Kevin Gibbs

Help with constant password prompts to Exchange 2007

Hey guys, I really need some help here.  About to lose my mind!!  Here is what I got.  
-Exchange 2007 SP3
-Server 2008
-Installed an SSL a couple weeks ago.
-Enabled Outlook Anywhere.

Problems arose from the certificate install that I don't believe pertain to my problem.  But, who knows, it was my first SSL install.

I disabled Outlook Anywhere.

I removed the certificate and went back to the standard self-signed cert.  I disabled all SSL requirements and put everything back to the way things were PRE-SSL.

Everything is working fine, but I have 2 users on WIN XP / Outlook 2007 clients who are getting hammered with CONSTANT username/password prompts to the Outlook Anywhere server.  What's even stranger, I have many others on XP/Outlook 2007 and they are NOT getting prompted.

The prompts say "Welcome back to servername.internaldomain.com"  Please login and the user needs to enter a password.  

I've tried everything I can think of to fix this.  I've read post after post but I can't seem to find a solution anywhere!!  I've even read Dezmaster's doc and still can't seem to fix.  

Can someone help, please?
JDCUSAF

Have you deleted the Outlook profile and re-added it on the offending PCs?
Have you checked the event logs on the Exchange server? Outlook Anywhere is IIS based. There could be some permission issues with one of the folders in IIS for Outlook Anywhere. The event logs are very good with Ex 2007/2010.
ASKER

Yes, I have.  Same problem.  
This is the only event log entry that stands out.  Otherwise, all seems clear.

Process w3wp.exe (AirSync) (PID=3224). An remote procedure call (RPC) request to the Microsoft Exchange Active Directory Topology service failed with error 1753 (Error 6d9 from HrGetTopologyVersion). Make sure that the Remote Procedure Call (RPC) service is running. In addition, make sure that the network ports that are used by RPC are not blocked by a firewall.

RPC IS running.  Does the RPC Locator service need to be running?  It is stopped.  Do I need these RPC services at all if I am NOT using Outlook Anywhere?  I have disabled it.
Silly question, but the accounts that you are mentioning which are getting multiple prompts, they are enabled in AD (not locked out or disabled) and you are typing the correct password? I found in the past that the issue you are experiencing happened to some of my colleagues when they had recently changed passwords and for some reason their new password hadn't taken effect. See if these users have changed their passwords recently. Try to use their old password. Also try to reset the passwords and try as well.
Yes and No.  Yes in the sense that my internal domain is a .com and not a .local.  But no, because Outlook anywhere is completely disabled so I am trying to just take it completely out of the loop and go back to my settings I had a couple weeks ago.  Right now it is disabled.  

I think this has something to do with my autodiscover service but can't for the life of me figure it out!  
Niviesh, users' passwords are not the issue.  I have already tried to reset but to no avail.  Just FYI.  Exchange works just fine, sends and receives with no problem.  I just need this username/password prompt to go away!  Thanks for all your help!
When you start Outlook, press down the CTRL key and then right click on the Outlook icon in your status bar. Then click on Connection Status to check if everything looks alright. You can also click on Test E-Mail AutoConfiguration to see your settings and find any errors.
Odd.  I don't have the option for Test Email Autoconfiguration.  
I've found this in a few posts I have read that the URL http://servername.exchange.com/ews/exchange.asmx should NOT be prompting for user credentials.  However, MINE IS.  Can someone point me to the solution to that problem?  I believe that must be related to my issue?
That is odd. Now another thing. Have you tried configuring the account which constantly prompts for password on another computer that is working fine? If it works on this computer then it could be a local machine issue. At least this will move one step further in the troubleshooting chain.
I'm working remotely and have access to the trouble PC and the server.  Don't really have access to another user's machine at the moment.  I could potentially tomorrow night.
Have you checked to ensure that Authentication on the IIS folder Default Web Site\EWS is set up for:

Anonymous Authentication - Enabled
Basic Authentication - Enabled
Windows Authentication - Enabled

These are the settings I have on my Ex2010. Might be slightly different for you but worth a try.
Try the autoconfig test again for these users:
Time to test outlook autoconfig:
With outlook open, hold down CTRL key and right click on the Outlook icon in the bottom right hand side of your screen, then on the popup menu select the "Test Autoconfiguration". Select that, enter valid credentials and select the "autodiscover" option only and test.
Are all PCs members of the same AD domain?

Another thing to check is if outlook.exe is on the same version on the problem PC vs. a working PC
Install this on the problem Outlook 2007 machines:
http://support.microsoft.com/kb/983316
OK, I changed the permission to BASIC, ANONYMOUS, and WINDOWS...(It was JUST windows).  Now the page just doesn't even display or give me a prompt.  Just says "Page cannot be displayed"  "Likely cause, this page requires you to login"

My Autodiscover is clearly a mess.  I managed to get the "Test Email Autoconfiguration" to run and it is riddled with failures.  It attempted to connect to a variety of different autodiscover links and failed on all of them.  Not sure where to go from here.  Any help is greatly appreciated!

For what it is worth, I am trying to run without a cert...(for now)  Which I have been able to do just fine for over a year now.  I then installed a cert a couple weeks ago and that is when all my issues began to drive me nuts!  I am just trying to get back to the default install when everything was working fine.  Thanks to everyone for any help!
This article of mine will help with resetting Autodiscover for you:
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_4962-7-Steps-to-AutoDiscover-Heaven.html

Do
get-exchangecertificate | fl
And make sure the self signed one is still valid or re-associate the 3rd party one with IIS. What names are on your 3rd party cert?

Set EWS back to Windows authentication only
Thanks Mega!  I followed your doc to a T and all seems well.  My results are exactly as you describe, so I think I'm good there now.  However, the users are still getting the blasted prompts.  My self-signed cert is still valid and is currently associated with IMAP, POP, IIS and SMTP.  Is that how it should be?  Forgive me, but I am new to the cert world with Exchange.  Still learning!

I am holding off for now on trying to implement my 3rd party cert, because that is when all my troubles began.  I want to get things back to normal first and then work on the 3rd party cert.

THANKS!!!
Time to test outlook autoconfig:
With outlook open, hold down CTRL key and right click on the Outlook icon in the bottom right hand side of your screen, then on the popup menu select the "Test Autoconfiguration". Select that, enter valid credentials and select the "autodiscover" option only and test.

Look for URL values and any error codes returned
OK, here is where it gets confusing.  I've got an internal domain name that is different from my user's actual email address.  So, by default, the "Test email AutoConfiguration" pre-fills my user's email address with "username@"internaldomainname".com.  When I enter password for that, it bombs and everything fails.  

However when I enter the actual user's email address and then enter password.  Everything passes just fine.  

The agonizingly annoying password prompts that my users keep getting are to "Servername".internaldomainname.com
Does that servername match the cert?

What happens if you try
Test-outlookwebservices "internal email address" | fl

Where the internal email address is the one you say the outlook autoconfig test fails for?

Also do
Get-clientaccessserver | fl
And look at the autodiscoverserviceinternalUri value. Is it a name on your cert that is internally resolvable to the internal IP address of your CAS server?
Here is what I get when I run...
Test-outlookwebservices "internal email address" | fl

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address xxxxxxx

Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://exservername.InternalDomainname.com/Autodiscover/Autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://exservername.InternalDomainname.com/EWS/Exchange.asmx received the error The request failed with HTTP status 403: Forbidden.

Id      : 1016
Type    : Error
Message : [EXCH]-Error when contacting the AS service at https://exservername.InternalDomainname.com/EWS/Exchange.asmx. The elapsed time was 138 milliseconds.

Id      : 1015
Type    : Information
Message : [EXCH]-The OAB is not configured for this user.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://exservername.InternalDomainname.com/UnifiedMessaging/Service.asmx. The elapsed time was 558 milliseconds.

Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.

Id      : 1021
Type    : Information
Message : The following web services generated errors.
              As in EXCH
          Please use the prior output to diagnose and correct the errors.

The results of Get-clientaccessserver | fl give me
AutoDiscoverServiceInternalUri : https://exservername.InternalDomainname.com/Autodiscover/Autodiscover.xml

Should that be https?  Since I am not using an SSL for the autodiscover service?
On the EWS VD ensure windows authentication is Windows only. Then right click on windows auth and ensure kernel mode authentication is NOT ticked.

Check the SSL settings of the EWS VD and make sure that client certificates = ignore

Did the outlook autoconfig give you any error codes like 0x80072F0C ? Can you post it after hiding your server and domain names please?
Did as you instructed in the first 2 paragraphs.  Then re-started IIS

Attached is the screenshot of the results of the Autoconfig test.  You can't copy paste those results so I just had to do a screen grab and do some blurring.

Confirm that in Internet explorer the name it is trying to contact is listed in the proxy exceptions list.

Then try and open the autodiscover URL in IE on the problem machine and if you get prompted for credentials then enter the problem user credentials and see what you get, you should get error code 600
Also ensure IE is set to bypass the proxy for local addresses.
Hey man, I'm not 100% clear.  We don't use any proxies of any kind.  I don't have any exceptions list or anything.  Am I understanding you?  Sorry!
From a problem user's workstation, I can browse to the autodiscover URL.  I am prompted for a password.  Enter it and I get Error code 600
Hey man, I'm not 100% sure of the policies and procedures that govern this site, but I have a proposition for you.  What is the best way to contact you directly?  phone or email.
While you have IE open as that user on the autodiscover page try the autoconfig test.

Also whilst logged onto the machine as the user create a new outlook profile, what email address does outlook fill in and can it open successfully?
Sorry, I can't be contacted for work outside of EE. You can hire alanhardisty or demazter though...
Also what is your version of exsetup.exe?
Tried what you said and ran the autoconfig test.  Fails with all the same errors as above.  It defaults to roger@internaldomainname.com.  I enter the password and it fails.  When I change the email address to the actual user's email address...it passes with flying colors.

Understood on your last comment about hiring.  thanks!!
8.3.83.6
ASKER CERTIFIED SOLUTION
MegaNuk3
This solution is only available to members.
Is there a service or anything I would need to restart to make that change effective?  IIS?
OK, I'm afraid to speak too soon, but it looks like that may have done it!!  You are a genius!!  As soon as I did that.  Restarted IIS, and then opened a user's outlook and no PROMPTS!!!!  I can't tell you how appreciative I am for you sticking with me!! Thanks MegaNuk3.  I'm going to watch this for just a little longer and I will award your points later!!  Thanks again!
You mentioned it all started after configuring the self-signed certificate and this is only for a couple of users.

Have you checked the certificates on these two computers, and whether these certificates are added to trusted root certificates? - Habz
Habz.  No, I did not check those users individually.  Probably should have.  Appreciate the input!
MegaNuk3 is the man!  This was not my AOE and he really stuck with me.  Very appreciative!
Glad to hear it is sorted. You can try turning SSL on again and changing the autodiscoverserviceinternaluri back to https again and see if the fault comes back. If it doesn't, then we know your SCP was faulty.
Did you try turning on autodiscover HTTPS again?
I have not.  Lost so much time with this client, I am trying to play catch-up with all my others.  I'll take a stab at it over the weekend.
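
The check raised in this thread (is the host in AutoDiscoverServiceInternalUri one of the names on the certificate enabled for IIS?) can be scripted before the URI is switched back to https. This is an added example, not code from any poster: the function name Test-ScpAgainstCertNames and all host names are hypothetical, and the sample values are constructed.

```powershell
# Added example; Test-ScpAgainstCertNames is a hypothetical helper name.
function Test-ScpAgainstCertNames {
    param(
        [string]$InternalUri,   # value of AutoDiscoverServiceInternalUri
        [string[]]$CertNames    # names on the certificate enabled for IIS
    )
    $uri = [System.Uri]$InternalUri
    $uriHost = $uri.Host.ToLower()
    $matched = $null
    foreach ($name in $CertNames) {
        $n = $name.ToLower()
        if ($n -eq $uriHost) { $matched = $name; break }
        # A wildcard name covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $uriHost.Contains('.')) {
            $parent = $uriHost.Substring($uriHost.IndexOf('.') + 1)
            if ($parent -eq $n.Substring(2)) { $matched = $name; break }
        }
    }
    if ($uri.Scheme -ne 'https') {
        $verdict = 'Not https: no certificate name check applies to this URI'
    } elseif ($matched) {
        $verdict = "OK: host is covered by certificate name '$matched'"
    } else {
        $verdict = 'MISMATCH: https URI host is not a name on the certificate'
    }
    $result = New-Object PSObject
    $result | Add-Member -MemberType NoteProperty -Name UriHost -Value $uriHost
    $result | Add-Member -MemberType NoteProperty -Name Scheme -Value $uri.Scheme
    $result | Add-Member -MemberType NoteProperty -Name Verdict -Value $verdict
    $result
}

# Constructed sample values (placeholders, not taken from the thread).
$certNames = @('mail.example.com', 'autodiscover.example.com')
Test-ScpAgainstCertNames 'https://exserver.corp.example.com/Autodiscover/Autodiscover.xml' $certNames
Test-ScpAgainstCertNames 'https://mail.example.com/Autodiscover/Autodiscover.xml' $certNames
Test-ScpAgainstCertNames 'http://exserver.corp.example.com/Autodiscover/Autodiscover.xml' $certNames

# In the Exchange Management Shell the inputs would come from the cmdlets
# used in the thread (assumes a single Client Access server):
#   $uri   = (Get-ClientAccessServer).AutoDiscoverServiceInternalUri
#   $names = Get-ExchangeCertificate |
#            Where-Object { "$($_.Services)" -match 'IIS' } |
#            ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
#   Test-ScpAgainstCertNames $uri $names
```

The first sample call reports a mismatch, the second passes, and the third shows that an http URI involves no certificate name check at all.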