Solved

Why does Outlook prompt for password?

Posted on 2014-03-11
10
2,021 Views
Last Modified: 2014-03-20
Can I start by saying I have never had this issue before. Using a simple single all-in-one Exch 2010 single server scenario. I have searched the support communities relentlessly for a fix. I am unfortunately another one of millions out there that is trying to work through the changes required for Exchange 2010 server to work around the new UCC/SAN SSL cert rules.
I am now using DNS SRV for external Autodiscover service location. We obviously have different internal name space (*.local) and external name space. I have spent days reading around and sifting through relevant helpful articles and although the workarounds are easy to understand, fixing the potential problems as a direct consequence of applying the workaround is proving to be quite challenging.
I have worked through the changes required to redirect 2010 Exchange Server to use the external DNS name, but ever since applying the URL changes, Outlook clients (domain joined) are always getting a Windows Security password prompt a few seconds after they have opened Outlook in the mornings. The Windows Security dialogue box pops up and is invariably prepopulated with the username@smtpemailaddress. Users always have to change that to Domain\username (we don't use UPNs) and enter the password, and then it doesn't show up again until Outlook is closed and reopened. This happens on Win7 & Outlook 2010 as well as Win7 & Outlook 2007 users.
I have checked the Autodiscover virtual directory in IIS and SSL authentication settings. SSL is set to require cert and ignore client cert. I have also enabled kernel mode authentication? This wasn't enabled before but I read about this somewhere and thought I should try it. The weird thing is that my computer (Win7/Outlook 2010) doesn't get this password prompt.
The impact of ignoring this Windows Security dialogue box is that other applications (MIS) that are mail enabled will not open Outlook for the user to send email directly from the MIS application, and I noticed OOF is also broken. I then run the repair mailbox, which then forces a Windows Security box to launch, and once the correct username format is entered with the password everything is fine... until you exit Outlook.
It's a very irritating problem and I have run out of sensible ideas to try.
I have run Autodiscover tests both internally and externally and both are successful.

Any help greatly appreciated.
0
Question by:stcs
10 Comments
 
LVL 7

Expert Comment

by:jaynee
ID: 39920336
So perhaps it's a password persistence problem.
Check Control Panel, User Accounts, Manage your credentials and see what the persistence setting of that username/password combo is, on your machine where you don't get the login dialog compared to the machines where the user does get the dialog.

I'm guessing that the persistence setting needs to be "Enterprise" - if it isn't, delete that entry and re-enter from scratch.
0
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39920620
Have you tried recreating the Outlook profile?

If the issue persists, rejoin the workstation to the domain.

Update group policies.


- Manjunath Sullad
0
 
LVL 13

Expert Comment

by:Andy M
ID: 39920842
What are your Autodiscover URLs currently set to? I suspect the security error is informing you that the certificate installed on the server (remote.domain.co.uk) does not match the name of the server the internal Outlook clients are trying to reach (i.e. server.domain.local).

This would indicate that Autodiscover is trying to force the clients to use the internal name of the server.

You could try setting all client-access URLs to the external address (this may help: http://technet.microsoft.com/en-us/library/dd876959%28v=exchg.141%29.aspx) and add an internal DNS entry to your network to point the external Exchange hostname to the internal IP of the server (i.e. remote.domain.co.uk > 192.168.100.0).
0
 

Author Comment

by:stcs
ID: 39920918
Jaynee,
Thanks for your suggestion. I have checked and compared the differences between my computer and 3 others: no difference, all computers have the persistence setting as Enterprise.
I don't understand why it pops up the logon box. The Autodiscover URL change from local FQDN hostname.localdomain to public name mail.internetsmtpdomain has broken Outlook somewhere.
If I change back to the original FQDN local.domain (obviously not a solution) everything works fine. Something is going amiss here.
Interestingly, I did some further testing and deleted the Outlook profile for a user on the computer that has the same problem. When I started Outlook for this user, as expected it went through the motions of Autodiscovering the user's Outlook properties, but instead of automatically configuring the mailbox properties, I got challenged with a Windows logon prompt! This has never been the case before, when users have been able to automatically configure their own Outlook profiles without having to enter their password, as they are all domain-joined clients and already authenticated to the AD domain, and that's what I would expect.

It seems that because the Autoconfigure services URL now refers to an external (external to AD trusted) domain name, the integrated Windows authentication (single sign-on) isn't passing the credentials as it did before and would do if it was using the original default FQDN.local - is my reasoning correct?

Experts - is there a way to make this work without any complicated processes?
0
 
LVL 7

Expert Comment

by:jaynee
ID: 39921862
I have seen this problem solved elsewhere by entering credentials manually with the IP address(es) of the Exchange server instead of the FQDN, into the top part as well as the "Generic Credentials" part in Credential Manager.
0

Author Comment

by:stcs
ID: 39921932
"Try Manjunath's suggestion to rejoin the workstation to the domain."

I can't see how re-joining the workstation to the domain will help as there are no Netlogon errors in the event viewer. Besides, I have almost 100 workstations!
0
 
LVL 7

Expert Comment

by:jaynee
ID: 39922016
Sorry about that stcs - I realised that and edited it out of my post just before you posted above.
0
 

Accepted Solution

by:
stcs earned 0 total points
ID: 39931842
I have figured out now that the logon prompts were popping up because I had inadvertently enabled Outlook Anywhere on the CAS, with Basic Authentication. This proxy (RPC/HTTP) configuration gets passed on to the clients via Autodiscover and the user profile connection settings are updated accordingly. So now the LAN clients have 2 methods of access (RPC/TCP and RPC/HTTP). RPC/HTTP, which uses Basic Authentication, causes the logon box pop-up, so I then disabled Outlook Anywhere for ALL users, which then updates the user profile and removes any RPC/HTTP settings. Problem appears to be solved!

Hope this is useful to someone else.
0
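As an added illustration (not part of the original thread or any poster's code): a Python check over a saved Autodiscover response that flags an Outlook Anywhere (`EXPR`) entry advertising Basic authentication, the setting the accepted solution identifies as the cause of the prompts. The XML is a constructed sample with placeholder host names, and `protocols` and `audit` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an Outlook Autodiscover response; host names are placeholders.
SAMPLE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>server.domain.local</Server>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.example.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""

NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}

def protocols(xml_text):
    """Return one dict per <Protocol> block the server hands to Outlook."""
    root = ET.fromstring(xml_text)
    found = []
    for p in root.iterfind(".//o:Protocol", NS):
        field = lambda tag: p.findtext("o:" + tag, "", NS).strip()
        found.append({"type": field("Type").upper(), "server": field("Server"),
                      "ssl": field("SSL").lower(), "auth": field("AuthPackage").lower()})
    return found

def audit(xml_text):
    """Flag RPC/HTTP (EXPR) entries that make clients send Basic credentials."""
    issues = []
    for p in protocols(xml_text):
        if p["type"] != "EXPR" or p["auth"] != "basic":
            continue  # EXCH is RPC/TCP; NTLM on EXPR can reuse the logged-on session
        issues.append((p["server"], "basic-auth"))
        if p["ssl"] != "on":
            issues.append((p["server"], "basic-without-ssl"))
    return issues

if __name__ == "__main__":
    for server, issue in audit(SAMPLE):
        print(server, issue)
```

An empty result means the response either carries no `EXPR` entry or advertises a non-Basic `AuthPackage` for it.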
 

Author Comment

by:stcs
ID: 39931899
close
0
 

Author Closing Comment

by:stcs
ID: 39941779
I was updating the Exchange server configuration to allow for the use of a single name SSL certificate, because the UCC/SAN certs no longer support private local domain names.

I must have accidentally enabled Outlook Anywhere on the CAS server, which then automatically updated Outlook profiles to enable Exchange server proxy settings for RPC/HTTP, which can cause authentication pop-ups.

I tried all suggestions, created new Outlook profiles, new user credentials in the Windows password vault, but nothing seemed to fix the pop-ups, and it was annoying because domain-joined clients didn't really need to use Outlook Anywhere.

I then read another posting on a website that had a similar issue and then realised my mistake: enabling Outlook Anywhere without understanding how it worked with Autodiscover to configure the profile for users.
0
