reindeerauto asked:

Outlook 2007 keeps asking for password

I recently created a new 2008 R2 domain with Exchange 2010. I unjoined all PCs from our old SBS 2003 domain and rejoined them to the new domain. Since then all PCs with Outlook 2007 on them ask for passwords every time they open Outlook. I also get an error when running send/receive that points to the offline address book, and lastly I have 2 PCs with Outlook 2007 that, when they try to open OOF, get an error saying the server is unavailable.
jerrypd

Did you repoint the Outlook clients to the new server?
It sounds like you may have missed that step.
reindeerauto (ASKER)

Yes once I rejoined the PC, I repointed the clients to the new server and when it is asking for a password it is showing the new server's name at the top of the password box.
Firoj Khan
Please create a new Outlook Profile and try
Sounds like autodiscover is not set up properly.
I have tried creating a new Outlook profile and that did not work. I have uninstalled and reinstalled Office and that works for a few days then it starts asking for the password again. I have even tried deleting the domain profile off of the PC and recreating it.

How would I check if autodiscover is set up properly?
Time to test Outlook autoconfig:
With Outlook open, hold down the CTRL key and right click on the Outlook icon in the bottom right hand side of your screen, then on the popup menu select "Test Autoconfiguration". Select that, enter valid credentials and select the "autodiscover" option only and test.

Look at the URLs returned by the test  and confirm you have a certificate that contains the same subject as the URLs
The results tab says it was unable to determine your settings, and the log tab shows the URL's and I have them all listed on my cert. The only difference is that I have rarexchange.reindeerauto.local and the results show RAREXCHANGE.reindeerauto.local, is it case sensitive?
Are the machines and users in the same domain as the Exchange 2010 server?

Is Outlook 2007 patched to the latest levels? Do they have the Dec 2010 hotfix installed: http://support.microsoft.com/kb/983316 
Install the above hotfix on a problem machine and then if that doesn't work, post your autodiscover test log and hide your company details if you want.
Run through the checklist on the site below, there are 3 or 4 things on there that may resolve this.

http://www.techieshelp.com/outlook-prompts-for-credentials/
I have all updates and hotfixes installed.

I ran through the checklist Zippy and I am running Exchange 2010 but I did notice that all authentication in RPC virtual directory is disabled as well as the RPCwithcert directory.
results from test AutoConfiguration

LegacyDN=
SMTP=bob@reindeerauto.local
Attempting URL https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml starting
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml starting
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local autodiscover for reindeerauto.local starting
Local autodiscover for reindeerauto.local FAILED (0x8004010F)
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x8004005)
Srv Record lookup for reindeerauto.local starting
Srv Record lookup for reindeerauto.local FAILED (0x8004010F)
AUTODISCOVER GET SETTINGS END
Is rarexchange.reindeerauto.local on your certificate? If you ping that name does it resolve internally to the internal IP address of your Exchange 2010 CAS server?
Yes that is listed on my certificate and when I ping it I get the IP address of the Exchange Server.
Confirm you are getting the INTERNAL ip address back

As a test can you create a new test user with a mailbox, send it a message. Then, logon as that test user and open Outlook and see if Autodiscover works or gives you the same error.
Yes it pings to an internal IP address.

I created the new user, logged in as that user and Outlook 2007 did not find the user using autodiscovery.
Ok, test the autodiscovery for Outlook and see if it gets the same error when trying to access the SCP URL

Try and access the SCP URL yourself from IE and see if it prompts you for a password, after entering the test account credentials you should see the contents of the autodiscover.XML file
To try the SCP URL, don't I just replace http with SCP?
Here is what pops up:

<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="13:05:58.0438120" Id="952582034">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>
Good. That is what you want to see.
1.) Did it prompt for credentials or not?
2.) Did you get a certificate error or not?
3.) Was the URL from an Internet PC that is not joined to your work network?
1. Yes it did prompt for credentials
2. No I did not get a certificate error
3. I ran the URL from a PC joined to the network
From EMS try
Get-clientaccessserver | fl
And then look at the autoDiscoverInternalUri what is it set to?

Have a look at the test account with ADSIEdit and see if it has a msExchQueryBaseDN value set?
The autodiscoverinternaluri is: https://rarexchange.reindeerauto.local/autodiscover/autodiscover.xml

And where do I run the ADSIEdit at?
Start--> run --> adsiedit.msc

Try adding a SRV DNS record to your internal DNS:
http://support.microsoft.com/kb/940881
So I created a SRV record in my reindeerauto.local/tcp as autodiscover and pointed it to rarexchange.reindeerauto.local.

Is this correct?
I reran the "test email autoconfiguration" and here are the results. Outlook 2007 is still asking for a password.

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Bob Albertson</DisplayName>
      <LegacyDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Bob Albertson03b739f2</LegacyDN>
      <AutoDiscoverSMTPAddress>bob.albertson@reindeerauto.com</AutoDiscoverSMTPAddress>
      <DeploymentId>eaf9eea2-c843-4696-9fa7-b68c3b61a646</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>RAREXCHANGE.reindeerauto.local</Server>
        <ServerDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE</ServerDN>
        <ServerVersion>738180DA</ServerVersion>
        <MdbDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>RAREXCHANGE.reindeerauto.local</PublicFolderServer>
        <AD>RARDC2.reindeerauto.local</AD>
        <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://rarexchange.reindeerauto.local/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://rarexchange.reindeerauto.local/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://rarexchange.reindeerauto.local/OAB/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.reindeerauto.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
        <EwsUrl>https://mail.reindeerauto.com/ews/exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://mail.reindeerauto.com/ews/exchange.asmx</OOFUrl>
        <UMUrl>https://mail.reindeerauto.com/ews/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://mail.reindeerauto.com/OAB/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://rarexchange.reindeerauto.local/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
Start Outlook with /rpcdiag
See what Outlook is connecting to when it prompts for credentials.
Does it continuously prompt for credentials?
When I run the /rpcdiag it is looking at "rarexchange.reindeerauto.local", and yes it always prompts for credentials when we open Outlook 2007.

Also Outlook Anywhere is checked, but if I uncheck it and then restart Outlook 2007 it is checked again. We have one computer in the building with Office 2007 that is not having this problem and the only difference is that Office has not installed service pack 2 yet.
I removed the Autodiscover VD and then recreated it and Autodiscover is now working.
Glad to hear you got it sorted.
Ok so I removed the Autodiscover VD and recreated and it worked, now Autodiscover has stopped working again. And the whole time it worked it kept prompting for username and password again for outlook 2007 users.

Any suggestions?
Does
Outlook /rpcdiag
Show Outlook connecting over TCP/IP or HTTP?

How do I tell?

I did find one thing out.

I have taken 2 different outlook 2007 clients and one autoconfigured to "user@reindeerauto.com" email address and the other was "user@reindeerauto.local".

The .com user does not get asked for a password and their Outlook Anywhere is turned off but their OOF does not work and they fail the "test e-mail autoconfiguration"

the .local user is asked for a password, their OOF works and they pass the "test e-mail autoconfiguration"
Is the .local user prompted for the password all the time?

Try
Start--run--> outlook /rpcdiag
And see if one connects over http and the other connects over TCP/IP?
Yes every time you open Outlook 2007 on the .local user they are prompted for a username and password.

I did the outlook /rpcdiag and it shows TCP/IP
Are they only prompted once and that is only when they open Outlook? Have you checked the Outlook authentication settings to see if it using Basic authentication? Try changing it to NTLM.

With the .com user, where did the Autoconfiguration fail? Adding an internal DNS zone for reindeerauto.com with a SRV record pointed at your CAS server will resolve that OOF and Autoconfiguration issue. Make sure that anything you add to the internal .com dns zone points at internal IP addresses for internal resources e.g. If you have an (A) record for mail.reindeerauto.com then this must point at the internal IP address of your Exchange CAS server.
Yes they are prompted when they open Outlook, but Outlook Anywhere is turned on and it shouldn't be since we are in the LAN, but it is set to basic and when I change it or uncheck Outlook Anywhere it automatically changes it back.

Here is the entire report.
LegacyDN=
SMTP=bob@reindeerauto.local
Attempting URL https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml starting
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml starting
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local autodiscover for reindeerauto.local starting
Local autodiscover for reindeerauto.local FAILED (0x8004010F)
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x8004005)
Srv Record lookup for reindeerauto.local starting
Srv Record lookup for reindeerauto.local FAILED (0x8004010F)
AUTODISCOVER GET SETTINGS END
MegaNuk3,

I don't know a lot about DNS, should this record be an "_autodiscover SRV record pointing to RAREXCHANGE.reindeerauto.local" located in the _tcp or reindeerauto.com DNS?
Add a SRV record to both internal DNS zones and point it at a name on your cert that is internally resolvable to the IP address of your CAS server.

So if mail.reindeerauto.com is a name on your cert and it resolves internally to the internal IP address on your cert, then point the SRV records at that.

Don't worry about Outlook Anywhere configuring itself, that is Outlook picking up the settings from autodiscover, it does not mean Outlook is connecting over HTTP - outlook /rpcdiag will prove outlook is connecting over TCP/IP even though the Outlook Anywhere settings are present.
I have 2 SRV records already.

_autodiscover  SRV  RAREXCHANGE.reindeerauto.local
Ok, are those SRV records in the following INTERNAL DNS zones reindeerauto.com and reindeerauto.local and is that name rarexchange.reindeerauto.local on your certificate?
Do
Get-exchangecertificate | fl
And post the output

Can you also post the output of
Get-autodiscoverVirtualdirectory | fl
Can you screenshot your SRV record in DNS too please
Yes they are in both internal DNS zones and yes rarexchange.reindeerauto.local is on my cert.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.reindeerauto.com, www.mail.reindeerauto.com, autodiscover.reindeerauto.com, rarexchange, rar
                     exchange.reindeerauto.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2/20/2016 2:53:01 PM
NotBefore          : 2/21/2011 2:49:32 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 0412FEAE3D8318
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.reindeerauto.com, OU=Domain Control Validated, O=mail.reindeerauto.com
Thumbprint         : 7683CD77BD29CB5DC444E7B5F8F7C8D086CDA39A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {RAREXCHANGE, RAREXCHANGE.reindeerauto.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=RAREXCHANGE
NotAfter           : 2/20/2016 3:41:35 PM
NotBefore          : 2/20/2011 3:41:35 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1910EBC470F02689498B24913EADF4DE
Services           : SMTP
Status             : Valid
Subject            : CN=RAREXCHANGE
Thumbprint         : E42817C397B73445289636A876270155CE09D988


RunspaceId                      : 4ec9fd4a-6282-4e83-967f-6c927a2a6c5f
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : False
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://RAREXCHANGE.reindeerauto.local/W3SVC/1/ROOT/Autodiscover
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     :
ExternalUrl                     :
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=
                                  Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ReindeerA
                                  uto,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=reindeerauto,DC=local
Identity                        : RAREXCHANGE\Autodiscover (Default Web Site)
Guid                            : 58f2b2fe-f3a5-4bf5-9a53-9bdad5660d6d
ObjectCategory                  : reindeerauto.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 3/4/2011 2:02:44 PM
WhenCreated                     : 3/4/2011 2:02:44 PM
WhenChangedUTC                  : 3/4/2011 7:02:44 PM
WhenCreatedUTC                  : 3/4/2011 7:02:44 PM
OrganizationId                  :
OriginatingServer               : RARDC1.reindeerauto.local
IsValid                         : True
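
Added example (not part of the original thread and not any poster's code): the name check suggested earlier in the thread, run over the Test E-mail AutoConfiguration log and the CertificateDomains list posted above. The function names are hypothetical; the log excerpt and the name list are copied from the posts.

```powershell
# Added example; function names are hypothetical. The data below is copied from
# the Get-ExchangeCertificate and Test E-mail AutoConfiguration output above.

# CertificateDomains of the certificate whose Services include IIS.
$certDomains = @(
    'mail.reindeerauto.com', 'www.mail.reindeerauto.com',
    'autodiscover.reindeerauto.com', 'rarexchange',
    'rarexchange.reindeerauto.local'
)

# Excerpt of the autoconfiguration log (one line per URL that Outlook tried).
$autoconfigLog = @'
Attempting URL https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x8004005)
'@

function Test-CertCoversName {
    param([string]$HostName, [string[]]$Domains)
    foreach ($d in $Domains) {
        # DNS names compare case-insensitively, so RAREXCHANGE and rarexchange
        # are the same name; -ieq makes that explicit.
        if ($d -ieq $HostName) { return $true }
        # A wildcard entry (*.example.com) covers exactly one left-most label.
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-AutodiscoverNameReport {
    param([string]$LogText, [string[]]$Domains)
    $order = @()   # keeps the URLs in the order Outlook tried them
    $rows  = @{}
    foreach ($line in ($LogText -split '\r?\n')) {
        if ($line -match 'https?://\S+') { $url = $Matches[0] } else { continue }
        $uri  = [uri]$url
        $name = $uri.Host.ToLowerInvariant()
        $key  = $uri.Scheme + '://' + $name
        if (-not $rows.ContainsKey($key)) {
            if ($uri.Scheme -eq 'https') {
                $onCert = [string](Test-CertCoversName $name $Domains)
            } else {
                # The plain-HTTP redirect check involves no certificate.
                $onCert = 'n/a (no TLS)'
            }
            $rows[$key] = New-Object PSObject -Property @{
                Url = $key; OnCertificate = $onCert; LastResult = 'none logged'
            }
            $order += $key
        }
        # Record the most recent failure code logged for this URL, if any.
        if ($line -match 'FAILED \(0x[0-9A-Fa-f]+\)') {
            $rows[$key].LastResult = $Matches[0]
        }
    }
    foreach ($k in $order) {
        $rows[$k] | Select-Object Url, OnCertificate, LastResult
    }
}

Get-AutodiscoverNameReport $autoconfigLog $certDomains | Format-Table -AutoSize
```

A row that is on the certificate and still fails, such as the SCP URL here, points away from a certificate name mismatch; rows that are not on the certificate are the names a client would warn about if a server answered on them with this certificate.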
ASKER CERTIFIED SOLUTION
MegaNuk3

This solution is only available to members.
I made the changes you advised to make, and have been running the "test e-mail autoconfig" and it is still failing.
Can you post the test autoconfig please.

Can you also create a new test user with a mailbox and then logon to windows as that user and then see if outlook configures itself correctly for this user and see if it password prompts or not...
SOLUTION
This solution is only available to members.
It passed the test thank you.

But the OOF still gets the "your out of office settings cannot be displayed, because the server is currently unavailable. try again later" error.
Look at the EWS URLs returned in the autoconfig test and possibly change them to the mail.reindeerauto.com name too.
SOLUTION
This solution is only available to members.
When you say change the EWS URL's to mail.reindeerauto.com, did you mean in DNS?

I went into IIS EWS VD and set to ignore it was on accept, that fixed the OOF issue.

Should OAB be set to ignore also?

And here are the results of the test

[PS] C:\Windows\system32>Test-outlookwebservices bob.albertson@reindeerauto.com |fl

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1019
Type       : Information
Message    : A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://RA
             REXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1006
Type       : Information
Message    : Contacted the Autodiscover service at https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml
             .

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1016
Type       : Information
Message    : [EXCH] The AS is configured for this user in the Autodiscover response received from https://RAREXCHANGE.r
             eindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1015
Type       : Information
Message    : [EXCH] The OAB is configured for this user in the Autodiscover response received from https://RAREXCHANGE.
             reindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1014
Type       : Information
Message    : [EXCH] The UM is configured for this user in the Autodiscover response received from https://RAREXCHANGE.r
             eindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1016
Type       : Information
Message    : [EXPR] The AS is configured for this user in the Autodiscover response received from https://RAREXCHANGE.r
             eindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1015
Type       : Information
Message    : [EXPR] The OAB is configured for this user in the Autodiscover response received from https://RAREXCHANGE.
             reindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1014
Type       : Information
Message    : [EXPR] The UM is configured for this user in the Autodiscover response received from https://RAREXCHANGE.r
             eindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1022
Type       : Success
Message    : Autodiscover was tested successfully.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1024
Type       : Success
Message    : [EXCH] Successfully contacted the AS service at https://rarexchange.reindeerauto.local/EWS/Exchange.asmx.
             The elapsed time was 882 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1026
Type       : Success
Message    : [EXCH] Successfully contacted the UM service at https://rarexchange.reindeerauto.local/EWS/Exchange.asmx.
             The elapsed time was 394 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1024
Type       : Success
Message    : [EXPR] Successfully contacted the AS service at https://mail.reindeerauto.com/ews/exchange.asmx. The elaps
             ed time was 319 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1026
Type       : Success
Message    : [EXPR] Successfully contacted the UM service at https://mail.reindeerauto.com/ews/exchange.asmx. The elaps
             ed time was 145 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1124
Type       : Success
Message    : [Server] Successfully contacted the AS service at https://rarexchange.reindeerauto.local/ews/exchange.asmx
             . The elapsed time was 130 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1126
Type       : Success
Message    : [Server] Successfully contacted the UM service at https://rarexchange.reindeerauto.local/ews/exchange.asmx
             . The elapsed time was 47 milliseconds.
Looking good so far - is everything working now? Yes you can set client certificates to ignore on the OAB VD.
Yes I believe most everything is working correctly now, with one exception. I have a few machines that when I start Outlook 2007 I get the following with Autodiscovery, when I change to my email address it prompts for password and then it finally finishes but every time I open outlook it prompts me for a password and when I try and uncheck "outlook anywhere" or change to "NTLM" close Outlook and reopen it is rechecked and prompts for password.
login.jpg
Test autoconfig on the failing machines
Check their DNS settings
Also try outlook /rpcdiag on them to see if they are connecting over HTTP or not
This machine happens to be mine, and when I connect with my email address and not .local the autoconfig test passed and when I did outlook /rpcdiag it showed TCP/IP.

Not sure what exactly I am looking for in DNS but it all looks correct
What happens if you test autoconfig with the .local address?
Well when I try and set it up that way it comes up with a Security Alert for "autodiscover.reindeerauto.local" and I added the screen shot. Once I get everything set up the "outlook anywhere" will not turn off but it is not prompting me for a password.

I ran "outlook /rpcdiag" and it said it was using tcp

I ran the "Test e-mail AutoConfiguration" and it failed

LegacyDN=
SMTP=bob@reindeerauto.local
Attempting URL https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml starting
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml starting
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local autodiscover for reindeerauto.local starting
Local autodiscover for reindeerauto.local FAILED (0x8004010F)
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x8004005)
Srv Record lookup for reindeerauto.local starting
Srv Record lookup for reindeerauto.local FAILED (0x8004010F)
AUTODISCOVER GET SETTINGS END

alert.jpg
Post a screenshot of the SRV record in the reindeerauto.local DNS zone please. Did you create it like I said?
It's in the wrong place, it should be under reindeerauto.local\_tcp

Left click on reindeerauto.local so it is selected and then create another SRV record, hopefully it will end up in the correct location this time.

If it does end up in the correct location then test the autoconfig again
Ok I made the change and it still fails the test.
Untitled.jpg
Add a full stop after mail.reindeerauto.com so it is mail.reindeerauto.com.
I did that.
Does the autoconfig still fail to Lookup a SRV record at the bottom of the test?
If I change it from "bob@reindeerauto.local" to bob.albertson it passes.
Bob.albertson@reindeerauto.local or bob.albertson@reindeerauto.com?

Basically when you logon to a computer you have never logged onto before Outlook should configure itself and all you should have to do is press Next --> Next --> finish and then Outlook should work.

Can you test that with a new test account and mailbox please?
You can also try the following to reset the SCP (Service Connection Point) by going into EMS and doing:
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverInternalURi "https://mail.reindeerauto.com/autodiscover/autodiscover.xml"

Then try the autoconfig test and hopefully it will find the SCP at the top of the test and not error on that.
I tested the login question with a new account on my PC and it did the same thing "user@reindeerauto.local" and will not connect with autodiscover.

I formatted my PC and reinstalled and still the same thing "bob@reindeerauto.local" so not sure why some discover correctly and others do not when configuring outlook for the first time.
Did you try reset the SCP?
I will try that now. Do I type in the entire command including the URL?
Yep, the whole command with the URL and the quotes all on one line.
Here is the error I got with that command.

[PS] C:\Windows\system32>Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverInternalURi "https://mail.reindeer
auto.com/autodiscover/autodiscover.xml"

A positional parameter cannot be found that accepts argument 'https://mail.reindeerauto.com/autodiscover/autodiscover.x
ml'.
    + CategoryInfo          : InvalidArgument: (:) [Set-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ClientAccessServer

[PS] C:\Windows\system32>
Try
Set-clientaccessserver -server rarexchange -autodiscoverInternalUri "https://mail.reindeerauto.com/autodiscover/autodiscover.xml"

All on one line

[PS] C:\Windows\system32>Set-clientaccessserver -server rarexchange -autodiscoverInternalUri "https://mail.reindeerauto.
com/autodiscover/autodiscover.xml"
A positional parameter cannot be found that accepts argument 'rarexchange'.
    + CategoryInfo          : InvalidArgument: (:) [Set-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ClientAccessServer
Try
Set-clientaccessserver -Identity rarexchange.reindeerauto.local -autodiscoverInternalUri "https://mail.reindeerauto.com/autodiscover/autodiscover.xml"

All on one line
Here is the error from that one, I have tried every variation that I can find and nothing seems to work.


[PS] C:\Windows\system32>Set-clientaccessserver -Identity rarexchange.reindeerauto.local -autodiscoverInternalUri "https
://mail.reindeerauto.com/autodiscover/autodiscover.xml"
A positional parameter cannot be found that accepts argument '-autodiscoverInternalUri'.
    + CategoryInfo          : InvalidArgument: (:) [Set-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ClientAccessServer

[
This should work now

Try
Set-clientaccessserver -Identity rarexchange.reindeerauto.local -autodiscoverServiceInternalUri "https://mail.reindeerauto.com/autodiscover/autodiscover.xml"

All on one line
It seems to have run, it came straight back to the [PS] C:\Windows\system32> prompt
Do
Get-clientaccessserver | fl *autodiscover*
and see if it shows the correct autodiscoverserviceinternaluri and if it does then do the autoconfig test...
No it still fails.
Can you paste it please?
Ok I uninstalled office 2007 and installed office 2010 and it worked correctly. The only issue I am having with it is the Offline address book is taking forever to download which probably means it's locked up.
How long have you left it for? Does it log any errors in the 'Sync Issues' folder?
It has been about 5 min, and I do not see the "Sync Issues" folder in Outlook 2010
You need to click on the "Folder List" button at the bottom of the Navigation pane
There are no Sync Issues.
Is it still stuck? Is it stuck for anyone who tries to download the OAB?

Do EMS:
Get-OABVirtualDirectory |fl *URL*
And post the result.
I .
[PS] C:\Windows\system32>Get-OABVirtualDirectory |fl *URL*


InternalUrl : https://rarexchange.reindeerauto.local/OAB
ExternalUrl : https://mail.reindeerauto.com/OAB



[PS] C:\Windows\system32>
Ok let's change the internalURL
Set-OABVirtualDirectory -internalURL "https://mail.reindeerauto.com/OAB"

when you ping rarexchange.reindeerauto.local from a PC does it reply with the same IP address as when you ping mail.reindeerauto.com?

After making the URL change, restart Outlook and see if can download the OAB
Go to here on your exchange server
 C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB

Open properties on the web.config in the OAB folder, and give Authenticated Users both the read and read and execute permissions. Run an iisreset /noforce on the CAS server

Also make sure Authenticated users at least have read permissions on the OAB folder too
I made the change and it still just hangs.

I get the same IP reply from both.
Ok I followed the path but I have no web.config in the OAB folder, there is an oab.xml but that's it.

I gave Authenticated users read permissions of the OAB folder.
what may also be worth doing is going into the EMC turning off web distribution of your OAB, pressing OK and then waiting 15 minutes... Then turn web distribution on again. then right click on the offline address list in the EMC and choose "Update"
wait 15 minutes
then restart the Microsoft Exchange File Distribution Service on your server (it should be running)

wait 15 minutes
close and re-open outlook and see if it can download the OAB.

If it still hangs, try EMC-->Toolbox-->Best Practice Analyser --> Health Check and see if that reports any OAB errors like folder permissions etc.
The first link asked me for credentials and then gave me a forbidden error, the second link brought up a page of code and the third asked for credentials and then brought up a page of code.
Ok, did the 2nd link prompt for credentials or not?

On your client machine ensure Internet Explorer is set to 'Bypass proxy for local addresses' and also add the cas name/internally resolvable cert names to the proxy exceptions list in IE (Tools-->Internet Options-->Connections-->LAN settings-->Advanced-->Exceptions)

So in your case, add mail.reindeerauto.com and rarexchange.reindeerauto.local to the Proxy exceptions
Mega,

Everything seems to be working except for I cannot get the global address book to finish a download on my machine, I have office 2010.
Does it error or stall?
Just stalls I let it run all weekend and never finished
Mega,

Can this be done in a live environment without disrupting business, or should it be done after hours?
You can change the OAB URL and turn off the HTTPS requirement during business hours as outlook will only try and download the OAB once every 24 hours. I am not asking you to do all 9 steps of my article. Just the part where you change the internal OAB URL and OAB VD SSL requirement (the first bullet point under additional info section)
I saw that in the first part you suggested "Untick 'Enable Web-based Distribution' ", should that be turned off?
You don't need to do all the steps, but you can if you want. Web distribution gets turned back on later.
I followed the first bullet on your list and it still just hangs.
Hmmm, did you restart Outlook after making the change so it picks up the new URL of http:// instead of https://?
Yes and I ran the "test email autoconfiguration" and it shows what I have in Exchange OAB "http://mail.reindeerauto.com/oab"
Ok and did you Untick the "Require SSL" on the OAB VD?
It was not ticked, and "ignore" client certificates is ticked.
If you explore your OAB VD (right click on OAB VD-> explore) is there a GUID folder in there which contains a OAB.XML and .lzx files
Yes there is.
Do a search for *.OAB on that machine and delete these files if they exist. If that doesn't work try a new outlook profile
Ok I removed and recreated the outlook profile and the address book updated, however all day at the bottom of outlook it has read "all folders are up to date, updating address book".
Hmmm and if you do "download address book" in Outlook, does it hang/stall?
Yes it still hangs/stalls
Ok, if you have the Jan 2011 update installed for Outlook 2010 remove it and try the OAB download again

Removing the update should also make outlook detect the users email address instead of the UPN for new profiles too.
Do you have Kb2405793 installed? Consider installing kb2475877
I do not have Kb2405793, and I installed Kb2475877
When did you install the latter one? Today or before? And outlook is still hanging after install?
I installed it today, and yes it is still hanging.
OK here is the next plan of action:
1.) create a new test user with a mailbox
2.) logon to the problem Outlook 2010 machine
3.) confirm Outlook configures itself properly with no additional typing
4.) open Outlook wait till the profile syncs, confirm if it finishes or not
5.) try download the OAB and confirm if it hangs or stalls
I did the above and still the same results, it hangs/stalls.

I looked in the event viewer and found some event ID 9328 and 9126 below is the details.
OABGen encountered error 80070070 while calculating the offline address book for address list '\Global Address List'.  This offline address book won't be available for client download.
- \Default Offline Address Book.
Have you run out of disk space on your OAB generating server? Check c: drive
I was just looking at that now, C is full
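Added example, not part of the original thread: a PowerShell helper that splits an HRESULT such as the 80070070 from event 9328 into its facility and code and, for FACILITY_WIN32 values, asks Windows for the message text. Win32 code 112 (0x70) is ERROR_DISK_FULL, which is why the disk-space question follows from that event. The function name ConvertFrom-HResult is hypothetical.

```powershell
function ConvertFrom-HResult {
    param([Parameter(Mandatory = $true)][string]$Value)

    # Accept "80070070" (as Exchange logs it) or "0x8007203a" (as ADSI prints it).
    $hex = $Value.Trim() -replace '^0x', ''
    $raw = [Convert]::ToInt64($hex, 16)

    # HRESULT layout: bit 31 = failure flag, bits 16-26 = facility, bits 0-15 = code.
    # 2147483648 is bit 31 written in decimal so it is not parsed as a negative Int32.
    $isFailure = ($raw -band 2147483648) -ne 0
    $facility  = [int](($raw -band 0x07FF0000) / 0x10000)
    $code      = [int]($raw -band 0xFFFF)

    # Facility 7 (FACILITY_WIN32) wraps an ordinary Win32 error code, which
    # Windows can translate to text. Other facilities are reported numerically.
    $message = $null
    if ($facility -eq 7) {
        $message = (New-Object System.ComponentModel.Win32Exception $code).Message
    }

    New-Object PSObject -Property @{
        HResult   = '0x{0:X8}' -f $raw
        IsFailure = $isFailure
        Facility  = $facility
        Win32Code = $code
        Message   = $message
    } | Select-Object HResult, IsFailure, Facility, Win32Code, Message
}

# Values taken from this thread: the OABGen error in event 9328 and the
# ADSI error printed by OABInteg further down.
'80070070', '0x8007203a' |
    ForEach-Object { ConvertFrom-HResult $_ } |
    Format-Table -AutoSize
```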
Look in c:\temp for stuff to delete

Or c:\inetpub\logs\logfiles see if any of those directories are huge
I restarted the server due to the page file and looked in those folders and removed what I could but it only gave me 3.4 available Gig.
That should be more than enough to generate the OAB.
Try
Get-offlineaddressbook | update-offlineaddressbook
I ran the above and am trying to download the address book again and it is still hanging.
If you logon to another machine does the problem follow you?
How many Outlook 2010 machines do you have and are they all experiencing the hang/stall when you try and download the OAB?

Are the Outlook 2007 clients affected?
If only one client is affected then enable Outlook logging and we'll see if it logs anything useful:
http://support.microsoft.com/kb/300479
Well it seems that it is only me, so I have enabled logging.
Only you or only you connecting with Outlook 2010?
seems to be only my machine? I tried using the test user this morning on my machine and it did not work.

I logged into a machine with Office 2010 as me that I tested with a user that worked and it did work for me.
On your computer go to c:\users\<your username>\appdata\local\Microsoft\outlook\offline address book
Then rename the <GUID> folder, reopen outlook and try the download of the OAB again and see if a new <GUID> folder gets created in that area
Followed those directions and it just hangs at "Copying offline address book template file."
Did you restart Outlook? And has it created a new <GUID> subfolder? Give it a few mins it can take a while to download the OAB for the first time. My fingers are crossed
It did create a new subfolder, which is empty. I did restart outlook and it just hangs, so far about 6 hours today.
Is that outlook logging doing anything useful? Maybe copy that folder off another machine and then see if outlook can manage to keep it up to date.
From what I have been reading on the Internet this morning, if you have only one machine that won't update no matter who logs on, then the best course of action is to remove that PC from the domain, delete the computer account for it from ADUC and then re-add it back to the domain and then reboot and test the OAB download.

Are you willing to try the above?
I will try it first thing tomorrow and see what happens.
Ok - fingers crossed
I removed it from the domain, deleted the PC from the domain and then re-joined the domain.

The thing still hangs
Grrrr, this is annoying.

Try this:
Close Outlook, go into control Panel --> mail -->profiles then select your profile and put a space on the end of the server name then press check names so it underlines again. Next next finish. Open outlook and try the OAB download.

If the above doesn't work:
Give your AD account 'Full Control' on the ClientAccess\OAB folder on the CAS server and see if that wakes Outlook up.
when you click mail/profiles (show profiles), it does not give you the option to do that. It does not show a "server name".

If I go into email accounts it shows "microsoft exchange"
Go into the Exchange Account settings
That did not work it still hangs.

And I am an administrator.
Have you considered uninstalling outlook 2010 and installing outlook 2007 to verify if the problem exists there?
Or before reinstalling Outlook have a look at using OABInteg to see if that sheds any light on the issue:
http://archive.msdn.microsoft.com/oabinteg/Release/ProjectReleases.aspx?ReleaseId=726

There is a usage doc on that web site, but here is another one:
http://www.msexchange.org/articles/Offline-Address-Book-Integrity-OABInteg-Utility-Explained.html
I had 2007 previous when this problem was happening so I uninstalled 2007 and installed 2010 and still having the issue.

I ran the OABinteg not sure if I did it correct but here are the results

OABInteg (Offline Address Book Integrity Checker)
Version : 1, 0, 0, 1
OABInteg
Microsoft Corporation, Copyright (C) 2005
=====================================================

c:\OABinteg.txt has been opened for writing.

Program started at: 11:03:05 AM
Running OABInteg on: RAREXCHANGEUnable to obtain username.
Trying to connect to: GC://ehvms01

Failure ADsOpenObject
ADSI Error: hr = 0x8007203a
LDAP_SERVER_DOWN - ERROR_DS_SERVER_DOWN: Cannot contact the LDAP server...

Failure in function: HrGetRootDSEData on line number: 165

Performing cleanup.
Exiting application.


C:\Users\administrator.REINDEERAUTO\Desktop>
Ignore OABInteg as it only checks PF distribution.

Try this command and post the result:

C:\Windows\System32\inetsrv>appcmd.exe list config /section:WindowsAuthentication

All on one line
C:\Windows\System32\inetsrv>appcmd.exe list config /section:WindowsAuthenticatio
n
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="false" useKernelMode="false">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
        <extendedProtection>
        </extendedProtection>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

C:\Windows\System32\inetsrv>
Ok, that looks good.
What does
C:\Windows\System32\inetsrv>appcmd.exe list config "Default Web Site/OAB" /section:WindowsAuthentication

Result in?
Also can you do:
Set-eventloglevel "<ex server name>\msexchangeSA\OAL Generator" -level Medium

Then run
Get-offlineaddressbook | update-offlineaddressbook
And watch the application event log for errors & warnings. Restart msexchangeFDS and watch event log again.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.REINDEERAUTO>cd\

C:\>cd windows

C:\Windows>cd system32/inetsrv

C:\Windows\System32\inetsrv>appcmd.exe list config "Default Web Site/OAB" /secti
on:WindowsAuthentication
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="true">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
        <extendedProtection tokenChecking="None">
        </extendedProtection>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

C:\Windows\System32\inetsrv>
Here is the only error in Application errors.
 User generated image
Is exchangeFDS the File distribution?
Yes FDS is File Distribution

Go into IIS click on the OAB then authentication, select windows auth, then right click on it --> advanced settings and UNTICK "enable kernel mode..." ok

Try download the OAB then. If that fails do an iisreset on the server, confirm the kernel mode auth is still off and then try the OAB download again
The tick mark is grayed out.
Try using %windir%\system32\inetsrv\appcmd unlock config -section:WindowsAuthentication

And then try Untick that box.
here is what I put in the command line with the results and the tick is still grayed out.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.REINDEERAUTO>%windir%\system32\inetsrv\appcmd unlock conf
ig -section:WindowsAuthentication
Unlocked section "system.webServer/security/authentication/windowsAuthentication
" at configuration path "MACHINE/WEBROOT/APPHOST".

C:\Users\administrator.REINDEERAUTO>
Try:
C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site/OAB" /section:WindowsAuthentication -useKernelMode="false"
I ran the command and got the following error.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.REINDEERAUTO>cd c:\windows\system32\inetsrv

c:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site/OAB" /sectio
n:WindowsAuthentication -useKernelMode="false"
ERROR ( message:Unknown attribute "useKernelMode=false".  Replace with -? for he
lp. )

c:\Windows\System32\inetsrv>
C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site/OAB" /section:WindowsAuthentication -useKernelMode:false /commit:apphost

You may need an iisreset after that and then confirm the kernel mode box is unticked.

You can also use
Appcmd list config "default web site/OAB" -section:WindowsAuthentication

To confirm the useKernelMode="false"

Do an iisreset and then attempt to download the OAB on your Outlook 2010 machine.
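Added example, not part of the original thread: a PowerShell sketch that parses `appcmd list config` output and lists where the OAB virtual directory's Windows Authentication settings differ from the server level, so a troubleshooting change such as the useKernelMode one can be checked against a recorded baseline. The sample XML is condensed from the two outputs pasted earlier in this thread (before the change); the function name Get-WindowsAuthSummary is hypothetical.

```powershell
# Sample input, condensed from the two appcmd outputs pasted in this thread.
$serverXml = @'
<system.webServer><security><authentication>
  <windowsAuthentication enabled="false" useKernelMode="false">
    <providers><add value="Negotiate" /><add value="NTLM" /></providers>
    <extendedProtection></extendedProtection>
  </windowsAuthentication>
</authentication></security></system.webServer>
'@
$oabXml = @'
<system.webServer><security><authentication>
  <windowsAuthentication enabled="true" useKernelMode="true">
    <providers><add value="Negotiate" /><add value="NTLM" /></providers>
    <extendedProtection tokenChecking="None"></extendedProtection>
  </windowsAuthentication>
</authentication></security></system.webServer>
'@

function Get-WindowsAuthSummary {
    param([string]$Scope, [string]$AppcmdXml)

    $auth = ([xml]$AppcmdXml).SelectSingleNode('//windowsAuthentication')
    if (-not $auth) { throw "No windowsAuthentication element for scope '$Scope'" }

    # Provider order matters to clients, so keep it as listed.
    $providers = @($auth.SelectNodes('providers/add') |
        ForEach-Object { $_.GetAttribute('value') })

    # tokenChecking may be absent, as in the server-level output above.
    $ep = $auth.SelectSingleNode('extendedProtection')
    $tokenChecking = '(not set)'
    if ($ep -and $ep.HasAttribute('tokenChecking')) {
        $tokenChecking = $ep.GetAttribute('tokenChecking')
    }

    New-Object PSObject -Property @{
        Scope         = $Scope
        Enabled       = $auth.GetAttribute('enabled')
        UseKernelMode = $auth.GetAttribute('useKernelMode')
        Providers     = $providers -join ','
        TokenChecking = $tokenChecking
    } | Select-Object Scope, Enabled, UseKernelMode, Providers, TokenChecking
}

$server = Get-WindowsAuthSummary 'server level' $serverXml
$oab    = Get-WindowsAuthSummary 'Default Web Site/OAB' $oabXml

# Report only the settings the OAB virtual directory sets differently.
foreach ($name in 'Enabled', 'UseKernelMode', 'Providers', 'TokenChecking') {
    if ($server.$name -ne $oab.$name) {
        '{0}: server={1}  OAB={2}' -f $name, $server.$name, $oab.$name
    }
}
```

On a live server, replace the sample strings with the joined output of the same `appcmd.exe list config ... /section:WindowsAuthentication` commands used in the thread.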
The box is now unticked and it is still hanging.
Can you confirm if you have any file level AV on the server that the OAB directories are excluded from scanning.
Try outlook /cleanprofile
Then try download the OAB again
I do not have any file level AV, plus I have other users with 2010 that have no issues.

I do not know where to do the command "outlook /cleanprofile"
Close outlook
Then on your machine do
Start-->Run-->Type "outlook /cleanprofile" without the quotes
Then press enter

Then when outlook opens try to download the OAB
It says the command line is not valid
Looks like it is no longer supported under outlook 2010...

Close outlook, go into
%userprofile%\appdata\local\Microsoft\outlook
 Create a new folder in there and move all the .OAB files and any files that begin with "~" into the folder

Open outlook and try and download the OAB
I do not have any files that begin with "~"
Not even in the subfolders of "\Offline Address Books"?
nope have one that starts with "be" but that is it.
Can you screenshot that folder and the offline address books folder and subfolder please? Sort on date with newest at the top.

Can you also open regedit on your machine and see if there is anything under the following key:
Hkey_current_user\software\Microsoft\exchange\exchange Provider\OABs?
If there is, export the subkeys under the OABs key and then delete them and restart outlook and try the OAB again
User generated image
I deleted the subkey and retried and it just hangs.
outlook.jpg
Can you open the be... Folder and screenshot it's contents please.
its empty.
Delete it and then restart Outlook, down load OAB and see if the folder gets updated and see if the reg keys update too...

Can you also try logging onto Windows as that test account ( with mailbox ) and confirm the same thing occurs?


If it does, then I am afraid it's time to manually deploy the OAB files to Outlook and see if it can keep them up to date:
http://technet.microsoft.com/en-us/library/ff969354.aspx
One more thing to try before you do the manual OAB procedure...

When outlook creates the empty <GUID> subfolder can you create an empty text file in there and rename it to OAB.XML and then restart Outlook and try the OAB download.

If that fails, then it is definitely time to perform a manual OAB update... Sorry...
Thanks for the points. Did you manage to get outlook to download the OAB in the end?
You deserved them wish I could have done more, you were very helpful.

It still says updating address book all the time at the bottom of Outlook, but any new employees I add to the network are showing up in the global address book so to me it's working.

Thanks again for the help.
If you want, feel free to open a new question about your Outlook OAB download issue to see if any experts have any fresh ideas on how to resolve it.