

get-webservicesvirtualdirectory | fl *URL
get-oabvirtualdirectory | fl *URL
get-clientaccessserver | fl AutoDiscoverServiceInternalUri
get-outlookprovider
0
 

Author Comment

by:JoeBarbone
ID: 33512529
Well, this is probably part of the problem. :)

[PS] C:\Windows\System32>get-webservicesvirtualdirectory | fl *URL
Get-WebServicesVirtualDirectory : Unable to create Internet Information Service
s (IIS) directory entry. Error message is: Access is denied.
. HResult = -2147024891.
At line:1 char:32
+ get-webservicesvirtualdirectory  <<<< | fl *URL
[PS] C:\Windows\System32>
0
 

Author Comment

by:JoeBarbone
ID: 33512811
[PS] C:\Windows\System32>get-clientaccessserver | fl AutoDiscoverServiceInternalUri


AutoDiscoverServiceInternalUri : https://remote.coastalpaincenter.com/Autodisco
                                 ver/Autodiscover.xml



[PS] C:\Windows\System32>
0
 

Author Comment

by:JoeBarbone
ID: 33512822
[PS] C:\Windows\System32>get-outlookprovider

Name                Server              CertPrincipalName   TTL
----                ------              -----------------   ---
EXCH                                                        1
EXPR                                                        1
WEB                                                         1


[PS] C:\Windows\System32>
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33513089
as the article stated, the internal outlook client will use the value from AutoDiscoverServiceInternalUri : https://remote.coastalpaincenter.com/Autodiscover/Autodiscover.xml

to discover the web service urls
that's why you would be prompted with remote.domain.com

you'd want to update this value to your expected value

your error getting the web services is something to look at, and i will post more shortly
0
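
An added example, not part of the original thread: a read-only check that lists each internal URL Exchange publishes to Outlook (the Autodiscover SCP value discussed above plus the EWS and OAB virtual directories), what its host resolves to from this machine, and whether the IIS certificate carries that name. It assumes an elevated Exchange Management Shell on the Exchange 2007 server; the function names Resolve-HostAddress and Test-NameCovered are made up for this example.

```powershell
# Added example. Uses trap instead of try/catch so it also runs on PowerShell 1.0.

function Resolve-HostAddress([string]$HostName) {
    trap { continue }    # unresolvable name: skip the failed lookup, return nothing
    $addresses = @()
    $addresses = [System.Net.Dns]::GetHostAddresses($HostName)
    $addresses | ForEach-Object { $_.IPAddressToString }
}

function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }    # -eq ignores case
        if ($name.StartsWith('*.')) {
            # A wildcard name covers exactly one extra label on the left
            $suffix = $name.Substring(1)             # e.g. ".example.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.ToLower().EndsWith($suffix.ToLower()) -and
                $HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch '\.') {
                return $true
            }
        }
    }
    return $false
}

# Certificate enabled for IIS and every name it carries
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" } | Where-Object { $_ })

# Internal URLs that domain-joined Outlook 2007 clients are told to use
$urls = @()
Get-ClientAccessServer          | ForEach-Object { $urls += $_.AutoDiscoverServiceInternalUri }
Get-WebServicesVirtualDirectory | ForEach-Object { $urls += $_.InternalUrl }
Get-OabVirtualDirectory         | ForEach-Object { $urls += $_.InternalUrl }

$urls | Where-Object { $_ } | ForEach-Object {
    $uri = [System.Uri]"$_"
    $row = New-Object PSObject
    $row | Add-Member -MemberType NoteProperty -Name Url -Value $uri.AbsoluteUri
    $row | Add-Member -MemberType NoteProperty -Name ResolvesTo `
        -Value ((Resolve-HostAddress $uri.Host) -join ', ')
    $row | Add-Member -MemberType NoteProperty -Name NameOnCert `
        -Value (Test-NameCovered $uri.Host $certNames)
    $row | Add-Member -MemberType NoteProperty -Name SelfSigned -Value $iisCert.IsSelfSigned
    $row
} | Format-Table -AutoSize
```

A row with NameOnCert False, or an empty or public address under ResolvesTo, marks a URL where internal clients will hit a certificate warning or leave the LAN before they authenticate.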
 

Author Comment

by:JoeBarbone
ID: 33513542
So regardless if the PC is connected locally to the domain or not, it will always look for the value in autodiscovery?

Now, remote.coastalpaincenter.com is valid and is the way I connect remotely. Having said that, what do I need to change and where should I change it in order for it to get what it needs? Even when I type in the correct password for the user, it still doesn't work.

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33513703
when it is connected to the domain it will look for the scp which is this uri value
when it cannot find the scp it will use the default domain.com and autodiscover.domain.com

you could create an internal dns record for that fqdn that uses an internal ip address
0
 

Author Comment

by:JoeBarbone
ID: 33513720
oh, in other words, create an A Record in my local DNS for remote.domain.com and point to the internal file server?

0
 

Author Comment

by:JoeBarbone
ID: 33513753
Oh wait, that won't work. The email domain is different from the local domain and the message that pops up is looking for the email domain (which used to be the local domain until the server upgrade)
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33513766
yes, then autodiscover should work for the outlook client
then it will be a matter of web services
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33513791
do you have an internal dnz zone from the email domain, and if not can you create one that contains all external dns records
0
 

Author Comment

by:JoeBarbone
ID: 33514073
I'm not sure what happened just now, but I tried to create an A Record for remote.coastalpaincenter.com, but forgot it's not the same zone so it created a record in the com portion of coastal.local which is the name of our local domain.

I do not recall if remote.coastalpaincenter.com existed as a separate zone or not and I deleted it. Then I realized it may have been there because that is what our email domain is named, so I recreated the zone and pointed the address to the file server.

However, from WITHIN the domain environment, when I ping remote.coastalpaincenter.com it returns the address of the file server.  Pinging the same address from outside of the environment provides the outside WAN address. Is this how it should be?
0
 

Author Comment

by:JoeBarbone
ID: 33514164
DNZ or DMZ? Either way, I do not believe so. Where/how does that get created?

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33514218
yes, inside should have the LAN address and outside the WAN
0
 

Author Comment

by:JoeBarbone
ID: 33514332
Then yes, it seems to be working properly.
0
 

Author Comment

by:JoeBarbone
ID: 33514479
however, all of that being said, I'm still receiving the request to login.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33514568
now try browsing to
https://yourserver.domain.local/ews/exchange.asmx

you should get no certificate errors or login prompt, otherwise we need to look at the settings (which gave an error earlier)
0
 

Author Comment

by:JoeBarbone
ID: 33514755
I tried it with my local domain and it does not work. It prompts me with the certificate message, but when I click ok I get the login box but user credentials do not work.

Now, keep in mind, my mail domain is different from the local domain. local is coastal.local, the mail domain is coastalpaincenter.com.

Something interesting to note, I cannot get a 2007 Outlook profile in a new setup to find the auto settings. it says it cannot find the server. Even if I specify the servername.coastal.local, it fails to resolve the user name when setting up Outlook.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33515215
are you using domain\username?
what zone does the URL fall into, local intranet, internet?

try one more time
Get-WebServicesVirtualDirectory | fl *url
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33515284
let's determine what your internal URLs should be then you can run the following

Set-WebServicesVirtualDirectory SERVER\EWS* -InternalURL https://servername.domain.local/EWS/Exchange.asmx

Set-OabVirtualDirectory SERVER\OAB* -InternalURL https://servername.domain.local/OAB

Set-UMVirtualDirectory SERVER\Unified* -InternalURL https://servername.domain.local/UnifiedMessaging/Service.asmx

I believe you set up the internal record for remote.domain.com to resolve internally, so you could use https://server.domain.com/... for each
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33515305
sorry... an update
Set-WebServicesVirtualDirectory SERVER\EWS* -InternalURL https://servername.domain.local/EWS/Exchange.asmx -BasicAuthentication:$true -WindowsAuthentication:$true
0
 

Author Comment

by:JoeBarbone
ID: 33515342
Same thing, access is denied, see below.

Also, yes, when prompted for user credentials, I am using domain\user name.


I'm not sure how to tell what zone it's in. I attached a screen cap of my DNS tree.
 


Welcome to the Exchange Management Shell!

Full list of cmdlets: get-command
Only Exchange cmdlets: get-excommand
Cmdlets for a specific role: get-help -role *UM* or *Mailbox*
Get general help: help
Get help for a cmdlet: help or -?
Show quick reference guide: quickref
Exchange team blog: get-exblog
Show full output for a cmd: | format-list

Tip of the day #38:

Do you want to move the storage group path to another location? Type:

Move-StorageGroupPath -LogFolderPath DestLogFolder

To change only the path setting without moving data, use this command together w
ith the ConfigurationOnly parameter. This command is especially useful for disas
ter recovery. Caution: Misuse of this cmdlet will cause data loss.

[PS] C:\Windows\System32>get-WebServicesVirtualDirectory | fl *url
Get-WebServicesVirtualDirectory : Unable to create Internet Information Service
s (IIS) directory entry. Error message is: Access is denied.
. HResult = -2147024891.
At line:1 char:32
+ get-WebServicesVirtualDirectory <<<< | fl *url
[PS] C:\Windows\System32>

dns.jpg
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33515364
can you start the shell by right-clicking it and running as administrator

the zone for IE appears in the bottom right center (not centered and not all the way to the right)
0
 

Author Comment

by:JoeBarbone
ID: 33515497
Do you want me to run this command now?

Set-WebServicesVirtualDirectory SERVER\EWS* -InternalURL https://servername.domain.local/EWS/Exchange.asmx -BasicAuthentication:$true -WindowsAuthentication:$true
0
 

Author Comment

by:JoeBarbone
ID: 33515603
That info isn't displayed on my IE Status bar. How do I enable it?
0
 

Author Comment

by:JoeBarbone
ID: 33515695
I ran the command as Administrator and it completed successfully, but didn't change anything. See below.
command.jpg
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33515954
I will be back online in a couple hours
we are close
0
 

Author Comment

by:JoeBarbone
ID: 33516011
Excellent, thanks.

Yeah, I'm out of the office soon too, they are kicking me out for the day. :)

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33516864
here is a screenshot of the zone
you can always test by adding your url to the intranet zone
tools - internet options - security tab
highlight local intranet
sites button
advanced button
add the urls
zone.JPG
0
 

Author Comment

by:JoeBarbone
ID: 33517261
Ok, I'll try it when I get home. If that works, would I have to make the entries on every PC?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33517301
No you can use group policy to apply this
0
 

Author Comment

by:JoeBarbone
ID: 33517764
Ok, I added the URLs and it still prompts me for a password, also note that the Protection Mode is Off.

I also checked the box that says: "Require Server Verification"


I added the following sites to the Trusted Sites:

https://remote.coastalpaincenter.com

https://CPC-FS1.coastal.local

What other sites do I need to add?
0
 

Author Comment

by:JoeBarbone
ID: 33517793
Not sure if this helps or not, but, I created a Windows 7 test machine running Outlook 2007 and when I tried to install it, it automatically populated my name and email address, but when it tried to continue, it prompts me for the login credentials and again, nothing works. So, I left it for a little bit and it eventually detected the proper settings.

WTF??? lol.
0
 
LVL 17

Accepted Solution

by:
aoakeley earned 250 total points
ID: 33519188
Hi,
@endital1097 - not trying to steal your thunder, as I see you have been working very hard.

@JoeBarbone you really do need to get Exchange Update Rollup 9 or higher installed on your exchange server

Demazter has written a short but accurate article on this which can be found here.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2300-Outlook-continually-prompting-for-username-and-password.html

I admit to not having read every post in depth so I apologise in advance if I have missed the post where you got the update applied.

Andy
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 33520095
0
 

Author Comment

by:JoeBarbone
ID: 33521750
If I install Exchange 2007 SP2, will I still need to install the Rollup 9?

I tried installing Rollup 9 but it failed stating it could not modify RelNotes.htm.

Thanks!

Joe
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33522240
no, you should apply update rollup 4 for sp2
0
 

Author Comment

by:JoeBarbone
ID: 33525908
I will try to install SP2 this evening and I'll post the results afterwards.

Joe
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 33526889
Make sure you use the sbs tool to install sp2 as per the notes. Take full backup of server first.
0
 

Author Comment

by:JoeBarbone
ID: 33528074
I've actually decided to wait on the installation. I am going out of town this weekend and don't want to take a chance on something not working properly.

I will run the update with the help of the installation tool when I return and I'll post the results.

Until then, thank you for your help, especially endital.

Have a great weekend.
0
 

Author Comment

by:JoeBarbone
ID: 33590183
FYI I was able to install Rollup 9 by "Approving it". Once Rollup 9 was installed, the prompting stopped.

I'll update more in a few days.
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 33592916
Awesome. Was pretty sure that would work.
0
 

Author Closing Comment

by:JoeBarbone
ID: 33954407
Thank you to all that helped.
0
