Solved

Why does Outlook prompt for password?

Posted on 2014-03-11
Last Modified: 2014-03-20
Can I start by saying I have never had this issue before. Using a simple single ALL in one Exch 2010 single server scenario. I have searched the support communities relentlessly for a fix. I am unfortunately another one of millions out there that is trying to work through the changes required for Exchange 2010 server to work around the new UCC/SAN SSL cert rules.
I am now using DNS SRV for external Autodiscover service location. We obviously have different internal name space (*.local) and external name space. I have spent days reading around and sifting through relevant helpful articles and although the workarounds are easy to understand, fixing the potential problems as a direct consequence of applying the workaround is proving to be quite challenging.
I have worked through the changes required to redirect 2010 Exchange Server to use the External DNS name but ever since applying the URL changes, Outlook clients (domain joined) are always getting a Windows Security password prompt a few seconds after they have opened Outlook in the mornings. The Windows Security dialogue box pops up and is invariably prepopulated with the username@smtpemailaddress. Users always have to change that to Domain\username (we don't use UPNs) and enter the password, and then it doesn't show up again until Outlook is closed and reopened. This happens on Win7 & Outlook 2010 as well as Win7 & Outlook 2007 users. I have checked the Autodiscover virtual directory in IIS and SSL authentication settings. SSL is set to require cert and ignore Client cert. I have also enabled kernel mode authentication? This wasn't enabled before but I read about this somewhere and thought I should try it. The weird thing is that my computer (Win7/Outlook 2010) doesn't get this password prompt. The impact of ignoring this Windows Security dialogue box is that other applications (MIS) that are mail enabled will not open Outlook for the user to send email directly from the MIS application, and I noticed OOF is also broken. I then run the repair mailbox, which then forces a Windows Security box to launch, and once the correct username format is entered with the password everything is fine...until you exit Outlook.
It's a very irritating problem and I have run out of sensible ideas to try.
I have run Autodiscover tests both internally and externally and both are successful.

Any help greatly appreciated.
0
Question by:stcs
10 Comments
 
LVL 7

Expert Comment

by:jaynee
ID: 39920336
So perhaps it's a password persistence problem.
Check Control Panel, User Accounts, Manage your credentials and see what the persistence setting of that username/password combo is, on your machine where you don't get the login dialog compared to the machines where the user does get the dialog.

I'm guessing that the persistence setting needs to be "Enterprise" - if it isn't, delete that entry and re-enter from scratch.
0
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39920620
Have you tried recreating the Outlook profile?


If the issue persists, rejoin the workstation to the domain.

Update group policies.


- Manjunath Sullad
0
 
LVL 14

Expert Comment

by:Andy M
ID: 39920842
What are your Autodiscover URLs currently set to? I suspect the security error is informing you that the certificate installed on the server (remote.domain.co.uk) does not match the name of the server the internal Outlook clients are trying to reach (i.e. server.domain.local).

This would indicate that Autodiscover is trying to force the clients to use the internal name of the server.

You could try setting all client-access URLs to the external address (this may help: http://technet.microsoft.com/en-us/library/dd876959%28v=exchg.141%29.aspx) and add an internal DNS entry to your network to point the external Exchange hostname to the internal IP of the server (i.e. remote.domain.co.uk > 192.168.100.0).
0
 

Author Comment

by:stcs
ID: 39920918
Jaynee,
Thanks for your suggestion. I have checked and compared the differences between my computer and 3 others, no difference, all computers have the persistence setting as Enterprise.
I don't understand why it pops up the logon box. Autodiscover URL changes from local FQDN hostname.localdomain to public name mail.internetsmtpdomain have broken Outlook somewhere.
If I change back to original FQDN local.domain (obviously not a solution) everything works fine. Something is going amiss here.
Interestingly I did some further testing and deleted the Outlook profile for a user on the computer that has the same problem. When I started Outlook for this user, as expected it went through the motions of Autodiscovering the user's Outlook properties, but instead of automatically configuring the mailbox properties, I got challenged with a Windows logon prompt! This has never been the case before, when users have been able to automatically configure their own Outlook profiles without having to enter their password, as they are all domain joined clients and already authenticated to the AD domain, and that's what I would expect.

It seems that because the Autoconfigure services URL now refers to an external (external to AD trusted) domain name, the integrated Windows authentication (single sign on) isn't passing the credentials as it did before and would do if it was using the original default FQDN.local - is my reasoning correct?

Experts - is there a way to make this work without any complicated processes?
0
 
LVL 7

Expert Comment

by:jaynee
ID: 39921862
I have seen this problem solved elsewhere by entering credentials manually with the IP address(es) of the Exchange server instead of the FQDN, into the top part as well as the "Generic Credentials" part in Credential Manager.
0
 

Author Comment

by:stcs
ID: 39921932
"Try Manjunath's suggestion to rejoin the workstation to the domain."

I can't see how re-joining the workstation to the domain will help as there are no Netlogon errors in the event viewer. Besides, I have almost 100 workstations!
0
 
LVL 7

Expert Comment

by:jaynee
ID: 39922016
Sorry about that, stcs - I realised that and edited it out of my post just before you posted above.
0
 

Accepted Solution

by:stcs
ID: 39931842
I have figured out now that the logon prompts were popping up because I had inadvertently enabled Outlook Anywhere on the CAS, with Basic Authentication. This proxy (RPC/HTTP) configuration gets passed on to the clients via Autodiscover and the user profile connection settings are updated accordingly. So now the LAN clients have 2 methods of access (RPC/TCP and RPC/HTTP). RPC/HTTP, which uses Basic Authentication, causes the logon box pop-up, so I then disabled ALL users' Outlook Anywhere, which then updates the user profile and removes any RPC/HTTP settings. Problem appears to be solved!

Hope this is useful to someone else.
0
 

Author Comment

by:stcs
ID: 39931899
close
0
 

Author Closing Comment

by:stcs
ID: 39941779
I was updating the Exchange server configuration to allow for the use of a single name SSL certificate, because the UCC/SAN certs no longer support private local domain names.

I must have accidentally enabled Outlook Anywhere on the CAS server, which then automatically updated Outlook profiles to enable Exchange server proxy settings for RPC/HTTP, which can cause authentication pop-ups.

I tried all suggestions, created new Outlook profiles, new user credentials in the Windows password vault, but nothing seemed to fix the pop-ups, and it was annoying because domain joined clients didn't really need to use Outlook Anywhere.

I then read another posting on a website that had a similar issue and then realised my mistake to enable Outlook Anywhere without understanding how it worked with Autodiscover to configure the profile for users.
0
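
A check for the condition described in the accepted solution and closing comment, as an added example that is not part of the original thread: it parses an Autodiscover response (for instance the XML shown by Outlook's Test E-mail AutoConfiguration tool) and reports whether an Outlook Anywhere (EXPR) block is being published to clients and with which authentication package. The sample XML and host names are constructed, and `audit_autodiscover` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Namespace of the Outlook Autodiscover response payload.
NS = {"a": "http://schemas.microsoft.com/exchange/autodiscover/"
           "outlook/responseschema/2006a"}

# Constructed sample, trimmed to the relevant elements; host names are
# placeholders. EXCH = RPC/TCP, EXPR = Outlook Anywhere (RPC/HTTP).
SAMPLE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <Protocol><Type>EXCH</Type><Server>server.domain.local</Server></Protocol>
   <Protocol>
    <Type>EXPR</Type><Server>mail.example.com</Server>
    <SSL>On</SSL><AuthPackage>Basic</AuthPackage>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>"""


def audit_autodiscover(xml_text):
    """Hypothetical helper: summarise the EXPR blocks Autodiscover publishes."""
    root = ET.fromstring(xml_text)
    expr = []
    for proto in root.iterfind(".//a:Protocol", NS):
        if proto.findtext("a:Type", "", NS).strip().upper() != "EXPR":
            continue
        auth = proto.findtext("a:AuthPackage", "", NS).strip()
        # Assumption: a missing SSL element is treated as "On".
        ssl_on = proto.findtext("a:SSL", "On", NS).strip().lower() == "on"
        basic = auth.lower() == "basic"
        expr.append({
            "server": proto.findtext("a:Server", "", NS).strip(),
            "auth": auth or "(not specified)",
            # Basic cannot reuse the Windows logon session, so Outlook asks.
            "prompts_for_password": basic,
            # Basic sends the password itself; without TLS it is exposed.
            "password_in_clear": basic and not ssl_on,
        })
    return {"outlook_anywhere_published": bool(expr), "expr": expr}


if __name__ == "__main__":
    report = audit_autodiscover(SAMPLE)
    print("Outlook Anywhere published:", report["outlook_anywhere_published"])
    for block in report["expr"]:
        print(block)
```

An empty `expr` list after Outlook Anywhere is disabled confirms that clients are no longer being handed RPC/HTTP settings.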
