Outlook 2007 & 2010 clients prompting for authentication on Exchange 2010 Server

Hi guys,

I have previously asked about this question before here and we have since resolved the autodiscover issues (testexchangeconnectivity.com shows passes for both Outlook tests) but the problem persists.

Users can be happily using Outlook for some time and then suddenly, they are prompted to enter their username and password before they can send/receive emails again.

To compound matters, the authentication window is easily lost behind other windows and the average user doesn't realise they are being prompted, but they notice their email is not working, resulting in a support call.

If autodiscover isn't the issue anymore, does anyone have any suggestions on where we should be looking for the cause?

Thanks in advance.
defecta Asked:

Vijaya Babu Sekar, Associate Ops Manager, Commented:
0
Hendrik Wiese, Information Security Manager, Commented:
Try the following:

1. Close Outlook
2. Open %userprofile%\AppData\Roaming\Microsoft\Protect
3. Rename the folder to OLD at the end
4. Restart machine
5. Outlook will ask for the password, enter the password and click remember credentials
6. Problem should now be solved

Hope this helps :)
0
defecta (Author) Commented:
I have checked the accepted solution in the link above and I appear to already be using the Windows Authentication settings suggested for Autodiscover. But I have basic and anonymous authentication methods working also. Can that be a problem? See attached (ISS_auth).
Further down in the same thread someone suggests changing Default Website and RPC.

I have just changed the authentication for RPC at this stage.

I will wait and see if that helps. I have been unable to reproduce this issue on cue so it's a waiting game unfortunately.
0
Sushil Sonawane Commented:
Update your Exchange server with the latest service pack, and update the server OS with its service pack as well.
0
defecta (Author) Commented:
HendrikWeise, restarting the machine or Outlook seems to temporarily solve the problem so I would have no way of knowing if that solution works because I have not yet found how to replicate the issue. It's seemingly random.

As it happens to many clients I will keep this option as a last resort as I believe at this stage it's server related. Unless you can help me understand otherwise?
0
Hendrik Wiese, Information Security Manager, Commented:
Hi,

That is the same method I used when it happened a couple of months ago and did not experience the issue again. :)
0
defecta (Author) Commented:
How many clients was it happening on?
0
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
I believe the following is what is happening:

1. You have WAN connectivity to Exchange
2. Due to WAN issues/traffic, Exchange connectivity is restored over the Internet
3. Connectivity is now using Basic authentication

My recommendation would be to change Outlook to use RPC/HTTPS for both slow and fast networks. This way users are prompted for authentication only when Outlook is launched.
0
wshty Commented:
Curious - can you please confirm that your users (or you) can plan meetings on the Outlook calendar with other employees (via calendar management assistant - or similar meaning; that means that the one who sets up the meeting can see the available timeframes of the other users before setting it up) when Outlook is seemingly working fine?
0
Hendrik Wiese, Information Security Manager, Commented:
Probably about 20 odd.
0
defecta (Author) Commented:
Mnkhawaja, ideally I don't want my users to ever see the authentication, the way it used to work before we migrated to the new servers. If they are only ever on the LAN they shouldn't ever see the authentication if everything is set up correctly.

Or is that not the case? Is this a new "feature" that I wasn't aware of until now?
0
Simon Butler (Sembee), Consultant, Commented:
I have to disagree with the recommendation to use Outlook Anywhere for everything. That isn't required in this instance.
Authentication prompts shouldn't occur on internal users ever.

Outlook connects to Exchange at frequent intervals for autodiscover. You need to verify where the authentication prompt is coming from before you start changing things on the servers.

For example, I have seen this happen when external DNS servers were configured in the clients, perhaps as additional DNS servers.

Do check via the Outlook connectivity tool that Outlook hasn't started to use Outlook Anywhere. That can generate prompts, but shouldn't be happening.

Simon.
0
defecta (Author) Commented:
Just reporting back: the changes to the RPC authentication didn't help. The problem still persists.

Simon, is the highlighted option the connectivity tool you speak of? See attached image (outlook_connectivity).
0
Simon Butler (Sembee), Consultant, Commented:
Yes, Connection Status will show you what is happening.
If the protocol is HTTPS then it is using Outlook Anywhere.

Simon.
0
defecta (Author) Commented:
Thanks Simon, I will report back when I catch another instance of this issue.
0
defecta (Author) Commented:
I haven't been able to catch another instance of this. There was one instance a few weeks back but it totally slipped my mind to diagnose the connection as described above.

As a workaround I have added some Outlook Admin Templates to Group Policy to disable Outlook Anywhere on all desktop machines on the domain. Here are the links to the templates that I used.
Outlook 2010 Admin template http://support.microsoft.com/kb/2426686
Outlook 2007 Admin template http://support.microsoft.com/kb/961112
I set the RPC/HTTP Connection Flags to 'no flags' for both admin templates. I left all the other settings as default with no changes.
0
defecta (Author) Commented:
Well, it would appear that the authentication prompts are nothing to do with Outlook Anywhere as I just got one and Outlook Anywhere is disabled. And as you can see in the attached screenshot (outlook authentication) it's not connecting via HTTPS.
0
Simon Butler (Sembee), Consultant, Commented:
It rarely is Outlook Anywhere.
The most common cause is Autodiscover or one of the web services, usually due to an SSL certificate issue.

Check the value of

get-clientaccessserver | select identity, AutodiscoverServiceInternalURI

The host name mentioned should
a. Resolve to Exchange
b. Be listed on the SSL certificate
c. The SSL certificate should be valid.

If not, then you will get prompts.

Simon.
0
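The three checks listed in the post above (the name resolves, the name is on the certificate, the certificate is valid), written out as an added PowerShell example; it is not code from the thread or from any participant. The function name Test-AutodiscoverEndpoint, its parameters and the host name mail.example.com are assumptions made for illustration.

```powershell
# Added example. Test-AutodiscoverEndpoint and its parameters are hypothetical names.
function Test-AutodiscoverEndpoint {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $r = New-Object PSObject -Property @{
        HostName = $HostName; ResolvesTo = ''; CertNames = ''; NameOnCert = $false
        InDate = $false; ChainTrusted = $false; NotAfter = $null
    }
    # (a) What this machine resolves the name to; compare with the Exchange server IPs.
    try { $r.ResolvesTo = ([System.Net.Dns]::GetHostAddresses($HostName) |
              ForEach-Object { $_.IPAddressToString }) -join ', ' }
    catch { return $r }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate so a faulty one can still be read; no data is sent.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # (b) Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
        # Assumes the English "DNS Name=" label that Windows prints for this extension.
        $names = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                       ForEach-Object { $_.Groups[1].Value })
        }
        if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }  # fall back to CN
        $r.CertNames = $names -join ', '
        $dot = $HostName.IndexOf('.')
        foreach ($n in $names) {
            # A wildcard entry covers exactly one left-most label.
            $wild = $n.StartsWith('*.') -and ($dot -gt 0) -and ($HostName.Substring($dot) -eq $n.Substring(1))
            if (($n -eq $HostName) -or $wild) { $r.NameOnCert = $true }
        }
        # (c) Validity: inside the date window, and the chain builds to a trusted root.
        $now = Get-Date
        $r.NotAfter = $cert.NotAfter
        $r.InDate = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        $r.ChainTrusted = $cert.Verify()
    }
    catch { Write-Warning "TLS check of ${HostName}:$Port failed: $($_.Exception.Message)" }
    finally { $tcp.Close() }
    $r
}

# Placeholder host name; substitute each host returned by the Get-ClientAccessServer command.
Test-AutodiscoverEndpoint -HostName 'mail.example.com' | Format-List
```

Running it from an affected workstation rather than from the server shows the DNS answer and trust store that Outlook on that machine actually uses.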
defecta (Author) Commented:
I am getting the two host names of our two Exchange servers.

I am not really sure that I am checking this correctly but the only SSL cert I can find installed on our mail server's IIS has the external FQDN and not the domain names that are returned with the above PS command. (BTW it's not set to expire until 2015 so the cert that is there is valid at least.)

What are the correct steps for checking the SSL cert?
0
Simon Butler (Sembee), Consultant, Commented:
Browse to the site, then look at the properties of the SSL certificate. The alternative names are listed on the advanced properties.

However I would expect the problem is the URL.
Set up a split DNS and change the host names in Exchange to match the SSL certificate.
http://semb.ee/hostnames

Simon.
0
defecta (Author) Commented:
I think I have found what you were talking about by browsing to the OWA site which is the external FQDN of the other site's Exchange server.
(F.Y.I., attempting to access the OWA via our external or internal FQDN redirects to the other site's external FQDN.)

Under the details tab of the SSL cert I found an entry called "Subject Alternative Name" and in that entry it has 5 entries.
DNS=(The external FQDN of the other site's Exchange server)
DNS=(The autodiscover address for the other site)
DNS=(The autodiscover address for this site)
DNS=(The internal FQDN of the other site's Exchange server)
DNS=(The internal FQDN of our Exchange server)

Does any of that sound any alarm bells for you?

Also, just checking if this SSL cert stuff is applicable if Outlook Anywhere is disabled?
0
Simon Butler (Sembee), Consultant, Commented:
SSL still applies even if you aren't using Outlook Anywhere, because Outlook makes connections to Exchange over SSL for other things.
Those are the correct URLs, therefore that is what you need to change Exchange to use instead.
Ensure that the external host names resolve internally to the internal IP address of the Exchange server/s.

Simon.
0
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
Have you run Exchange Connectivity Test to ensure there are no issues with your Exchange? Go to https://testconnectivity.microsoft.com/ and perform Web Services and Outlook Connectivity tests.
0
defecta (Author) Commented:
@mnkhawaja: Yes we have.

Our Autodiscover is set to resolve via the SRV redirect method which it does so successfully.

All the tests on Testexchangeconnectivity.com pass. Only Outlook Anywhere passes with an exception. See below.
Analyzing the certificate chains for compatibility problems with versions of Windows.
  Potential compatibility problems were identified with some versions of Windows.
 
 Additional Details
 
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

Elapsed Time: 2 ms.  
 
0
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
It seems like you either have a self-signed certificate or your cert provider's root certificate is not part of the trusted root certificates in Windows. Could you please advise as to where you got your SSL certificate from?
0
defecta (Author) Commented:
The certificate was acquired from our domain hosts, Web24, but I am reasonably certain that the issue is related not so much to the trust of the root certificate but more with how the certificate has been created.

Forgive me for not understanding the intricacies of the certificate as I haven't set it up. I'm just trying to fix it because it's not working as expected and the people that set it up insist that it's working fine. The cert has been created to serve multiple domains.

Is that making things clearer or murkier?
0
Simon Butler (Sembee), Consultant, Commented:
If you suspect the certificate then get it reissued using a certificate request from your own server. SSL certificates are easily broken, particularly during the request/response phase because they are just plain text at that stage.

Simon.
0