farrnate asked:
Outlook 2010 Prompts for password at launch. ISA issues?

I've been working through an issue where (as part of an Exch 2003 to 2010 transition) my test mailbox prompts for a password within a few moments of launching Outlook 2010 (this only happens for users on the Exch 2010 server).  I put in the password and the session is as expected.  I also see a prompt from the ISA server.  

The existing topology is Exch 2003 is on the edge with a public IP.  Works as expected.  I set up Exch 2010 with new public IP, routing groups, free/busy/public folder replication, SAN cert (legacy, mail, autodiscover) on 2010 and exported to 2003.  Split DNS? (I added ourdomain.com to internal dns with legacy, autodiscover) Before we had only ourdomain.local

This environment was set up so that ISA was only for web browser traffic from users to the web.  

At this point I have proxy set up to the ISA server on Exch 2010 with a bypass list of *.ourdomain.local  (That fixed the cert revocation list issue for the SAN cert)  

The best I can guess is I have a configuration problem somewhere and Outlook/exchange is hitting ISA which causes the password prompt.  I'm not sure what to look at next.  

Ultimately I'm working for as smooth as possible a move to Exch 2010 and to decommission the old server.  My exec team is really pushing and it doesn't help that the database is way over limit.  I need to begin moving mailboxes as soon as possible.

Also: Though I have tested mail flow, I have not changed public DNS to point to the new Exch 2010 IP address yet.  I have been testing as much as possible without changing DNS.
EMJSR:

It does not necessarily have to be an issue with ISA. It could just be the Outlook Anywhere option. If you do not need this feature, I would turn it off and then the password prompt should go away.

Please see the attached image as a reference. You can find the option within the profile's mail account settings.
[attached image: outlook-anywhere.JPG]
It is probably your setting for OA. On a domain joined machine, run Outlook.exe /RPCDIAG and see how Exchange is connecting.

If you look at the Conn tab, you should see either HTTPS (Outlook Anywhere) or TCP/IP (MAPI). If it is HTTPS and the Authn tab shows Basic, then it should prompt you for a password, as on domain joined machines it will not utilize the existing Kerberos token.

To fix this you can simply change the authentication type from Basic to NTLM within the Outlook Anywhere settings, and then change it on the web listener within ISA. The only issue you might run into is that OWA (for silent redirection) requires Basic authentication, so you would have to set up a new listener / FQDN for Outlook Anywhere. That is described in the whitepaper below. If you do not want to go through this trouble, you can turn off Outlook Anywhere also.

This is described in more detail in the two links below:

Blog from the Exchange Product Group on ISA 2006SP1 / Exchange 2010 integration: http://blogs.technet.com/b/exchange/archive/2009/12/17/3409102.aspx

Whitepaper for TMG / UAG integration with Exchange 2010 (same concept applies with ISA 2006SP1):
http://blogs.technet.com/b/exchange/archive/2010/07/16/publishing-exchange-server-2010-with-forefront-uag-and-tmg.aspx

Disabling Outlook Anywhere:
http://technet.microsoft.com/en-us/library/bb124537(v=exchg.141).aspx
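The check and the change described in the answer above, as an added example for the Exchange Management Shell (PowerShell 2.0 compatible); this is not code from the thread or from Microsoft's documentation. It assumes Exchange 2010 cmdlets (Get/Set/Disable-OutlookAnywhere, Get-ClientAccessServer) run with Organization Management rights; the -Server and -Action parameters are my own naming.

```powershell
# Added example (not from the thread): report how each CAS is configured for Outlook Anywhere,
# the HTTPS path whose Basic authentication causes the credential prompt on domain-joined
# clients, and optionally switch it to NTLM or disable it. Exchange 2010 Management Shell.
param(
    [string]$Server,                                                # one CAS, or empty for all
    [ValidateSet('Audit','SetNtlm','Disable')] [string]$Action = 'Audit'   # assumed parameter
)

$servers = if ($Server) { @(Get-ClientAccessServer -Identity $Server) } else { @(Get-ClientAccessServer) }

foreach ($cas in $servers) {
    $oa = Get-OutlookAnywhere -Server $cas.Name -ErrorAction SilentlyContinue
    if (-not $oa) {
        Write-Host ("{0}: Outlook Anywhere is not enabled" -f $cas.Name)
        continue
    }

    # ClientAuthenticationMethod is what Autodiscover pushes into the Outlook profile
    # ("Connect using HTTP" + proxy auth); IISAuthenticationMethods is what the RPC vdir
    # actually accepts. Both must line up with the ISA/TMG listener in front of them.
    Write-Host ("{0}: ExternalHostname={1} ClientAuth={2} IISAuth={3} SSLOffloading={4}" -f `
        $cas.Name, $oa.ExternalHostname, $oa.ClientAuthenticationMethod,
        ($oa.IISAuthenticationMethods -join ','), $oa.SSLOffloading)

    switch ($Action) {
        'SetNtlm' {
            if ($oa.ClientAuthenticationMethod -ne 'Ntlm') {
                # Keep Basic on IIS so an external listener that still speaks Basic keeps working;
                # clients are told to use NTLM, which a domain-joined Outlook can satisfy silently.
                Set-OutlookAnywhere -Identity $oa.Identity -ClientAuthenticationMethod Ntlm `
                    -IISAuthenticationMethods Basic,Ntlm
                Write-Host "  -> client authentication switched to NTLM; update the ISA/TMG listener to match"
            }
        }
        'Disable' {
            # With no CAS in the site offering OA, Autodiscover stops re-checking the HTTP box.
            Disable-OutlookAnywhere -Server $cas.Name -Confirm:$false
            Write-Host "  -> Outlook Anywhere disabled on this server"
        }
    }
}
```

Run it with no arguments first to see every server's state, then confirm on a client with `outlook.exe /rpcdiag` that the Conn column shows TCP/IP (or HTTPS with Authn NTLM) before rolling the change out; Autodiscover can take up to a restart of Outlook to push the new setting into profiles.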
nashiooka:
I had a similar issue.  Basically whenever I moved a database between DAG nodes users would get prompted.  This was because Outlook technically sees a disconnect.  Having Outlook Anywhere enabled means that on disconnect Outlook attempts to connect using HTTPS, causing the prompt.

The second part of this was I couldn't uncheck the "Connect to Microsoft Exchange using HTTP" checkbox, it kept rechecking.  After researching I learned autodiscover was rechecking the box because there was indeed a server enabled to OA in the site!

I acknowledge that you are getting the prompts more often than just on switchover.  You may be disconnecting, which would need separate troubleshooting, but here's what I ultimately did to fix it.

To mitigate this issue we overrode the setting using GPO, but we had to download another template as the setting isn't in the office templates.

http://support.microsoft.com/kb/2426686

Good luck.
Go to the exrca.com site. Click on the client tab, download it and run it. Select the required option and run the test. The test result will help you narrow down the root cause.
farrnate (asker):
Would the web listener be affected by the following:

ISA server 2000 sp 2 (unique public IP)

Exch 2003/PDC/DNS (unique public IP) receives public DNS mail.ourdomain.com

Exch 2010 (unique public IP)
Oddly enough.  I deleted the user from my test machine.  Logged back in and autodiscover found and connected to the CAS array name and connected.  This was new.  Usually it would fail and ask for credentials.  I ran outlook.exe /rpcdiag and it showed connecting via tcp/ip for the mailbox and https for calendars (calendars are still on 2003).  I got a cert prompt since the fqdn is not on the SAN (least of my issues) then it seemed to connect great.  

The HTTPS connections were via NTLM.  This mailbox was created from EMC on 2010 as a new mailbox.  I'll do a local move on one now and check results and post.
Also.  I expect to move a handful of mailboxes at a time.  Will Outlook need to be changed manually from the old Exchange server to the new CAS array name?  I don't mind doing it but was hoping for a more seamless transition.
Outlook should update the profile on its own.  Users will be prompted to restart Outlook.  This happens based on the wrong-server MAPI response the old server will reply with.  It's basically a referral to the new server.
Just tested that with a test mailbox.  Works great while on Exch 2003; I do a local move request, log back on with outlook.exe /rpcdiag and can see it making new connections to the new database.  I then get a popup for ID/pass and one for the ISA server.  I can cancel out of them and the connection/function seems fine but they pop up every time I launch Outlook.  

Though we don't use ISA for email at all Outlook is using browser settings or proxy settings from exchange to look at internal urls?  

When I put in the ID/password Outlook accepts it.  isa.myserver.local just pops the login screen up again.

I read this from Microsoft but I am not sure how to or if I need to implement this in my ISA.
http://technet.microsoft.com/en-us/library/aa998036(v=exchg.141).aspx
What are the internal URL settings for the WebServicesVirtualDirectory, Get-WebServicesVirtualDirectory -Server <ServerName> | ft *url*

Same thing for the OfflineAddressBook?

Also, the AutodiscoverServiceInternalUri, Get-ClientAccessServer <ServerName> | fl AutodiscoverServiceInternalUri

If these things point to the same namespace you are publishing to external users via ISA you should leverage split DNS so they resolve to a CAS server or load balancer / CASArray internally.  Admittedly this is hard to find in the MS documents but take a look at the below link:

http://blogs.technet.com/b/exchange/archive/2009/12/17/3409102.aspx

In several notes they mention the assumption of split brain DNS.  This is how I implemented autodiscover, OAB, and EWS in my environment, and aside from the prompt on disconnect I mentioned before I've had no issues.

Let me know if that helps.  Thanks
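The URL check that the answer above walks through by hand (EWS, OAB and Autodiscover URLs, then confirming each name resolves internally and is on the certificate), as an added example for the Exchange Management Shell; it is not code from the thread or from Microsoft. It assumes Exchange 2010 cmdlets on a single CAS, PowerShell 2.0 syntax, and that the certificate with the IIS service assigned is the one Outlook will see; the -Server and -ExpectedIP parameters and the Test-SanMatch helper are my own.

```powershell
# Added example (not from the thread): audit every client-facing URL on one Exchange 2010 CAS.
# For each hostname it reports whether the name resolves from this box (split DNS in place?),
# what it resolves to, and whether the IIS-bound certificate's SAN covers it.
param(
    [string]$Server = $env:COMPUTERNAME,   # assumed: run on or against one CAS
    [string]$ExpectedIP = ""               # assumed: internal IP the split-DNS record should return (CAS array/LB)
)

$entries = New-Object System.Collections.ArrayList
function Add-Entry([string]$svc, [string]$scope, $url) {
    if ($url) { [void]$entries.Add((New-Object PSObject -Property @{ Service=$svc; Scope=$scope; Url=[string]$url })) }
}

# Collect the URLs Autodiscover hands out; these are what Outlook will try to open.
$cas = Get-ClientAccessServer -Identity $Server
Add-Entry 'Autodiscover' 'Internal' $cas.AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object {
    Add-Entry 'EWS' 'Internal' $_.InternalUrl; Add-Entry 'EWS' 'External' $_.ExternalUrl }
Get-OabVirtualDirectory -Server $Server | ForEach-Object {
    Add-Entry 'OAB' 'Internal' $_.InternalUrl; Add-Entry 'OAB' 'External' $_.ExternalUrl }
Get-OwaVirtualDirectory -Server $Server | ForEach-Object {
    Add-Entry 'OWA' 'Internal' $_.InternalUrl; Add-Entry 'OWA' 'External' $_.ExternalUrl }
Get-ActiveSyncVirtualDirectory -Server $Server | ForEach-Object {
    Add-Entry 'EAS' 'Internal' $_.InternalUrl; Add-Entry 'EAS' 'External' $_.ExternalUrl }
$oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
if ($oa) { Add-Entry 'OutlookAnywhere' 'External' ("https://" + $oa.ExternalHostname + "/rpc") }

# SAN list of the certificate bound to IIS (the one clients are presented with).
$cert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans = @()
if ($cert) { $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }) }

function Test-SanMatch([string]$hostname, [string[]]$sans) {
    foreach ($san in $sans) {
        if ($san -eq $hostname) { return $true }
        if ($san.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.crdius.com matches mail.crdius.com, not a.b.crdius.com
            $suffix = $san.Substring(1)
            if ($hostname.EndsWith($suffix) -and
                ($hostname.Substring(0, $hostname.Length - $suffix.Length) -notmatch '\.')) { return $true }
        }
    }
    return $false
}

$report = foreach ($e in $entries) {
    $h = ([Uri]$e.Url).Host.ToLower()
    try   { $resolves = ([System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }) -join ',' }
    catch { $resolves = 'UNRESOLVABLE' }
    $onSan = Test-SanMatch $h $sans
    $issues = @()
    if (-not $onSan) { $issues += 'name not on IIS certificate' }                 # -> cert warning in Outlook
    if ($resolves -eq 'UNRESOLVABLE') { $issues += 'no internal DNS record' }    # -> split DNS missing
    elseif ($ExpectedIP -and $resolves -ne $ExpectedIP) { $issues += "resolves to $resolves, expected $ExpectedIP" }
    New-Object PSObject -Property @{ Service=$e.Service; Scope=$e.Scope; Host=$h; OnSAN=$onSan;
                                     ResolvesTo=$resolves; Issue=($issues -join '; ') }
}
$report | Select-Object Service, Scope, Host, OnSAN, ResolvesTo, Issue | Format-Table -AutoSize
```

Run it from the CAS (or from any domain member with the management tools) with the IP of the CAS array as -ExpectedIP; a row whose host is the server's own .local FQDN with OnSAN false is the certificate prompt described in this thread, and a public name that resolves to the old edge server or the proxy instead of the array is the split-DNS gap. Once the report is clean, the same names can be set consistently with Set-WebServicesVirtualDirectory -InternalUrl/-ExternalUrl, Set-OabVirtualDirectory and Set-ClientAccessServer -AutodiscoverServiceInternalUri.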
WebServicesVirtualDirectory:
InternalNLBBypassUrl: https://server.crdius.local/ews/exchange.asmx
InternalUrl: https://server.domain.local/ews/exchange
ExternalUrl: https://mail.crdius.com/ews/exchange.asmx

OfflineAddressBook:
InternalUrl: https://mail.crdius.com/oab
ExternalUrl: https://mail.crdius.com/oab
(authentication for both says basic, windowsintegrated)

AutodiscoverServiceInternalUri: https://mail.crdius.com/autodiscover/autodiscover.xml

Can you see anything I have done incorrectly?  I have noticed if I use the FQDN on internal URLs I get cert errors because the name isn't on the SAN.  At this point I'm willing to reset all my URLs.

I don't know about publishing to ISA.  The ISA server here is 2000 and user's web browsers are set to use it.  I would like to bypass ISA completely if possible.  If not possible I need to know how to configure it to work with Exchange.  External DNS has always pointed directly to the public IP of the Exch 2003 server (on the edge).
You must have split brain DNS for that. The way to fix it is to create an internal DNS record for mail.crdius.com and point it to your CAS server or array's IP address.

Do an nslookup on mail.crdius.com; if it returns the ISA server address then you've confirmed the issue.
nslookup from my local machine for mail.crdius.com and I get the IP address of the Exch 2003 server on the network.  

Looking at DNS internally I see two lookup zones crdius.local and crdius.com

I created crdius.com with A records for: autodiscover, and legacy (both point to the new Exch2010)

crdius.local has: outlook (pointing to cas array IP), and an MX record where Host/child domain: blank
fqdn of mail server: mail.crdius.com

Do I also need an A record for mail.crdius.com pointing to the new Exch 2010?  

Thanks again for the advice.  I apologize for being confused on the issue.

As a side note: On my test account on Exch 2010 I removed the proxy settings from IE and Outlook seems to work just great with no id/pass pop ups.  This is significant for me as I will likely retire the ISA (2000) server completely and use a different solution.  

Looking into that now (any suggestions?)   Assuming I get this accomplished, I have only a security popup because the Exch 2010 FQDN is not on the SAN certificate.  Can I set the virtual directories to all use mail.crdius.com internally to get rid of this error?  Will the split brain DNS help this?  Is there a downside to split brain DNS?
ASKER CERTIFIED SOLUTION by nashiooka (answer text not available on this page)
I was able to get the virtual directory URLs worked out.  They are all currently configured for the external DNS name which is on the SAN.  Thus far my cert issues are resolved.  As for ISA I experimented ad nauseam with the proxy.  I found that with no proxy settings in IE Outlook performed great but then Internet access was out.  I used GPO to add an additional proxy bypass with our DNS names *.crdius.local and *.crdius.com.  So far all my tests are working.

Next step will be to cut all traffic over to the new Exch 2010 public IP and hope that it works smoothly.  All the tests I've done so far say it should be fine.  Email auto-configuration tests show 404 errors on several things that I attribute to public DNS pointing to the old server, not the new Exchange.  (Unless anyone has any thoughts on that)

At this time I am cautiously optimistic.