Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 836
  • Last Modified:

SBS 2008 / Exchange 2007 / Outlook 2010 Authentication popup's

Hi,

This might seem like a small problem to solve for a customer, but I think I have googled and tried most fixes out there, might aswell start back from scratch as there are obviously something I have not picked up.

The server is a SBS 2008 with Exchange 2007.
The clients are Windows 7 with Outlook 2010.

The clients are domain-members and users are logged in with domainuser-accounts for the exchange-account.

There is an external approved SSL certificate that matches the FQDN for the  IIS-webapplication-site.

The problem is occational popups (several per hour) prompting for authentication for Exchange.

Outlook is only used on workstatsions in internal LAN for this domain, not external usage.The domain name is correctly configured and E-mail flow in/out is working properly.

In addition symptoms Outlook wont load global address-book on demand, and the test for autoconfig fails even after it actually autoconfigures a new profile in Outlook.

Problem started early last month, and I have done most of the basic stuff as looked at the IIS Authentication for the related webapp folders, enabel kernal-mode auth, made sure all updates are installed incl "Rollup 10 For Exchange 2007 SP1".

I have also temporarily turned off Outlook Anywhere proxy in Outlook on a client but no luck, same auth-popup...

Where can I go from here?
0
Welten
Asked:
Welten
  • 11
  • 10
  • 4
1 Solution
 
Shreedhar EtteCommented:
- Open IIS > Go to Autodiscover Virtual Directory> Go Authentication> Under Authentication Select Windows Authentication

- On Right Hand Side you will find Providers Click on it.

- Add NTLM from Available Providers.

- Restart IIS Admin Service

- After above changes check the Outlook.
0
 
Alan HardistyCommented:
What names are included in your SSL certificate?

Do you have the following included?  :

remote.externaldomain.com
autodiscover.externaldomain.com
servername.internaldomain.local
servername
sites
0
 
WeltenAuthor Commented:
Only mail.externaldomain.com - "remote." was changed to "mail." during initial setup of SBS2008.

I have several customers with only this single-type cert with no such problems.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Alan HardistyCommented:
Well - I always install a Multi-Name SSL cert on my customer's SBS 2008 / SBS 2011 servers and have never had this problem.

Is your cert a SAN / UCC (multi-name cert) or a single name cert?
0
 
Alan HardistyCommented:
Does Autodiscover / Activesync work properly?
0
 
WeltenAuthor Commented:
For the /autodiscover authentication Basic and Windows auth is enabled, the others are disabled.

NTLM is not an option here, only Anonymous, ASP.Net Impersonation, Basic, Digest, Forms and Windows.
0
 
Alan HardistyCommented:
Demazter's article might help you here, but I would start with your SSL certificate and get the right names into it:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2300-Outlook-continually-prompting-for-username-and-password.html
0
 
Shreedhar EtteCommented:
Please once again read the comments...
0
 
WeltenAuthor Commented:
I just set up my Outlook (external) to read the admin-account through Outlook Anywhere and that works alright from the outside.

I have not configured autodiscover SRV records in the external DNS so I configured it manually, but no problems with that.

The SSL is a single-name SSL cert for mail.externaldomain.com, and as I said it has been working perfectly for 3 years, it's not expired and is obviously working as from what I can see in https://mail.externaldomain.com - I have also several other (20-ish) customers operating with only a single-name cert for SBS 2008 like this and never had a problem with that.

Regarding the article you refer to;

 - I know about the issue resolved by Rollup 9. Later updates are installed, this should not be a problem.

 - OK, autodiscover could be realted to the problem. This hotname does not resolve as I havent set it up, but again for the sites I have configured it I have set up as _autodiscover._tcp.externaldomain.com SRV IN 0 0 mail.externaldomain.com to avoid the need for more than a single name cert and after that autodiscover works. For this installation the issue is on the LAN side of things, this is not an issue at other installations why is it here?

 - Kernelmode auth is enabled

 - No IE Proxy is in use.
0
 
Alan HardistyCommented:
Well - my recommendation is to buy a SAN / UCC SSL certificate, which is also Microsoft's and not doing so means you are running an unsupported environment.

Can't offer any other suggestions as I don't have problems with my SBS servers when I install a SAN / UCC certificate.
0
 
WeltenAuthor Commented:
OK I hear what you are saying, I have now bought a new cert from certificatesforexchange.com - this process is going to take 4 to 24 hours to confirm, so in the mean time - as I seriously doubt that is the problem - I'd like to move the focus to the following;

I have now been externally connected to the server with Outlook 2010 configured with Outlook over SSL for more than an hour with no auth popup's. On the inside clients get the popup's about every (+/-) 10 minuttes. There must be some difference to what the client on the inside/outside sees here.. ideas?
0
 
Alan HardistyCommented:
Glen will be happy about your certificate purchase :)

Get the certificate installed - which shouldn't take that long to get approved, then once the certificate is installed, troubleshoot further if there is still a problem.

Until the cert is installed, further troubleshooting isn't a good use of anyone's time IMHO.
0
 
WeltenAuthor Commented:
New certificate is installed - covers the following hostnames;

mail.externaldomain.com
autodiscover.externaldomain.com
servername.internaldomain.local
servername
sites

In addition I have added autodiscover.externaldomain.com to the local DNS and pointed it to the local server. I have also made the webapplications site the default.

Restarted server after installation - restarted client - no change to the problem.
0
 
Alan HardistyCommented:
Okay - please re-run the Connect To The Internet Wizard from the SBS Console and let the Wizard Complete.
0
 
WeltenAuthor Commented:
Done!

Now the test for autodetect finishes successfully, but the clients still have popups for auth.
0
 
Shreedhar EtteCommented:
- Open IIS > Go to Autodiscover Virtual Directory> Go Authentication> Under Authentication Select Windows Authentication

- On Right Hand Side you will find Providers Click on it.

- Add NTLM from Available Providers.

- Restart IIS Admin Service

- After above changes check the Outlook.
0
 
WeltenAuthor Commented:
As I said earlier;

For the /autodiscover authentication Basic and Windows auth is enabled, the others are disabled.

NTLM is not an option here, only Anonymous, ASP.Net Impersonation, Basic, Digest, Forms and Windows.
0
 
Alan HardistyCommented:
Is it just an Authentication Window or another window that the users are seeing?
0
 
Shreedhar EtteCommented:
Please check attached image:
autodiscover.JPG
0
 
WeltenAuthor Commented:
Solution found!

There was a local Norwegian CRM-addin (Mamut add-in!) in Outlook that made Outlook pop-up it's default auth question because it's failing. When I disabled the add-in there seems to be no more prompt and everything is back to normal!
0
 
WeltenAuthor Commented:
The "Providers.." -link is not there, only the "Advanced Settings..."
0
 
Alan HardistyCommented:
If only we had ESP.
0
 
WeltenAuthor Commented:
SO true!!! :-)

Anyhow, thank you for all your suggestions...
0
 
Alan HardistyCommented:
I was getting closer in http:#a37801135

If you have screen dumped the window - might have got there quickly afterwards.

Still - you have a solution which is the main thing.
0
 
WeltenAuthor Commented:
Found the solution myself unrelated to any of the suggestions given to me here.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 11
  • 10
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now