Why does Outlook prompt for password?

Can I start by saying I have never had this issue before. Using a simple single ALL in one Exch 2010 single server scenario. I have searched the support communities relentlessly for a fix. I am unfortunately another one of millions out there that is trying to work through the changes required for Exchange 2010 server to workaround the new UCC /SAN ssl cert rules.
I am now using DNS SRV for external Autodiscover service location. We obviously have different internal name space (*.local) and external name space. I have spent days reading around and sifting through relevant helpful articles and although the workarounds are easy to understand, fixing the potential problems as a direct consequence of applying the workaround are proving to be quite challenging.
I have worked through the changes required to redirect 2010 Exchange Server to use the External DNS name but ever since applying the url changes, Outlook clients (domain joined) are always getting a windows security password prompt a few seconds after they have opened outlook in the mornings always. The windows security dialogue box pops up and is invariably prepopulated with the username@smtpemailaddress. Users have to always change that to Domain\username (we don't use UPNs) and enter the password and then it doesn't show up again until outlook is closed and reopened. This happens on Win7 & outlook 2010 as well as win7 & outlook 2007 users. I have checked the Autodiscover virtual directory in IIS and SSL authentication settings. SSL is set to require cert and ignore Client cert. I have also enabled kernel mode authentication? This wasn't enabled before but I read about this somewhere and thought I should try it. The weird thing is that my computer win7/outlook 2010 doesn't get this password prompt. The impact of ignoring this windows security dialogue box is that other applications (MIS) that are mail enabled will not open outlook for the user to send email directly from the MIS application, and I noticed OOF is also broken. I then run the repair mailbox which then forces a windows security box to launch and once the correct username format is entered with the password everything is fine...until you exit outlook.
It's a very irritating problem and I have run out of sensible ideas to try.
I have run Autodiscover tests both internally and externally and both are successful.

Any help greatly appreciated.
stcs (Author) Commented:
I have figured out now that the logon prompts were popping up because I had inadvertently enabled Outlook anywhere on the CAS, with Basic Authentication. This proxy (RPC/HTTP) configuration gets passed on to the clients via autodiscover and the user profile connection settings are updated accordingly. So now the LAN clients have 2 methods of access (RPC/TCP and RPC/HTTP), RPC/HTTP which uses Basic Authentication causes the logon box pop up, so I then disabled ALL users outlook anywhere which then updates the user profile and removes any RPC/HTTP settings. Problem appears to be solved!

Hope this is useful to someone else.
jaynee (IT Manager) Commented:
So perhaps it's a password persistence problem.
Check Control panel, user accounts, Manage your credentials  and see what the persistence setting of that username/password combo is, on your machine where you don't get the login dialog compared to the machines where the user does get the dialog.

I'm guessing that the persistence settings needs to be "Enterprise" - if it isn't, delete that entry and re-enter from scratch.
Manjunath Sullad (Technical Consultant) Commented:
Have you tried recreating the Outlook profile?

If the issue persists, rejoin the workstation to the domain.

Update group policies.

- Manjunath Sullad
Andy M (Internal Systems Manager) Commented:
What are your Autodiscover URLs currently set to? I suspect the security error is informing you that the certificate installed on the server (remote.domain.co.uk) does not match the name of the server the internal Outlook clients are trying to reach (i.e. server.domain.local).

This would indicate that autodiscover is trying to force the clients to use the internal name of the server.

You could try setting all client-access URLs to the external address (this may help: http://technet.microsoft.com/en-us/library/dd876959%28v=exchg.141%29.aspx) and add an internal DNS entry to your network to point the external exchange hostname to the internal IP of the server (i.e. remote.domain.co.uk >
stcs (Author) Commented:
Thanks for your suggestion. I have checked and compared the differences between my computer and 3 others, no difference, all computers have the persistence setting as Enterprise.
I don't understand why it pops up the logon box. Autodiscover url changes from local FQDN hostname.localdomain to Public name mail.internetsmtpdomain has broken outlook somewhere.
If I change back to original FQDN local.domain (obviously not a solution) everything works fine. Something is going amiss here.
Interestingly I did some further testing and deleted the outlook profile for a user on the computer that has the same problem. When I started outlook for this user as expected it went through the motions of Autodiscovering the user outlook properties but instead of automatically configuring the mailbox properties, I got challenged with a windows logon prompt! And this has never been the case before when users have been able to automatically configure their own outlook profiles without having to enter their password, as they are all domain joined clients and already authenticated to the AD domain and that's what I would expect.

It seems that because the Autoconfigure services url now refers to an external (external to AD trusted) domain name the integrated windows authentication (single sign on) isn't passing the credentials as it did before and would do if it was using the original default FQDN.local - is my reasoning correct?

Experts - is there a way to make this work without any complicated processes?
jaynee (IT Manager) Commented:
I have seen this problem solved elsewhere by entering credentials manually with the ip address(es) of the exchange server instead of the FQDN, into the top part as well as the "Generic Credentials" part in Credential Manager.
stcs (Author) Commented:
"Try Manjunath's suggestion to rejoin the workstation to the domain."

I can't see how re-joining the workstation to the domain will help as there are no Netlogon errors in the event viewer. Besides I have almost 100 workstations!
jaynee (IT Manager) Commented:
Sorry about that stcs - I realised that and edited it out of my post just before you posted above.
stcs (Author) Commented:
I was updating the exchange server configuration to allow for the use of a single name ssl certificate, because the UCC/SAN certs no longer support private local domain names.

I must have accidentally enabled Outlook Anywhere on the CAS server which then automatically updated outlook profiles to enable exchange server proxy settings for RPC/HTTP, which can cause authentication pop ups.

I tried all suggestions, created new outlook profiles, new user credentials in the windows password vault but nothing seemed to fix the pop ups, and it was annoying because domain joined clients didn't really need to use Outlook anywhere.

I then read another posting on a website that had a similar issue and then realised my mistake to enable Outlook anywhere without understanding how it worked with Autodiscover to configure the profile for users.
Question has a verified solution.
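
An added example, not part of the original thread: the accepted fix turns on Autodiscover handing clients an Outlook Anywhere (EXPR) profile that uses Basic authentication, and that can be checked directly in the Autodiscover response XML. The sample response below is constructed, reusing the placeholder host names from the thread, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespace of the Outlook Autodiscover (POX) response schema.
NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}

# Constructed sample response, trimmed to the elements that matter here.
SAMPLE_RESPONSE = """
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>server.domain.local</Server>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>remote.domain.co.uk</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""

def protocols(xml_text):
    """Return one dict per <Protocol> block: type, server, auth package."""
    root = ET.fromstring(xml_text.strip())
    result = []
    for proto in root.iterfind(".//o:Protocol", NS):
        result.append({
            "type": proto.findtext("o:Type", "", NS).strip().upper(),
            "server": proto.findtext("o:Server", "", NS).strip(),
            "auth": proto.findtext("o:AuthPackage", "", NS).strip().lower(),
        })
    return result

def findings(xml_text):
    """Flag Outlook Anywhere (EXPR) settings that use Basic authentication."""
    return [
        f"EXPR via {p['server']} uses Basic auth: Outlook will prompt for credentials"
        for p in protocols(xml_text)
        if p["type"] == "EXPR" and p["auth"] == "basic"
    ]

if __name__ == "__main__":
    for line in findings(SAMPLE_RESPONSE) or ["no Basic-auth Outlook Anywhere settings"]:
        print(line)
```

Feed it only XML captured from your own Autodiscover endpoint, for instance the response shown by Outlook's Test E-mail AutoConfiguration tool.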
