Outlook 2010 & 2007 prompts for password continuously.  Possible certificate issue.

Posted on 2011-10-05
Last Modified: 2012-05-12
Outlook 2007 and 2010 prompt for password continuously.  After HOURS on the phone with Microsoft, we got this fix a few years ago for Office 2007 so it will not prompt for credentials continuously.  The fix is this registry entry:


This solved the password prompting issue, but I have noticed a problem when trying to update the global address list. (Office 2007: Tools>Send/Receive>Download Address book and then click ok.)
The process fails.  (See screenshot1.jpeg and screenshoot2.jpeg)

 Screen Shot 1
 Screen Shot 2
I did see where the Send/Receive windows say “Saving Sync Log” (screenshot1.jpeg), but I do not know where this is at.

When “Always prompt for login credentials” (under account setup) is checked, you can update the Global Address book without any problems.  (See attached screen shot screenshot3.jpeg)

 Screen Shot 3
The above registry entry does not work on Office 2010.  What I can understand is this is due to changes in 2010 on how it uses RPC.  I did discover this work around though:

When “Always prompt for login credentials” (under account setup) is checked, everything works fine.  User is not prompted for password (except the first time when they open outlook and you can update the Global Address book.

Please see the additional information below.

Any help is GREATLY appreciated.

Additional information:
1)      Client machines are Windows 7

2)      We have two Exchange servers.  One is Mailbox and Hub Transport.  The other is CAS.  Bother servers are dc, gc, and server 2k3 R2 SP2 64-bit.

3)      Exchange version on both servers is 8.3 (Build 83.6)

4)      We do not have a UCC.  I do think this is part if not all of the problem.  I am not familiar enough with exchange and IIS to request a certificate and then install it and setup everything correctly.  We did not do this when Exchange was setup due to issue with our domain being registered with another company.  This has all been resolved and we can do this now.  I am trying to get a contractor in to request, install, and setup the UCC.

5)      This shows up in System Log on all domain computers:  The server mentioned here is my CAS server:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/jackson.hsisdad.local. The target name used was HTTP/jackson.HSISDAD.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (HSISDAD.LOCAL) is different from the client domain (HSISDAD.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Question by:doug67coug
    LVL 5

    Accepted Solution


      Check the below article...May be helpful to you.
    LVL 15

    Expert Comment


    Author Comment

    @Morasiva:  That did have an affect on my global address book issue.  However the solution in the article does not work.  If I disable proxy settings all toghether, it works great!  If I add FQDN of CAS in bypass list it does not work.  Any idea?

    Does anyone have an idea regarding the password prompting in Outlook 2010.  I do have a work around, but it is not a fix.

    Assisted Solution

    Ok I found that changing my default gateway to my core switch instead of the firewall/proxy as the gateway allowed the before mentioned solution that Morasiva suggested to work with out any problems.

    Author Closing Comment

    Make sure you don't send any of the exchange web traffic through any type of proxy server.  Though it may not block the content, it may cause a long enough delay that Outlook will fail.

    After instaling a new UCC and setting autodiscover to only use the domains sited on the certificate, my prompting for password issue was sovled

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Suggested Solutions

    Email statistics and Mailbox database quotas You might have an interest in attaining information such as mailbox details, mailbox statistics and mailbox database details from Exchange server. At that point, knowing how to retrieve this information …
    Outlook Free & Paid Tools
    In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
    In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    12 Experts available now in Live!

    Get 1:1 Help Now