stcs


Why does Outlook prompt for password?

Can I start by saying I have never had this issue before. Using a simple all-in-one Exch 2010 single server scenario. I have searched the support communities relentlessly for a fix. I am unfortunately another one of millions out there that is trying to work through the changes required for Exchange 2010 server to work around the new UCC/SAN SSL cert rules.
I am now using DNS SRV for external Autodiscover service location. We obviously have different internal name space (*.local) and external name space. I have spent days reading around and sifting through relevant helpful articles and although the workarounds are easy to understand, fixing the potential problems as a direct consequence of applying the workaround is proving to be quite challenging.
I have worked through the changes required to redirect 2010 Exchange Server to use the external DNS name, but ever since applying the URL changes, Outlook clients (domain joined) are always getting a Windows Security password prompt a few seconds after they have opened Outlook in the mornings. The Windows Security dialogue box pops up and is invariably prepopulated with the username@smtpemailaddress. Users always have to change that to Domain\username (we don't use UPNs) and enter the password, and then it doesn't show up again until Outlook is closed and reopened. This happens on Win7 & Outlook 2010 as well as Win7 & Outlook 2007 users. I have checked the Autodiscover virtual directory in IIS and SSL authentication settings. SSL is set to require cert and ignore client cert. I have also enabled kernel mode authentication? This wasn't enabled before but I read about this somewhere and thought I should try it. The weird thing is that my computer (Win7/Outlook 2010) doesn't get this password prompt. The impact of ignoring this Windows Security dialogue box is that other applications (MIS) that are mail enabled will not open Outlook for the user to send email directly from the MIS application, and I noticed OOF is also broken. I then run the repair mailbox, which then forces a Windows Security box to launch, and once the correct username format is entered with the password everything is fine... until you exit Outlook.
It's a very irritating problem and I have run out of sensible ideas to try.
I have run Autodiscover tests both internally and externally and both are successful.

Any help greatly appreciated.
jaynee

So perhaps it's a password persistence problem.
Check Control Panel, User Accounts, Manage your credentials and see what the persistence setting of that username/password combo is, on your machine where you don't get the login dialog compared to the machines where the user does get the dialog.

I'm guessing that the persistence setting needs to be "Enterprise" - if it isn't, delete that entry and re-enter from scratch.

Have you tried recreating the Outlook profile?

If the issue persists, rejoin the workstation to the domain.

Update group policies.


- Manjunath Sullad
What are your Autodiscover URLs currently set to? I suspect the security error is informing you that the certificate installed on the server (remote.domain.co.uk) does not match the name of the server the internal Outlook clients are trying to reach (i.e. server.domain.local).

This would indicate that autodiscover is trying to force the clients to use the internal name of the server.

You could try setting all client-access URLs to the external address (this may help: http://technet.microsoft.com/en-us/library/dd876959%28v=exchg.141%29.aspx) and add an internal DNS entry to your network to point the external Exchange hostname to the internal IP of the server (i.e. remote.domain.co.uk > 192.168.100.0).
stcs

ASKER

Jaynee,
Thanks for your suggestion. I have checked and compared the differences between my computer and 3 others: no difference, all computers have the persistence setting as Enterprise.
I don't understand why it pops up the logon box. The Autodiscover URL change from the local FQDN hostname.localdomain to the public name mail.internetsmtpdomain has broken Outlook somewhere.
If I change back to the original FQDN local.domain (obviously not a solution) everything works fine. Something is going amiss here.
Interestingly, I did some further testing and deleted the Outlook profile for a user on the computer that has the same problem. When I started Outlook for this user, as expected it went through the motions of Autodiscovering the user's Outlook properties, but instead of automatically configuring the mailbox properties, I got challenged with a Windows logon prompt! This has never been the case before, when users have been able to automatically configure their own Outlook profiles without having to enter their password, as they are all domain joined clients and already authenticated to the AD domain, and that's what I would expect.

It seems that because the Autoconfigure services URL now refers to an external (external to AD trusted) domain name, the integrated Windows authentication (single sign on) isn't passing the credentials as it did before and would do if it was using the original default FQDN.local - is my reasoning correct?

Experts - is there a way to make this work without any complicated processes?
I have seen this problem solved elsewhere by entering credentials manually with the ip address(es) of the exchange server instead of the FQDN, into the top part as well as the "Generic Credentials" part in Credential Manager.

ASKER

"Try Manjunath's suggestion to rejoin the workstation to the domain."

I can't see how re-joining the workstation to the domain will help, as there are no Netlogon errors in the event viewer. Besides, I have almost 100 workstations!
Sorry about that, stcs - I realised that and edited it out of my post just before you posted above.
ASKER CERTIFIED SOLUTION
stcs


ASKER

close

ASKER

I was updating the exchange server configuration to allow for the use of a single name ssl certificate, because the UCC/SAN certs no longer support private local domain names.

I must have accidentally enabled Outlook Anywhere on the CAS server, which then automatically updated Outlook profiles to enable Exchange server proxy settings for RPC/HTTP, which can cause authentication pop ups.

I tried all suggestions, created new Outlook profiles, new user credentials in the Windows password vault, but nothing seemed to fix the pop ups, and it was annoying because domain joined clients didn't really need to use Outlook Anywhere.

I then read another posting on a website that had a similar issue and then realised my mistake: enabling Outlook Anywhere without understanding how it worked with Autodiscover to configure the profile for users.
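
The cause described in the last post, and the certificate name mismatch suspected earlier in the thread, can both be read from the Autodiscover response a client receives: when Outlook Anywhere is enabled the response carries an `EXPR` protocol block, and its `AuthPackage` tells Outlook how to authenticate to the RPC/HTTP proxy. The following is an added example, not code from the thread; the XML is a constructed sample that reuses the thread's placeholder host names, and `audit_autodiscover` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"a": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}
URL_TAGS = ("ASUrl", "OOFUrl", "OABUrl")  # EWS, Out of Office and Offline Address Book URLs

# Constructed sample response; host names are the placeholders used in the thread.
SAMPLE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <Protocol>
    <Type>EXCH</Type>
    <Server>server.domain.local</Server>
    <ASUrl>https://remote.domain.co.uk/EWS/Exchange.asmx</ASUrl>
    <OOFUrl>https://remote.domain.co.uk/EWS/Exchange.asmx</OOFUrl>
    <OABUrl>https://server.domain.local/OAB/</OABUrl>
   </Protocol>
   <Protocol>
    <Type>EXPR</Type>
    <Server>remote.domain.co.uk</Server>
    <SSL>On</SSL>
    <AuthPackage>Basic</AuthPackage>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>"""

def audit_autodiscover(xml_text, cert_name):
    """Return findings for one Autodiscover response, given the name on the SSL certificate."""
    findings = []
    root = ET.fromstring(xml_text)
    for proto in root.iterfind(".//a:Protocol", NS):
        ptype = proto.findtext("a:Type", "", NS)
        # Service URLs whose host is not the certificate name trigger name-mismatch warnings.
        for tag in URL_TAGS:
            url = proto.findtext(f"a:{tag}", None, NS)
            host = urlparse(url).hostname if url else None
            if host and host.lower() != cert_name.lower():
                findings.append(f"{ptype}: {tag} host {host} does not match certificate name {cert_name}")
        if ptype == "EXPR":  # an EXPR block means Outlook Anywhere is being handed to clients
            server = proto.findtext("a:Server", "?", NS)
            auth = proto.findtext("a:AuthPackage", "unspecified", NS)
            findings.append(f"EXPR: Outlook Anywhere published via {server}, auth={auth}")
            if auth.lower() == "basic":
                findings.append("EXPR: Basic auth cannot reuse the Windows logon, expect a credential prompt")
    return findings

if __name__ == "__main__":
    for line in audit_autodiscover(SAMPLE, "remote.domain.co.uk"):
        print(line)
```

The XML to feed it can be copied from the XML tab of Outlook's "Test E-mail AutoConfiguration" dialog on an affected workstation.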