Solved

Help with constant password prompts to Exchange 2007

Posted on 2011-03-20
47
4,061 Views
Last Modified: 2012-05-11
Hey guys, I really need some help here.  About to lose my mind!!  Here is what I got.  
-Exchange 2007 SP3
-Server 2008
-Installed an SSL a couple weeks ago.
-Enabled Outlook Anywhere.

Problems arose from the certificate install that I don't believe pertain to my problem.  But, who knows, it was my first SSL install.

I disabled Outlook Anywhere.

I removed the certificate and went back to the standard self signed cert.  I disabled all SSL requirements and put everything back to the way things were PRE-SSL

Everything is working fine, but I have 2 users on WIN XP / Outlook 2007 clients who are getting hammered with CONSTANT username/password prompts to the Outlook Anywhere server.  What's even stranger, I have many others on XP/Outlook2007 and they are NOT getting prompted.

The prompts say "Welcome back to servername.internaldomain.com"  Please login and the user needs to enter a password.  

I've tried everything I can think of to fix this.  I've read post after post but I can't seem to find a solution anywhere!!  I've even read Dezmaster's doc and still can't seem to fix.  

Can someone help please?
0
Comment
Question by:kevingibbs1
47 Comments
 
LVL 2

Expert Comment

by:JDCUSAF
Comment Utility
Have you deleted the Outlook profile and re-added it on the offending PCs?
0
 
LVL 8

Expert Comment

by:Nivlesh
Comment Utility
Have you checked the event logs on the Exchange server? Outlook Anywhere is IIS based. There could be some permission issues with one of the folders in IIS for Outlook Anywhere. The event logs are very good with Ex 2007/2010.
0
 

Author Comment

by:kevingibbs1
Comment Utility
Yes, I have.  Same problem.  
0
 

Author Comment

by:kevingibbs1
Comment Utility
This is the only event log entry that stands out.  Otherwise, all seems clear.

Process w3wp.exe (AirSync) (PID=3224). An remote procedure call (RPC) request to the Microsoft Exchange Active Directory Topology service failed with error 1753 (Error 6d9 from HrGetTopologyVersion). Make sure that the Remote Procedure Call (RPC) service is running. In addition, make sure that the network ports that are used by RPC are not blocked by a firewall.

RPC IS running.  Does the RPC locator service need to be running?  It is stopped.  Do I need these RPC services at all if I am NOT using Outlook Anywhere?  I have disabled it.
0
 
LVL 8

Expert Comment

by:Nivlesh
Comment Utility
0
 
LVL 8

Expert Comment

by:Nivlesh
Comment Utility
Silly question, but the accounts that you are mentioning which are getting multiple prompts, they are enabled in AD (not locked out or disabled) and you are typing the correct password? I found in the past that the issue you are experiencing happened to some of my colleagues when they had recently changed passwords and for some reason their new password hadn't taken effect. See if these users have changed their passwords recently. Try to use their old password. Also try to reset the passwords and try as well.
0
 

Author Comment

by:kevingibbs1
Comment Utility
Yes and No.  Yes in the sense that my internal domain is a .com and not a .local.  But no, because Outlook anywhere is completely disabled so I am trying to just take it completely out of the loop and go back to my settings I had a couple weeks ago.  Right now it is disabled.  

I think this has something to do with my autodiscover service but can't for the life of me figure it out!  
0
 

Author Comment

by:kevingibbs1
Comment Utility
Nivlesh, users' passwords are not the issue.  I have already tried to reset but to no avail.  Just FYI.  Exchange works just fine, sends and receives with no problem.  I just need this username/password prompt to go away!  Thanks for all your help!
0
 
LVL 8

Expert Comment

by:Nivlesh
Comment Utility
When you start Outlook, press down the CTRL key and then right click on the Outlook icon in your status bar. Then click on Connection Status to check if everything looks alright. You can also click on Test E-Mail AutoConfiguration to see your settings and find any errors.
0
 

Author Comment

by:kevingibbs1
Comment Utility
Odd.  I don't have the option for Test Email Autoconfiguration.  
0
 

Author Comment

by:kevingibbs1
Comment Utility
I've found this in a few posts I have read that the URL http://servername.exchange.com/ews/exchange.asmx should NOT be prompting for user credentials.  However, MINE IS.  Can someone point me to the solution to that problem?  I believe that must be related to my issue?
0
 
LVL 8

Expert Comment

by:Nivlesh
Comment Utility
That is odd. Now another thing. Have you tried configuring the account which constantly prompts for password on another computer that is working fine? If it works on this computer then it could be a local machine issue. At least this will move one step further in the troubleshooting chain.
0
 

Author Comment

by:kevingibbs1
Comment Utility
I'm working remotely and have access to the trouble PC and the server.  Don't really have access to another user's machine at the moment.  I could potentially tomorrow night.
0
 
LVL 8

Expert Comment

by:Nivlesh
Comment Utility
Have you checked to ensure that Authentication on the IIS folder Default Web Site\ESW is set up for

Anonymous Authentication - Enabled
Basic Authentication - Enabled
Windows Authentication - Enabled

These are the settings I have on my Ex2010. Might be slightly different for you but worth a try.
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Try the autoconfig test again for these users:
Time to test outlook autoconfig:
With outlook open, hold down CTRL key and right click on the Outlook icon in the bottom right hand side of your screen, then on the popup menu select the "Test Autoconfiguration". Select that, enter valid credentials and select the "autodiscover" option only and test.
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Are all PCs members of the same AD domain?

Another thing to check is if outlook.exe is on the same version on the problem PC vs. a working PC
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Install this on the problem Outlook 2007 machines:
http://support.microsoft.com/kb/983316
0
 

Author Comment

by:kevingibbs1
Comment Utility
OK, I changed the permission to BASIC, ANONYMOUS, and WINDOWS... (It was JUST Windows.)  Now the page just doesn't even display or give me a prompt.  Just says "Page cannot be displayed"  "Likely cause, this page requires you to login"

My Autodiscover is clearly a mess.  I managed to get the "Test Email Autoconfiguration" to run and it is riddled with failures.  It attempted to connect to a variety of different autodiscover links and failed on all of them.  Not sure where to go from here.  Any help is greatly appreciated!

0
 

Author Comment

by:kevingibbs1
Comment Utility
For what it is worth, I am trying to run without a cert...(for now)  Which I have been able to do just fine for over a year now.  I then installed a cert a couple weeks ago and that is when all my issues began to drive me nuts!  I am just trying to get back to the default install when everything was working fine.  Thanks to everyone for any help!
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
This article of mine will help with resetting Autodiscover for you:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_4962-7-Steps-to-AutoDiscover-Heaven.html

Do
get-exchangecertificate | fl
And make sure the self signed one is still valid or re-associate the 3rd party one with IIS. What names are on your 3rd party cert?

Set EWS back to Windows authentication only
0
 

Author Comment

by:kevingibbs1
Comment Utility
Thanks Mega!  I followed your doc to a T and all seems well.  My results are exactly as you describe, so I think I'm good there now.  However, the users are still getting the blasted prompts.  My self-signed cert is still valid and is currently associated with IMAP, POP, IIS and SMTP.  Is that how it should be?  Forgive me, but I am new to the cert world with Exchange.  Still learning!

I am holding off for now on trying to implement my 3rd party cert, because that is when all my troubles began.  I want to get things back to normal first and then work on the 3rd party cert.

THANKS!!!
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Time to test outlook autoconfig:
With outlook open, hold down CTRL key and right click on the Outlook icon in the bottom right hand side of your screen, then on the popup menu select the "Test Autoconfiguration". Select that, enter valid credentials and select the "autodiscover" option only and test.

Look for URL values and any error codes returned
0
 

Author Comment

by:kevingibbs1
Comment Utility
OK, here is where it gets confusing.  I've got an internal domain name that is different from my user's actual email address.  So, by default, the "Test email AutoConfiguration" pre-fills my user's email address with "username@"internaldomainname".com.  When I enter password for that, it bombs and everything fails.  

However when I enter the actual user's email address and then enter password.  Everything passes just fine.  

The agonizingly annoying password prompts that my users keep getting are to "Servername".internaldomainname.com
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Does that servername match the cert?

What happens if you try
Test-outlookwebservices "internal email address" | fl

Where the internal email address is the one you say the outlook autoconfig test fails for?

Also do
Get-clientaccessserver | fl
And look at the autodiscoverserviceinternalUri value, is it a name on your cert that is internally resolvable to the internal  ip address of your CAS server?
0
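The check asked for above (is the host in AutoDiscoverServiceInternalUri a name on the certificate bound to IIS, and does it resolve internally?) can be scripted. This is an added example, not code from the thread; the function name Test-NameOnCert is hypothetical, and it assumes the Exchange Management Shell with PowerShell 2.0 or later.

```powershell
# Added example: compare each CAS's Autodiscover SCP URL with the
# names on the certificate(s) enabled for IIS. Read-only; changes nothing.
# Assumes PowerShell 2.0+ (try/catch). Test-NameOnCert is a hypothetical helper.

function Test-NameOnCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }       # -eq ignores case
        if ($n.StartsWith('*.')) {
            # A wildcard entry covers exactly one additional label.
            $suffix = $n.Substring(1)                 # e.g. ".example.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch '\.') {
                return $true
            }
        }
    }
    return $false
}

# Certificates currently enabled for the IIS service.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })
if ($iisCerts.Count -eq 0) { Write-Warning 'No certificate is enabled for IIS.' }

foreach ($cas in Get-ClientAccessServer) {
    $raw = "$($cas.AutoDiscoverServiceInternalUri)"
    if (-not $raw) { Write-Warning "$($cas.Name): no SCP URL is set"; continue }
    $uri = [Uri]$raw

    # Does the SCP host name resolve from this machine?
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($uri.Host) } catch { $resolves = $false }

    if ($uri.Scheme -ne 'https') {
        Write-Warning "$($cas.Name): SCP uses $($uri.Scheme), so Autodiscover is not protected by TLS"
    }

    foreach ($cert in $iisCerts) {
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $cert | Select-Object @{n='Server';     e={ $cas.Name }},
                              @{n='ScpHost';    e={ $uri.Host }},
                              @{n='Resolves';   e={ $resolves }},
                              @{n='NameOnCert'; e={ Test-NameOnCert $uri.Host $names }},
                              IsSelfSigned, NotAfter, Thumbprint
    }
}
```

A row with NameOnCert = False, or IsSelfSigned = True on clients that do not trust the certificate, means the https Autodiscover URL will produce certificate or credential prompts until the certificate and the SCP host name agree.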
 

Author Comment

by:kevingibbs1
Comment Utility
Here is what I get when I run...
Test-outlookwebservices "internal email address" | fl

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address xxxxxxx

Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://exservername.InternalDomainname.com/Autodiscover/Autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://exservername.InternalDomainname.com/EWS/Exchange.asmx received the error The request failed with HTTP status 403: Forbidden.

Id      : 1016
Type    : Error
Message : [EXCH]-Error when contacting the AS service at https://exservername.InternalDomainname.com/EWS/Exchange.asmx. The elapsed time was 138 milliseconds.

Id      : 1015
Type    : Information
Message : [EXCH]-The OAB is not configured for this user.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://exservername.InternalDomainname.com/UnifiedMessaging/Service.asmx. The elapsed time was 558 milliseconds.

Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.

Id      : 1021
Type    : Information
Message : The following web services generated errors.
              As in EXCH
          Please use the prior output to diagnose and correct the errors.

The results of Get-clientaccessserver | fl give me
AutoDiscoverServiceInternalUri : https://exservername.InternalDomainname.com/Autodiscover/Autodiscover.xml

Should that be https?  Since I am not using an SSL for the autodiscover service?
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
On the EWS VD ensure windows authentication is Windows only. Then right click on windows auth and ensure kernel mode authentication is NOT ticked.

Check the SSL settings of the EWS VD and make sure that client certificates = ignore

Did the outlook autoconfig give you any error codes like 0x80072F0C ? Can you post it after hiding your server and domain names please?
0
 

Author Comment

by:kevingibbs1
Comment Utility
Did as you instructed in the first 2 paragraphs.  Then re-started IIS

Attached is the screenshot of the results of the Autoconfig test.  You can't copy paste those results so I just had to do a screen grab and do some blurring.


 autoconfig results
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Confirm that in Internet explorer the name it is trying to contact is listed in the proxy exceptions list.

Then try and open the autodiscover URL in IE on the problem machine and if you get prompted for credentials then enter the problem user credentials and see what you get, you should get error code 600
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Also ensure IE is set to bypass the proxy for local addresses.
0
 

Author Comment

by:kevingibbs1
Comment Utility
Hey man, I'm not 100% clear.  We don't use any proxies of any kind.  I don't have any exceptions list or anything.  Am I understanding you?  Sorry!
0
 

Author Comment

by:kevingibbs1
Comment Utility
From a problem user's workstation, I can browse to the autodiscover URL.  I am prompted for a password.  Enter it and I get Error code 600
0
 

Author Comment

by:kevingibbs1
Comment Utility
Hey man, I'm not 100% sure of the policies and procedures that govern this site, but I have a proposition for you.  What is the best way to contact you directly?  phone or email.
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
While you have IE open as that user on the autodiscover page try the autoconfig test.

Also whilst logged onto the machine as the user create a new outlook profile, what email address does outlook fill in and can it open successfully?
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Sorry, I can't be contacted for work outside of EE. You can hire alanhardisty or demazter though...
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Also what is your version of exsetup.exe?
0
 

Author Comment

by:kevingibbs1
Comment Utility
Tried what you said and ran the autoconfig test.  Fails with all the same errors as above.  It defaults to roger@internaldomainname.com.  I enter the password and it fails.  When I change the email address to the actual user's email address...it passes with flying colors.

Understood on your last comment about hiring.  thanks!!
0
 

Author Comment

by:kevingibbs1
Comment Utility
8.3.83.6
0
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 500 total points
Comment Utility
You can try turning off the SSL requirement on the Autodiscover VD and then do
Get-clientAccessServer | set-clientaccessServer -autoDiscoverServiceinternalURi "http://<internal CAS FQDN>/autodiscover/autodiscover.XML"
0
 

Author Comment

by:kevingibbs1
Comment Utility
Is there a service or anything I would need to restart to make that change effective?  IIS?
0
 

Author Comment

by:kevingibbs1
Comment Utility
OK, I'm afraid to speak too soon, but it looks like that may have done it!!  You are a genius!!  As soon as I did that.  Restarted IIS, and then opened a user's outlook and no PROMPTS!!!!  I can't tell you how appreciative I am for you sticking with me!! Thanks MegaNuk3.  I'm going to watch this for just a little longer and I will award your points later!!  Thanks again!
0
 
LVL 4

Expert Comment

by:Habeebmast7
Comment Utility
You mentioned, it all started after configuring the self signed certificate and this is only for couple users.

Have you checked the certificates on these two computers, if these certificates are added to trusted root certificates? - Habz
0
 

Author Comment

by:kevingibbs1
Comment Utility
Habz.  No, I did not check those users individually.  Probably should have.  Appreciate the input!
0
 

Author Closing Comment

by:kevingibbs1
Comment Utility
MegaNuk3 is the man!  This was not my AOE and he really stuck with me.  Very appreciative!
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Glad to hear it is sorted. You can try turning SSL on again and changing the autodiscoverserviceinternaluri back to https again and see if the fault comes back. If it doesn't, then we know your SCP was faulty.
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Did you try turning on autodiscover HTTPs again?
0
 

Author Comment

by:kevingibbs1
Comment Utility
I have not.  Lost so much time with this client, I am trying to play catchup with all my others.  I'll take a stab at it over the weekend.
0
 
LVL 31

Expert Comment

by:MegaNuk3
Comment Utility
Ok
0
