?
Solved

Help with constant password prompts to Exchange 2007

Posted on 2011-03-20
47
Medium Priority
?
4,103 Views
Last Modified: 2012-05-11
Hey guys, I really need some help here.  About to lose my mind!!  Here is what I got.  
-Exchange 2007 SP3
-Server 2008
-Installed an SSL a couple weeks ago.
-Enabled Outlook Anywhere.

Problems arose from the certificate install that I don't believe pertain to my problem.  But, who knows, it was my first SSL install.

I disabled Outlook Anywhere.

I removed the certificate and went back to the standard self signed cert.  I disabled all SSL requirements and put everything back to the way things were PRE-SSL

Everything is working fine, but I have 2 users on WIN XP / Outlook 2007 clients who are getting hammered with CONSTANT username/password prompts to the Outlook Anywhere server.  Whats even stranger I have many others on XP/Outlook2007 and they Are NOT getting prompted.

The prompts say "Welcome back to servername.internaldomain.com"  Please login and the user need to enter a password.  

I've tried everything I can think of to fix this.  I've read post after post but I can't seem to find a solution anywhere!!  I've even read Dezmaster's doc and still can't seem to fix.  

Can Someone help please?
0
Comment
Question by:kevingibbs1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 23
  • 16
  • 6
  • +2
47 Comments
 
LVL 2

Expert Comment

by:JDCUSAF
ID: 35177792
Have you deleted the outlook profile and re-added it on the offending PC's?
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35177801
have you checked the event logs on the exchange server? outlook anywhere is IIS based. There could be some permission issues with one of the folders in IIS for Outlook Anywhere. The eventlogs are very good with Ex 2007/2010.
0
 

Author Comment

by:kevingibbs1
ID: 35177802
Yes, I have.  Same problem.  
0
WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

 

Author Comment

by:kevingibbs1
ID: 35177824
This is the only evenlt log entry that stands out.  Other wise, all seems clear.

Process w3wp.exe (AirSync) (PID=3224). An remote procedure call (RPC) request to the Microsoft Exchange Active Directory Topology service failed with error 1753 (Error 6d9 from HrGetTopologyVersion). Make sure that the Remote Procedure Call (RPC) service is running. In addition, make sure that the network ports that are used by RPC are not blocked by a firewall.

RPC IS running.  Does the the RPC locator service need to be running?  It is stopped.  Do I need these RPC services at all if I am NOT using Outlook Anywhere.  I have disabled it.
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35177870
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35177881
silly question but the accounts that you are mentioning which are getting multiple prompts, they are enabled in AD (not locked our or disabled) and you are typing the correct password? I found in the past that the issue you are experiencing happened to some of my collegues when they had recently changed passwords and for some reason their new password hadnt takent effect. see if these users have changed their passwords recently. try to use their old password. also try to reset the passwords and try as well.
0
 

Author Comment

by:kevingibbs1
ID: 35177887
Yes and No.  Yes in the sense that my internal domain is a .com and not a .local.  But no, because Outlook anywhere is completely disabled so I am trying to just take it completely out of the loop and go back to my settings I had a couple weeks ago.  Right now it is disabled.  

I think this has something to do with my autodiscover service but can't for the life of me figure it out!  
0
 

Author Comment

by:kevingibbs1
ID: 35177894
Niviesh, users passwords are not the issue.  I have already tried to reset but to no avail.  Just FYI.  Exchange works just fine, sends and receives with no problem.  I just need this username/password prompt to go away!  Thanks for all your help!
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35177899
when you start outlook, press down CTRL key and then right click on the outlook icon in your status bar. then click on Connection Status to check if everything looks aright. You can also click on Test E-Mail AutoConfiguration to see your settings and find any errors.
0
 

Author Comment

by:kevingibbs1
ID: 35177913
Odd.  I don't have the option for Test Email Autoconfiguration.  
0
 

Author Comment

by:kevingibbs1
ID: 35177954
I've found this in a few posts I have read that the URL http://servername.exchange.com/ews/exchange.asmx should NOT be prompting for user credentials.  However, MINE IS.  Can someone point me to the solution to that problem?  I believe that must be related to my issue?
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35177958
that is odd. now another thing. have you tried configuring the account which constantly prompts for password on another computer that is working fine? if it works on this computer then it could be a local machine issue. at least this will move one step further in the troubleshooting chain
0
 

Author Comment

by:kevingibbs1
ID: 35177965
I'm working remotely and have access to the trouble PC and the server.  Don't really have access to another user's machine at the moment.  I could potentially tomorrow night.
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35177988
have you checked to ensure that Authentication on the IIS folder Default Web Site\ESW is setup for

Anonymous Authentication - Enabled
Basic Authentication - Enabled
Windows Authentication - Enabled

These are the settings I have on my Ex2010. Might be slightly different for you but worth a try.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35178592
Try the autoconfig test again for these users:
Time to test outlook autoconfig:
With outlook open, hold down CTRL key and right click on the Outlook icon in the bottom right hand side of your screen, then on the popup menu select the "Test Autoconfiguration". Select that, enter valid credentials and select the "autodiscover" option only and test.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35178597
Are all PCs members of the same AD domain?

