Solved

Exchange 2010 - LAN users being prompted for username/password

Posted on 2011-03-04
Last Modified: 2012-09-17
Got an issue with a fresh Exchange 2010 install. One Exchange server with all roles installed.

When users open up their Outlook client (Outlook 2007), they are continually prompted for their username/password. Furthermore... it will not accept their correct credentials, and you have no choice other than to hit cancel a few times and then Outlook works as usual. They will continue to get prompted sporadically throughout the day.

We have correctly configured Autodiscover and installed a valid SAN cert with all the correct names. OWA, ActiveSync and Outlook Anywhere (for users outside the office) all work fine. This only affects local LAN users on the Domain.

At a loss, I opened a Microsoft support case and have been working with them for 4 days now... and they themselves are currently stumped.

After a week of troubleshooting; here's what we know....

1) Any users running an Outlook 2010 client do not get prompted and work fine.
2) Any members of the "Domain Admins" group do not get prompted and work fine.

The above are obviously not valid solutions....but a "work around" so to speak found solely through troubleshooting.

I am posting this question here, if not for anything else, for chronicling purposes to look back on when this issue inevitably raises its head for another client and to help out all those who I know are experiencing this same issue as well.

If you have any comments or suggestions that may aid in resolving this ... I'd love to hear them!
Question by:Italia_NYC
24 Comments
 
LVL 28

Expert Comment

by:sunnyc7
Usual suspect:
a) Check if Exchange autodiscover Internal URLs are configured appropriately to local exchange server / CAS Array
b) Check if there is a certificate mismatch.

Tests:
a) ExBPA
Download and run this
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=dbab201f-4bee-4943-ac22-e2ddbd258df3&displaylang=en

b) ExRCA
www.testexchangeconnectivity.com
Run all tests one by one.

Output required;
get-clientaccessserver | fl
get-autodiscovervirtualdirectory | fl
get-exchangecertificate | fl

Please post the results.

thanks

LVL 1

Expert Comment

by:dcraft
Had a similar issue last month with Outlook 2007 clients. Don't know about 2010.

Microsoft had issued a KB2412171 last month that made Outlook 2007 users get a logon prompt repeatedly. Simply uninstall the KB2412171.

LVL 2

Author Comment

by:Italia_NYC
Sunny - The first thing we did was run the ExBPA. Test clean...no errors at all...

Regarding the www.testexchangeconnectivity.com site... the only test out of all of them that failed was the "Synchronization, Notification, Availability, and Automatic Replies (OOF) " test.
 
Get-ClientAccessServer:

RunspaceId                           : b120b8bc-b13e-4dba-88f5-39c932eb83c5
Name                                 : RIZZNETEX10SRV1
Fqdn                                 : rizznetex10srv1.rizznetworks.com
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : rizznetex10srv1
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://mail.rizznetworks.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : D:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=RIZZNETEX10SRV1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT)
                                       ,CN=Administrative Groups,CN=Rizznetworks,CN=Microsoft Exchange,CN=Services,CN=C
                                       onfiguration,DC=rizznetworks,DC=com
Identity                             : RIZZNETEX10SRV1
Guid                                 : 24e684c8-4161-44c0-a15f-15e8ab6a3f81
ObjectCategory                       : rizznetworks.com/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 12/6/2010 3:45:32 PM
WhenCreated                          : 5/13/2010 3:11:42 PM
WhenChangedUTC                       : 12/6/2010 8:45:32 PM
WhenCreatedUTC                       : 5/13/2010 7:11:42 PM
OrganizationId                       :
OriginatingServer                    : RIZZNETNY2K8AD2.rizznetworks.com

Get-AutoDiscoverVirtualdirectory:



RunspaceId                      : b120b8bc-b13e-4dba-88f5-39c932eb83c5
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://rizznetex10srv1.rizznetworks.com/W3SVC/1/ROOT/Autodiscover
Path                            : D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RIZZNETEX10SRV1
InternalUrl                     : https://autodiscover.rizznetworks.com/autodiscover/autodiscover.xml
ExternalUrl                     : https://autodiscover.rizznetworks.com/autodiscover/autodiscover.xml
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=RIZZNETEX10SRV1,CN=Servers
                                  ,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Rizzn
                                  etworks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rizznetworks,DC=com
Identity                        : RIZZNETEX10SRV1\Autodiscover (Default Web Site)
Guid                            : df89520e-aab4-462a-b2b8-07f8597cdd8f
ObjectCategory                  : rizznetworks.com/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 9/28/2010 8:44:55 PM
WhenCreated                     : 9/23/2010 9:31:09 AM
WhenChangedUTC                  : 9/29/2010 12:44:55 AM
WhenCreatedUTC                  : 9/23/2010 1:31:09 PM
OrganizationId                  :
OriginatingServer               : RIZZNETNY2K8AD2.rizznetworks.com
IsValid                         : True


Get-Exchangecertificate:


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.rizznetworks.com, www.mail.rizznetworks.com, autodiscover.rizznetworks.com, rizznetex10srv1.
                     rizznetworks.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 1/15/2012 11:03:07 AM
NotBefore          : 12/6/2010 2:59:49 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 2794E88D071194
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.rizznetworks.com, OU=Domain Control Validated, O=mail.rizznetworks.com
Thumbprint         : 376F94A3A54233E587195350D2D50C84B1C1525B

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule}
CertificateDomains : {rizznetex10srv1, rizznetex10srv1.rizznetworks.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=rizznetex10srv1
NotAfter           : 5/13/2015 3:13:46 PM
NotBefore          : 5/13/2010 3:13:46 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 0C931EC728C6A28244F9475A4499349C
Services           : SMTP
Status             : Valid
Subject            : CN=rizznetex10srv1
Thumbprint         : 775E81A3680EAFBBD6F97D9110DC80CE860CE9BC




To dcraft...; the few machines I looked at do not have that KB installed...

LVL 28

Expert Comment

by:sunnyc7
also
get-outlookanywhere | fl

From an Outlook client which is prompting for password:
Press Ctrl + Right click Outlook icon on bottom right corner
Test Email Auto Config
Use Autodiscover and Guessmart separately.
Let me know the error code you are getting.
0x800 something.

LVL 2

Author Comment

by:Italia_NYC
Get-Outlookanywhere:


RunspaceId                      : ba5ba747-2a73-4a03-b7bb-6aa835a0fd6f
ServerName                      : RIZZNETEX10SRV1
SSLOffloading                   : False
ExternalHostname                : mail.rizznetworks.com
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic, Ntlm}
XropUrl                         :
MetabasePath                    : IIS://rizznetex10srv1.rizznetworks.com/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RIZZNETEX10SRV1
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : Rpc (Default Web Site)
DistinguishedName               : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=RIZZNETEX10SRV1,CN=Servers,CN=Excha
                                  nge Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Rizznetworks,C
                                  N=Microsoft Exchange,CN=Services,CN=Configuration,DC=rizznetworks,DC=com
Identity                        : RIZZNETEX10SRV1\Rpc (Default Web Site)
Guid                            : d54c876b-7ba3-4450-a57e-f38d94b04023
ObjectCategory                  : rizznetworks.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 3/3/2011 6:50:54 PM
WhenCreated                     : 3/3/2011 6:47:38 PM
WhenChangedUTC                  : 3/3/2011 11:50:54 PM
WhenCreatedUTC                  : 3/3/2011 11:47:38 PM
OrganizationId                  :
OriginatingServer               : RIZZNETNY2K8AD2.rizznetworks.com
IsValid                         : True



In regards to the Test Email AutoConfiguration:

There are no errors for Autodiscover... that works fine.

The Guessmart fails with: FAILED (0x80070005)

LVL 28

Expert Comment

by:sunnyc7
Are the users connecting locally over the LAN
or over the VPN?
Is the user logged in to the domain when opening Outlook?

thanks

LVL 2

Author Comment

by:Italia_NYC
All users having this issue (prompting for credentials) are local LAN users. VPN or any other user OUTSIDE the office works flawlessly via Outlook Anywhere.

LVL 2

Author Comment

by:Italia_NYC
And yes... the users are logged into the domain when opening outlook.

LVL 28

Expert Comment

by:sunnyc7
That's strange :)

@ I am checking the output. will post back.

LVL 2

Author Comment

by:Italia_NYC
Strange indeed... lol

Like I said...currently MS themselves are stumped.

Thank you sunny for your help and input. Much appreciated.

LVL 28

Expert Comment

by:sunnyc7
start > run > inetmgr
Expand the servername
go to default website
Autodiscover
click autodiscover
click on authentication on right panel.
Check if windows auth is enabled. if not enable it.
restart iis

LVL 2

Author Comment

by:Italia_NYC
Windows (integrated) authentication is enabled for Autodiscover.

LVL 28

Expert Comment

by:sunnyc7
run this please.


Get-AutodiscoverVirtualDirectory  | Set-AutodiscoverVirtualDirectory -BasicAuthentication:$true -DigestAuthentication:$false -WindowsAuthentication:$true -WSSecurityAuthentication:$false

LVL 2

Author Comment

by:Italia_NYC
Sunny - I ran that command, reset IIS, but it made no difference....

LVL 28

Expert Comment

by:sunnyc7
Can you output
get-autodiscovervirtualdirectory | fl again please.

thanks

LVL 2

Author Comment

by:Italia_NYC
sure...


RunspaceId                      : 723fc67e-800d-4a9b-a956-b763d095502b
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : False
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://rizznetex10srv1.rizznetworks.com/W3SVC/1/ROOT/Autodiscover
Path                            : D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RIZZNETEX10SRV1
InternalUrl                     : https://autodiscover.rizznetworks.com/autodiscover/autodiscover.xml
ExternalUrl                     : https://autodiscover.rizznetworks.com/autodiscover/autodiscover.xml
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=RIZZNETEX10SRV1,CN=Servers
                                  ,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Rizzn
                                  etworks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rizznetworks,DC=com
Identity                        : RIZZNETEX10SRV1\Autodiscover (Default Web Site)
Guid                            : df89520e-aab4-462a-b2b8-07f8597cdd8f
ObjectCategory                  : rizznetworks.com/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 3/5/2011 8:47:12 AM
WhenCreated                     : 9/23/2010 9:31:09 AM
WhenChangedUTC                  : 3/5/2011 1:47:12 PM
WhenCreatedUTC                  : 9/23/2010 1:31:09 PM
OrganizationId                  :
OriginatingServer               : rizznetny2k8ad1.rizznetworks.com
IsValid                         : True

LVL 28

Expert Comment

by:sunnyc7
Can you restart hubtransport service.
MsExchangeTransport

After restarting.
Close outlook.
and then try to connect again.


I am in the city all day for some client work. Won't be able to respond frequently.

LVL 28

Expert Comment

by:sunnyc7
If it still doesn't fix the problem, can you enable Kernel Authentication mode as per this article by demazter

http://demazter.wordpress.com/2010/02/09/outlook-continually-prompting-for-username-and-password-2/

thanks

LVL 2

Author Comment

by:Italia_NYC
I will try that Sunny... thanks.

Yea, we originally had Kernel Authentication enabled... but Microsoft recommended we turn it off for some reason. Either way, made no difference...

LVL 2

Author Comment

by:Italia_NYC
As a follow up Sunny... I did restart the services and even rebooted the Exchange server. No change unfortunately...

LVL 2

Accepted Solution

by:Italia_NYC
Well after working with MS for 8 days... the last thing we did that finally seemed to suppress the pop up login box was to assign READ & EXECUTE, LIST FOLDER CONTENTS and READ permissions to the "Program Files\Microsoft\Exchange Server\V14\ClientAccess" folder for the "Authenticated Users" group.
This seemed like an odd solution to this problem, but alas, it is fixed now, users are happy, I am happy; so I'll leave well enough alone for now.

Thank you very much for all your help and suggestions Sunny, I appreciate it. Hopefully, this will help someone else one day.
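
The permission change described in this accepted answer can be checked, and applied if it is missing, with a script like the one below. It is an added example, not part of the original post and not Microsoft's own procedure; the default path is taken from the cmdlet output posted earlier in the thread, and the function name and the -Grant switch are hypothetical. It inspects only ACEs that name Authenticated Users directly, so access that arrives through another group is not counted.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the Exchange server.
param(
    # Assumption: install path as shown in the cmdlet output posted in this thread.
    [string]$Path = 'D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess',
    [switch]$Grant   # without -Grant the script only reports
)

$AuthUsersSid = 'S-1-5-11'   # well-known SID of "Authenticated Users"
$Needed       = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$InheritOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-AuthUsersReadExecute {
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    # Explicit and inherited ACEs, with identities returned as SIDs
    # so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = 0
    $deny  = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $AuthUsersSid) { continue }
        # Inherit-only ACEs apply to children, not to this folder itself.
        if (([int]$rule.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }
    # True only if every Read & Execute bit is allowed and none of them is denied.
    return ((($allow -band $Needed) -eq $Needed) -and (($deny -band $Needed) -eq 0))
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

if (Test-AuthUsersReadExecute -Folder $Path) {
    "OK: Authenticated Users already has Read & Execute on $Path"
} elseif ($Grant) {
    # (OI)(CI)RX = Read & Execute, inherited by files and subfolders. The security tab
    # shows this as Read & execute, List folder contents and Read.
    & icacls.exe $Path /grant "*${AuthUsersSid}:(OI)(CI)RX"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    "Granted. Re-check result: $(Test-AuthUsersReadExecute -Folder $Path)"
} else {
    "MISSING: no ACE naming Authenticated Users grants Read & Execute on $Path (re-run with -Grant to add it)"
}
```

A later comment in this thread reports that an iisreset after the change disconnected all Exchange clients until the server was restarted, so apply the grant in a maintenance window.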


LVL 2

Author Closing Comment

by:Italia_NYC
Special thanks to Sunny for all your help and ideas. This was truly an odd issue and I hope this resolution from Microsoft can help others.

LVL 3

Expert Comment

by:jmichaelpalermo4
FYI - performing this solution and then doing an iisreset caused all Exchange clients to disconnect (yikes!). Restarting the server caused everything to come back up and the authentication pop-up issue window to resolve. Thank you much to Italia_NYC for going through the pain to resolve this horrific issue!

LVL 28

Expert Comment

by:sunnyc7
Thanks for coming back and updating the case.