Avatar of doug67coug
Outlook 2010 & 2007 prompts for password continuously. Possible certificate issue.

Outlook 2007 and 2010 prompt for password continuously.  After HOURS on the phone with Microsoft, we got this fix a few years ago for Office 2007 so it will not prompt for credentials continuously.  The fix is this registry entry:


This solved the password prompting issue, but I have noticed a problem when trying to update the global address list. (Office 2007: Tools>Send/Receive>Download Address book and then click ok.)
The process fails.  (See screenshot1.jpeg and screenshot2.jpeg)

 Screen Shot 1
 Screen Shot 2
I did see where the Send/Receive windows say “Saving Sync Log” (screenshot1.jpeg), but I do not know where this is at.

When “Always prompt for login credentials” (under account setup) is checked, you can update the Global Address book without any problems.  (See attached screen shot screenshot3.jpeg)

 Screen Shot 3
The above registry entry does not work on Office 2010.  What I can understand is this is due to changes in 2010 on how it uses RPC.  I did discover this workaround though:

When “Always prompt for login credentials” (under account setup) is checked, everything works fine.  User is not prompted for password (except the first time when they open Outlook) and you can update the Global Address book.

Please see the additional information below.

Any help is GREATLY appreciated.

Additional information:
1)      Client machines are Windows 7

2)      We have two Exchange servers.  One is Mailbox and Hub Transport.  The other is CAS.  Both servers are dc, gc, and server 2k3 R2 SP2 64-bit.

3)      Exchange version on both servers is 8.3 (Build 83.6)

4)      We do not have a UCC.  I do think this is part if not all of the problem.  I am not familiar enough with Exchange and IIS to request a certificate and then install it and set up everything correctly.  We did not do this when Exchange was set up due to an issue with our domain being registered with another company.  This has all been resolved and we can do this now.  I am trying to get a contractor in to request, install, and set up the UCC.

5)      This shows up in System Log on all domain computers:  The server mentioned here is my CAS server:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/jackson.hsisdad.local. The target name used was HTTP/jackson.HSISDAD.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (HSISDAD.LOCAL) is different from the client domain (HSISDAD.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Tags: Exchange, Windows Server 2003, Outlook
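
Added example, not part of the original post: the event quoted in item 5 names the principal that answered and the target SPN the client asked for, and says the error can occur when that SPN is registered on a different account. The script below pulls both names out of the event text and checks an LDIF export of `servicePrincipalName` for that condition; the export and the `svc-web` account are constructed for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the System Log event quoted in the post.
EVENT = ("The Kerberos client received a KRB_AP_ERR_MODIFIED error from the "
         "server host/jackson.hsisdad.local. The target name used was "
         "HTTP/jackson.HSISDAD.local. This indicates that the target server "
         "failed to decrypt the ticket provided by the client.")

# Constructed LDIF export of servicePrincipalName; svc-web is hypothetical.
LDIF = """\
dn: CN=JACKSON,OU=Domain Controllers,DC=hsisdad,DC=local
servicePrincipalName: HOST/jackson.hsisdad.local
servicePrincipalName: HOST/JACKSON

dn: CN=svc-web,CN=Users,DC=hsisdad,DC=local
servicePrincipalName: http/jackson.hsisdad.local
"""

def parse_event(text):
    """Return (answering server principal, target SPN) from the event text."""
    m = re.search(r"from the server (\S+?)\. The target name used was "
                  r"(\S+?)\.(?:\s|$)", text)
    if not m:
        raise ValueError("not a KRB_AP_ERR_MODIFIED event message")
    return m.group(1), m.group(2)

def spn_owners(ldif):
    """Map each lower-cased SPN to the set of account DNs that register it."""
    owners, dn = defaultdict(set), None
    for line in ldif.splitlines():
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
        elif key.lower() == "serviceprincipalname" and dn:
            owners[value.lower()].add(dn)  # SPN lookups ignore case
    return owners

def diagnose(event, ldif):
    """List accounts holding the target SPN that are not the answering account."""
    server, target = parse_event(event)
    owners = spn_owners(ldif)
    expected = owners.get(server.lower(), set())
    conflicts = sorted(owners.get(target.lower(), set()) - expected)
    verdict = ("target SPN is registered on another account" if conflicts
               else "no conflicting registration; check the password cause")
    return {"server": server, "target": target,
            "conflicts": conflicts, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(EVENT, LDIF))
```

An empty `conflicts` list rules out only the first cause named in the event; the second cause it names, a service account password that differs from what the KDC holds, is not visible in an SPN export.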

Last Comment

8/22/2022 - Mon