Another thing to check is if outlook.exe is on the same version on the problem PC vs. a working PC
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35178606
Install this on the problem Outlook 2007 machines:
http://support.microsoft.com/kb/983316
0
 

Author Comment

by:kevingibbs1
ID: 35179627
OK, I changed the permission to BASIC, ANONYMOUS, and WINDOWS...(It was JUST windows).  Now the page just doesn't even display or give me a prompt.  Just says "Page cannot be displayed"  Likely cause, this page requires you to login"

My Autodiscover is clearly a mess.  I managed to get the "Test Email Autoconfiguration" to run and it is riddled with failures.  It attempted to connect to a variety of different autodiscover links and failed on all of them.  Not sure where to go from here.  Any help is greatly appreciated!

0
 

Author Comment

by:kevingibbs1
ID: 35179726
For what it is worth, I am trying to run without a cert...(for now)  Which I have been able to do just fine for over a year now.  I then installed a cert a couple weeks ago and that is when all my issues began to drive me nuts!  I am just trying to get back to the default install when everything was working fine.  Thanks to everyone for any help!
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35181582
This article of mine will help with resetting Autodiscover for you:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_4962-7-Steps-to-AutoDiscover-Heaven.html

Do
get-exchangecertificate | fl
And make sure the self signed one is still valid or re-associate the 3rd party one with IIS. What names are on your 3rd party cert?

Set EWS back to Windows authentication only
0
 

Author Comment

by:kevingibbs1
ID: 35182083
Thanks Mega!  I followed your doc to to a T and all seems well.  My results are exactly as you describe, so I think I'm good there now.  However, the users are still getting the blasted prompts.  My Self signed cert is still valid and is currently associated with IMAP, POP, IIS and SMTP.  Is that how it should be.  Forgive me, but I am new the cert world with exchange.  Still learning!

I am holding off for now on trying to implement my 3rd party cert, because that is when all my troubles began.  I want to get things back to normal first and then work on the 3rd part cert.

THANKS!!!
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35182255
Time to test outlook autoconfig:
With outlook open, hold down CTRL key and right click on the Outlook icon in the bottom right hand side of your screen, then on the popup menu select the "Test Autoconfiguration". Select that, enter valid credentials and select the "autodiscover" option only and test.

Look for URL values and any error codes returned
0
 

Author Comment

by:kevingibbs1
ID: 35182339
OK, here is where it gets confusing.  I've got an internal domain name that is different from my user's actual email address.  So, by default, the "Test email AutoConfiguration" pre-fills my user's email address with "username@"internaldomainname".com.  When I enter password for that, it bombs and everything fails.  

However when I enter the actual user's email address and then enter password.  Everything passes just fine.  

The agonizingly annoying password prompt that my user's keep getting are to "Servername".internaldomainname.com
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35182698
Does that servername match the cert?

What happens if you try
Test-outlookwebservices "internal email address" | fl

Where the internal email address is the one you say the outlook autoconfig test fails for?

Also do
Get-clientaccessserver | fl
And look at the autodiscoverserviceinternalUri value, is it a name on your cert that is internally resolvable to the internal  ip address of your CAS server?
0
 

Author Comment

by:kevingibbs1
ID: 35182875
Here is what I get when I run...
Test-outlookwebservices "internal email address" | fl

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address xxxxxxx

Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://exservername.InternalDomainname.com/Autodiscover/Autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://exservername.InternalDomainname.com/EWS/Exchange.asmx received the error The request failed with HTTP status 403: Forbidden.

Id      : 1016
Type    : Error
Message : [EXCH]-Error when contacting the AS service at https://exservername.InternalDomainname.com/EWS/Exchange.asmx. The elapsed time was 138 milliseconds.

Id      : 1015
Type    : Information
Message : [EXCH]-The OAB is not configured for this user.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://exservername.InternalDomainname.com/UnifiedMessaging/Service.asmx. The elapsed time was 558 milliseconds.

Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.

Id      : 1021
Type    : Information
Message : The following web services generated errors.
              As in EXCH
          Please use the prior output to diagnose and correct the errors.

