Solved

SBS 2008 / Exchange 2007 / Outlook 2010 Authentication popups

Posted on 2012-04-03
Last Modified: 2012-04-08
Hi,

This might seem like a small problem to solve for a customer, but I think I have googled and tried most fixes out there. I might as well start back from scratch, as there is obviously something I have not picked up.

The server is a SBS 2008 with Exchange 2007.
The clients are Windows 7 with Outlook 2010.

The clients are domain members and users are logged in with domain user accounts for the Exchange account.

There is an external approved SSL certificate that matches the FQDN for the IIS web application site.

The problem is occasional popups (several per hour) prompting for authentication for Exchange.

Outlook is only used on workstations in the internal LAN for this domain, not external usage. The domain name is correctly configured and e-mail flow in/out is working properly.

Additional symptoms: Outlook won't load the global address book on demand, and the test for autoconfig fails even after it actually autoconfigures a new profile in Outlook.

The problem started early last month, and I have done most of the basic stuff, such as looking at the IIS authentication for the related webapp folders, enabling kernel-mode auth, and making sure all updates are installed, incl. "Rollup 10 For Exchange 2007 SP1".

I have also temporarily turned off Outlook Anywhere proxy in Outlook on a client but no luck, same auth-popup...

Where can I go from here?
Question by:Welten
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 37800382
- Open IIS > Go to Autodiscover Virtual Directory> Go Authentication> Under Authentication Select Windows Authentication

- On Right Hand Side you will find Providers Click on it.

- Add NTLM from Available Providers.

- Restart IIS Admin Service

- After above changes check the Outlook.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37800391
What names are included in your SSL certificate?

Do you have the following included?  :

remote.externaldomain.com
autodiscover.externaldomain.com
servername.internaldomain.local
servername
sites
0
 
LVL 1

Author Comment

by:Welten
ID: 37800406
Only mail.externaldomain.com - "remote." was changed to "mail." during initial setup of SBS2008.

I have several customers with only this single-type cert with no such problems.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37800425
Well - I always install a Multi-Name SSL cert on my customer's SBS 2008 / SBS 2011 servers and have never had this problem.

Is your cert a SAN / UCC (multi-name cert) or a single name cert?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37800427
Does Autodiscover / Activesync work properly?
0
 
LVL 1

Author Comment

by:Welten
ID: 37800464
For the /autodiscover authentication Basic and Windows auth is enabled, the others are disabled.

NTLM is not an option here, only Anonymous, ASP.Net Impersonation, Basic, Digest, Forms and Windows.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37800468
Demazter's article might help you here, but I would start with your SSL certificate and get the right names into it:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2300-Outlook-continually-prompting-for-username-and-password.html
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 37800471
Please once again read the comments...
0
 
LVL 1

Author Comment

by:Welten
ID: 37800537
I just set up my Outlook (external) to read the admin-account through Outlook Anywhere and that works alright from the outside.

I have not configured autodiscover SRV records in the external DNS so I configured it manually, but no problems with that.

The SSL is a single-name SSL cert for mail.externaldomain.com, and as I said it has been working perfectly for 3 years, it's not expired and is obviously working as from what I can see in https://mail.externaldomain.com - I have also several other (20-ish) customers operating with only a single-name cert for SBS 2008 like this and never had a problem with that.

Regarding the article you refer to;

 - I know about the issue resolved by Rollup 9. Later updates are installed, this should not be a problem.

 - OK, autodiscover could be related to the problem. This hostname does not resolve as I haven't set it up, but again, for the sites where I have configured it, I have set it up as _autodiscover._tcp.externaldomain.com SRV IN 0 0 mail.externaldomain.com to avoid the need for more than a single-name cert, and after that autodiscover works. For this installation the issue is on the LAN side of things; this is not an issue at other installations, so why is it here?

 - Kernelmode auth is enabled

 - No IE Proxy is in use.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37800543
Well - my recommendation is to buy a SAN / UCC SSL certificate, which is also Microsoft's, and not doing so means you are running an unsupported environment.

Can't offer any other suggestions as I don't have problems with my SBS servers when I install a SAN / UCC certificate.
0
 
LVL 1

Author Comment

by:Welten
ID: 37800755
OK, I hear what you are saying. I have now bought a new cert from certificatesforexchange.com - this process is going to take 4 to 24 hours to confirm, so in the meantime - as I seriously doubt that is the problem - I'd like to move the focus to the following:

I have now been externally connected to the server with Outlook 2010 configured with Outlook over SSL for more than an hour with no auth popups. On the inside, clients get the popups about every (+/-) 10 minutes. There must be some difference in what the client on the inside/outside sees here... ideas?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37800781
Glen will be happy about your certificate purchase :)

Get the certificate installed - which shouldn't take that long to get approved, then once the certificate is installed, troubleshoot further if there is still a problem.

Until the cert is installed, further troubleshooting isn't a good use of anyone's time IMHO.
0
 
LVL 1

Author Comment

by:Welten
ID: 37800932
New certificate is installed - covers the following hostnames;

mail.externaldomain.com
autodiscover.externaldomain.com
servername.internaldomain.local
servername
sites

In addition I have added autodiscover.externaldomain.com to the local DNS and pointed it to the local server. I have also made the webapplications site the default.

Restarted server after installation - restarted client - no change to the problem.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37800973
Okay - please re-run the Connect To The Internet Wizard from the SBS Console and let the Wizard Complete.
0
 
LVL 1

Author Comment

by:Welten
ID: 37801081
Done!

Now the test for autodetect finishes successfully, but the clients still have popups for auth.
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 37801113
- Open IIS > Go to Autodiscover Virtual Directory> Go Authentication> Under Authentication Select Windows Authentication

- On Right Hand Side you will find Providers Click on it.

- Add NTLM from Available Providers.

- Restart IIS Admin Service

- After above changes check the Outlook.
0
 
LVL 1

Author Comment

by:Welten
ID: 37801122
As I said earlier;

For the /autodiscover authentication Basic and Windows auth is enabled, the others are disabled.

NTLM is not an option here, only Anonymous, ASP.Net Impersonation, Basic, Digest, Forms and Windows.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37801135
Is it just an Authentication Window or another window that the users are seeing?
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 37801179
Please check attached image:
autodiscover.JPG
0
 
LVL 1

Accepted Solution

by:
Welten earned 0 total points
ID: 37801211
Solution found!

There was a local Norwegian CRM add-in (Mamut add-in!) in Outlook that made Outlook pop up its default auth question because it's failing. When I disabled the add-in there seems to be no more prompt and everything is back to normal!
0
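
An inventory of the COM add-ins registered for Outlook on a workstation, as an added example that is not part of the original thread. It assumes the standard Office add-in registry locations and the documented meaning of the `LoadBehavior` value; the function name `Get-OutlookAddin` is hypothetical.

```powershell
# Registry locations where Outlook COM add-ins register: per-user, per-machine,
# and the 32-bit view used by 32-bit Office on 64-bit Windows.
$AddinRoots = @(
    'HKCU:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\SOFTWARE\Microsoft\Office\Outlook\Addins',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Outlook\Addins'
)

# Hypothetical helper: returns one object per registered add-in.
function Get-OutlookAddin {
    foreach ($root in $AddinRoots) {
        # A root is absent when nothing is registered at that scope.
        if (-not (Test-Path -Path $root)) { continue }

        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            $load  = $props.LoadBehavior

            New-Object PSObject -Property @{
                ProgId         = $key.PSChildName       # subkey name is the add-in's ProgID
                FriendlyName   = $props.FriendlyName
                Scope          = $root.Substring(0, 4)  # HKCU or HKLM
                LoadBehavior   = $load
                # LoadBehavior is a bit field: bit 0 = currently connected,
                # bit 1 = load at startup (so 3 means "loaded at every start").
                Connected      = (($load -band 1) -ne 0)
                LoadsAtStartup = (($load -band 2) -ne 0)
            }
        }
    }
}

# Show what Outlook will load for the current user on this machine.
Get-OutlookAddin |
    Sort-Object ProgId |
    Format-Table ProgId, FriendlyName, Scope, LoadBehavior, LoadsAtStartup -AutoSize
```

Running this on a client that shows the prompts and on one that does not gives a quick diff of third-party code loaded into Outlook before any server-side setting is changed.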
 
LVL 1

Author Comment

by:Welten
ID: 37801239
The "Providers.." -link is not there, only the "Advanced Settings..."
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37801300
If only we had ESP.
0
 
LVL 1

Author Comment

by:Welten
ID: 37801324
SO true!!! :-)

Anyhow, thank you for all your suggestions...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37801352
I was getting closer in http:#a37801135

If you have screen dumped the window - might have got there quickly afterwards.

Still - you have a solution which is the main thing.
0
 
LVL 1

Author Closing Comment

by:Welten
ID: 37820840
Found the solution myself unrelated to any of the suggestions given to me here.
0