• Status: Solved

Credential popup from Outlook 2010 driving me nuts.

So this has happened on and off for many months. Now it just got super annoying. I give up. I have looked at countless threads and have tried everything.
Most of our users have no problems with Outlook 2010 connecting to our in-house Exchange 2010 servers. There are several who do. And of course it's the wrong people with the problem. Whenever they start Outlook, they get asked for credentials, and many times this happens randomly throughout the day. What I noticed today was that while comparing my Outlook connection settings (I have no problems) with those who have problems, I see that they are going through a proxy server. I've looked everywhere I can find, all of our settings are the same. How can I fix this? Outlook Anywhere is configured. Many of our laptop users check their email with Outlook when they get home after work. No VPN needed. The folks with the problem are connecting to our OWA URL to get to our internal server. Please help me out with this one!
Asked: mauisun

mauisun (Author) Commented:
If I uncheck the proxy setting then they don't get the popup asking for the credentials but then Outlook doesn't work from home.

Adam Farage (Enterprise Arch) Commented:

If I uncheck the proxy setting then they don't get the popup asking for the credentials but then outlook doesn't work from home.

That is a work around, fix it. If you are fixing it by unchecking the "proxy settings" that means you are using Basic authentication for Outlook Anywhere, which would be causing the excess popup.

By default Outlook 2007+ will use MAPI for any connection to Exchange that is under 100ms response time, and anything over 100ms will use RPC/HTTPS (the "proxy" settings) which is really just Outlook Anywhere. Same thing occurs if you are working remotely, except TCP/MAPI is not available so it does just RPC/HTTPS. My numbers above may be a bit off, but basically fast connection = TCP/MAPI, slow connection = RPC/HTTPS.

To resolve this for domain joined machines that are internal to the network, you can enable NTLM as the default authentication method for Outlook Anywhere. This will utilize the existing Kerberos ticket on the machine from user login, and should permanently resolve this situation if the machine is either local to the network (and domain joined, as it needs to authenticate off AD for the Kerberos ticket) OR the machine is domain joined and outside of the network (because of cached authentication).

Too long / don't read: if the machine is domain joined then you can set up NTLM authentication for OA.

Now to actually fix this:

- Open Exchange Management Shell
- Run the following:

Get-OutlookAnywhere | Set-OutlookAnywhere  -ClientAuthenticationMethod NTLM -IISAuthenticationMethod Basic,NTLM

- Restart IIS on all Client Access Servers

When this is done you can test by having a client restart. If the Outlook profile is not hosed (which I have seen maybe one or two out of every 300 when I have done this previously) it should change the "proxy" settings from Basic authentication to NTLM.
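
The steps in the answer above, written out as an added example (not code from the thread) that also records the settings first and checks them afterwards. The backup path is a placeholder, and it assumes the account running it may restart IIS remotely on each Client Access Server.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Added example: the backup path below is a placeholder, not from the thread.
$backup = 'C:\Temp\OutlookAnywhere-before.csv'

# 1. Record the current per-server settings so the change can be reversed.
$before = Get-OutlookAnywhere |
    Select-Object ServerName, Identity, ExternalHostname,
        ClientAuthenticationMethod,
        @{ Name = 'IISAuthenticationMethods'
           Expression = { $_.IISAuthenticationMethods -join ',' } }
$before | Export-Csv -Path $backup -NoTypeInformation
$before | Format-Table ServerName, ClientAuthenticationMethod,
    IISAuthenticationMethods -AutoSize

# 2. Preview the change with -WhatIf, then apply it.
#    -IISAuthenticationMethods is the full parameter name.
Get-OutlookAnywhere |
    Set-OutlookAnywhere -ClientAuthenticationMethod NTLM `
        -IISAuthenticationMethods Basic,NTLM -WhatIf
Get-OutlookAnywhere |
    Set-OutlookAnywhere -ClientAuthenticationMethod NTLM `
        -IISAuthenticationMethods Basic,NTLM

# 3. Restart IIS on every Client Access Server that hosts Outlook Anywhere.
#    Assumption: iisreset is allowed to reach each server remotely.
foreach ($cas in $before) {
    iisreset $cas.ServerName /noforce
}

# 4. Verify: list any server that is not advertising NTLM to clients
#    or does not have NTLM enabled on the IIS side.
$notReady = Get-OutlookAnywhere | Where-Object {
    "$($_.ClientAuthenticationMethod)" -ne 'Ntlm' -or
    ($_.IISAuthenticationMethods -join ',') -notmatch 'Ntlm'
}
if ($notReady) {
    $notReady | Format-Table ServerName, ClientAuthenticationMethod,
        IISAuthenticationMethods -AutoSize
} else {
    'All Outlook Anywhere endpoints advertise NTLM.'
}
```

Basic stays enabled on the IIS side, as in the command from the answer, so a client whose profile is still set to Basic can authenticate until the new setting reaches it.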

mauisun (Author) Commented:
I'm going to attach two screen shots. The first one is my connection settings. There is no proxy and authn is set for negotiate. The second is a person a few feet away from me. He has a server listed in proxy and authn is Clear (ntlm).
I've blacked out the server names and smtp addresses. The server names are the same for both examples.
I just want to make sure I'm on the same page as you before I change a setting. Thanks.
1.jpg
2.jpg
 
mauisun (Author) Commented:
Also, when I run Get-OutlookAnywhere, I see the different CAS servers in the array, and for all of them, clientauth is set for basic and iisAuth is also set for basic.

Adam Farage (Enterprise Arch) Commented:
You are attempting to connect over HTTPS, so you will need to run the change as denoted above.

mauisun (Author) Commented:
I've made the changes and instructed folks to reboot their machines. A couple people needed to do it more than once but then the pop went away. I'm thinking you're a genius. I'll see how things go in the morning. thanks for your help.

Adam Farage (Enterprise Arch) Commented:
Glad it works, I think I will actually write a blog about this.. since I see it at least once a month.

mauisun (Author) Commented:
... Adam, and now most folks at home can't connect with Outlook anymore. I got it to work on one computer but not any of the others I've tried. I'm trying to set it up on my own home computer but it won't work. Suggestion on where to look? The MS remote connectivity analyzer site says everything is good.

Adam Farage (Enterprise Arch) Commented:
Make sure they are using domain\username and the correct password. Do NOT use username@domain.com

mauisun (Author) Commented:
I'm trying. I just tried to set up Outlook from scratch. I'm getting the "outlook must be online" error while I set it up.

Adam Farage (Enterprise Arch) Commented:
Check the proxy settings in your old profile. Make sure they are set to NTLM instead of Basic.

mauisun (Author) Commented:
I've made sure the proxy settings are the same between a computer that was already set up and one I'm trying to set up. The one that is already working is a domain computer on the wifi at my house (no VPN) and a non-domain computer (no VPN) at my house. I still can't get it working. One thing I did notice is that the domain joined laptop connects really slow to email. It took about 3 minutes to connect to Exchange and download the 6 emails that I got so far this morning. It is authenticating NTLM though.

Adam Farage (Enterprise Arch) Commented:
From your home machine that cannot connect but has an Outlook profile configured, please run Outlook.exe /RPCDIAG.
Also make sure you do not have any credentials cached within the machine. Usually it's within the Control Panel > Credential Store.

If you have cached credentials in there, that will most likely break this.

mauisun (Author) Commented:
Outlook won't open. It gives the "outlook must be online to connect to exchange" error.

Adam Farage (Enterprise Arch) Commented:
This might be an issue with the Outlook Anywhere hostname. If you run Get-OutlookAnywhere from the Exchange Server, what is the ExternalURL for it? Is that ExternalURL valid, and is there a valid DNS A record for it?

mauisun (Author) Commented:
When I run the command I get the correct data. See the thing is, this has been up and running and working for 2 years at least. The random popup for credentials for some internal users has been around just as long. It would happen for a while and then go away. Users have always been able to set up and connect Outlook without being on the domain while at home. Maybe I got new problems since we did Windows updates a couple days ago. Tonight I'm uninstalling the updates from this past weekend.

mauisun (Author) Commented:
To add more to my last comment, we have 200 users and there have always been 10 or so folks who got the credential popup. Now there is maybe 15. That part is gone. Thanks for the help with that, by the way.

mauisun (Author) Commented:
Have you ever heard of a firewall getting in the way of NTLM? Our Exchange servers are at a colocation. We are behind their firewalls. I think they are Palo Alto. I don't know for sure. I guess more to check on.

Adam Farage (Enterprise Arch) Commented:
Have you ever heard of a firewall getting in the way of NTLM? Our exchange servers are at a colocation. We are behind their firewalls. I think they are palo alto. I don't know for sure. I guess more to check on.

YES, IPS and Stateful Packet Inspection (SPI) can screw it up, and if they are also doing any WAN acceleration it will rip out the GUID within the packets. I would contact your service provider (e.g. colo) and explain to them the situation. I have a feeling they might be doing a WAN opt solution.

mauisun (Author) Commented:
I just removed the Windows updates from this past weekend. I removed the updates from both CAS servers. Bam. Both my test machines are up and running. I'll know more in the morning after I get in.

Adam Farage (Enterprise Arch) Commented:
Interesting.. do you know the update by chance?

mauisun (Author) Commented:
I removed the following:
KBs: 2973337, 890830, 2966583, 2973351, 2973201, 2962872, and the MS Exchange Server Standard Anti-spam filter update v3,3,13907.466 (didn't have a KB next to it).

Adam Farage (Enterprise Arch) Commented:
The AntiSpam filter is out. Let me look into the others and see if they would have broken something else. Curious at this point, since I am doing a roll out now..

Adam Farage (Enterprise Arch) Commented:

mauisun (Author) Commented:
I'm not sure which one either. All the clients are still behaving the way they should as of now.