The results of Get-clientaccessserver | fl give me
AutoDiscoverServiceInternalUri : https://exservername.InternalDomainname.com/Autodiscover/Autodiscover.xml

Should that be https?  Since I am not using an SSL for the autodiscover service?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35183024
On the EWS VD ensure windows authentication is Windows only. Then right click on windows auth and ensure kernel mode authentication is NOT ticked.

Check the SSL settings of the EWS VD and make sure that client certificates = ignore

Did the outlook autoconfig give you any error codes like 0x80072F0C ? Can you post it after hiding your server and domain names please?
0
 

Author Comment

by:kevingibbs1
ID: 35183245
Did as you instructed in the first 2 paragraphs.  Then re-started IIS

Attached is the screenshot of the results of the Autoconfig test.  You can't copy paste those results so I just had to do a screen grab and do some blurring.


 autoconfig results
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35183388
Confirm that in Internet explorer the name it is trying to contact is listed in the proxy exceptions list.

Then try and open the autodiscover URL in IE on the problem machine and if you get prompted for credentials then enter the problem user credentials and see what you get, you should get error code 600
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35183396
Also ensure IE is set to bypass the proxy for local addresses.
0
 

Author Comment

by:kevingibbs1
ID: 35183427
Hey man, I'm not 100% clear.  We don't use any proxies of any kind.  I don't have any exceptions list or anything.  Am I understanding you?  Sorry!
0
 

Author Comment

by:kevingibbs1
ID: 35183464
From a problem user's workstation, I can browse to the autodiscover URL.  I am prompted for a password.  Enter it and I get Error code 600
0
 

Author Comment

by:kevingibbs1
ID: 35183495
Hey man, I'm not 100% sure of the policies and procedures that govern this site, but I have a proposition for you.  What is the best way to contact you directly?  phone or email.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35183506
While you have IE open as that user on the autodiscover page try the autoconfig test.

Also whilst logged onto the machine as the user create a new outlook profile, what email address does outlook fill in and can it open successfully?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35183529
Sorry, I can't be contacted for work outside of EE. You can hire alanhardisty or demazter though...
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35183544
Also what is your version of exsetup.exe?
0
 

Author Comment

by:kevingibbs1
ID: 35183551
Tried what you said and ran the autoconfig test.  Fails with all the same errors as above.  It defaults to roger@internaldomainname.com.  I enter the password and it fails.  When I change the email address to the actual user's email address...it passes with flying colors.

Understood on your last comment about hiring.  thanks!!
0
 

Author Comment

by:kevingibbs1
ID: 35183602
8.3.83.6
0
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 2000 total points
ID: 35183618
You can try turning off the SSL requirement on the Autodiscover VD and then do
Get-clientAccessServer | set-clientaccessServer -autoDiscoverServiceinternalURi "http://<internal CAS FQDN>/autodiscover/autodiscover.XML"
0
 

Author Comment

by:kevingibbs1
ID: 35183666
Is there a service or anything I would need to restart to make that change effective?  IIS?
0
 

Author Comment

by:kevingibbs1
ID: 35183873
OK, I'm afraid to speak too soon, but it looks like that may have done it!!  You are a genius!!  As soon as I did that.  Restarted IIS, and then opened a user's outlook and no PROMPTS!!!!  I can't tell you how appreciative I am for you sticking with me!! Thanks MegaNuk3.  I'm going to watch this for just a little longer and I will award your points later!!  Thanks again!
0
 
LVL 4

Expert Comment

by:Habeebmast7
ID: 35183965
You mentioned, it all started after configuring the self signed certificate and this is only for couple users.

Have you checkk the certificates on these two computers, if these certificates are added to trusted root certificates. - Habz
0
 

Author Comment

by:kevingibbs1
ID: 35184048
Habz.  no, I did not check those user's individually.  Probably should have.  Appreciate the input!
0
 

Author Closing Comment

by:kevingibbs1
ID: 35184056
MegaNuk3 is the man!  This was not my AOE and he really stuck with me.  Very appreciative!
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35184745
Glad to hear it is sorted. You can try turning SSL on again and changing the autodiscoverserviceinternaluri back to https again and see if the fault comes back if it doesn't then we know your SCP was faulty
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35195039
Did you try turning on autodiscover HTTPs again?
0
 

Author Comment

by:kevingibbs1
ID: 35195046
I have not.  Lost so much time with this client, I am trying to play catchup with all my others.  I'll take a stab at it over the weekend.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35195067
Ok
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses
Course of the Month12 days, 12 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question