Sc0t
asked on
Outlook 2010 prompting for credentials
Hello,
I have an interesting issue with a group policy running on our new Windows 7 workstations.
Our setup is as follows:
Our server is running Windows Server 2003 with Exchange 2003.
Our old Windows XP workstations are running Office 2007.
Our new Windows 7 workstations are running Office 2010.
Our Windows XP workstations run fine with our current group policy but we have found that when we add our new Windows 7 workstations to the same policy Outlook 2010 stops connecting to the server after about a week and requests you type in a username and password. I have tried the users domain details but it fails to authenticate. The strange part is Outlook works for about a week and then just stops working after that it starts requesting for authentication details.
If I remove the workstation from the group policy and perform a “gpupdate /force” on the host then Outlook will once again connect to the server.
I have checked the event logs on the server and found the following events:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 09/10/2014
Time: 11:29:58
User: NT AUTHORITY\SYSTEM
Computer: Server1
Description:
Pre-authentication failed:
User Name: sthompson
User ID: linkwon\ sthompson
Service Name: krbtgt/linkwon.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.1.40.7
Does anyone know of any differences in Office 2010 that may be causing this issue where Outlook 2010 requests authentication?
I have an interesting issue with a group policy running on our new Windows 7 workstations.
Our setup is as follows:
Our server is running Windows Server 2003 with Exchange 2003.
Our old Windows XP workstations are running Office 2007.
Our new Windows 7 workstations are running Office 2010.
Our Windows XP workstations run fine with our current group policy but we have found that when we add our new Windows 7 workstations to the same policy Outlook 2010 stops connecting to the server after about a week and requests you type in a username and password. I have tried the users domain details but it fails to authenticate. The strange part is Outlook works for about a week and then just stops working after that it starts requesting for authentication details.
If I remove the workstation from the group policy and perform a “gpupdate /force” on the host then Outlook will once again connect to the server.
I have checked the event logs on the server and found the following events:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 09/10/2014
Time: 11:29:58
User: NT AUTHORITY\SYSTEM
Computer: Server1
Description:
Pre-authentication failed:
User Name: sthompson
User ID: linkwon\ sthompson
Service Name: krbtgt/linkwon.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.1.40.7
Does anyone know of any differences in Office 2010 that may be causing this issue where Outlook 2010 requests authentication?
Could you share the Group Policy that is being applied with us for further review please?
Also have you tried installing Office 2010 on a XP machine and then applying the GPO to it to see if its an issue with Office 2010?
ASKER
Please see file attached of our GPO.
Win7-GPO.rtf
Win7-GPO.rtf
Right I can see your policies controlling a lot of RPC Authentication methods which might be the cause.
Also i'm assuming this happens to all of the Windows 7 clients that are joined to the domain?
To ensure the issue is being caused by the GPO you attached, can you place the machine into an OU with no policies being received (Block Inheritance) then see if the issue still occurs, at least then we have ruled in/out the Group Policy being the issue. If the issue occurs without the GPO it maybe pointing to a client side issue maybe something like "Cached Exchange Mode" being enabled or a corrupt local mail profile (This would be highly unlikely)
Definitely install Office 2010 onto an XP machine and provide the result.
Also worth noting, that Outlook has something in built which shows you all the connections it's making/attempting to make. To view it locate the notification area Outlook icon in the task bar (the icons on the right of the screen by the clock) and then ctrl+right-click to bring up a slightly different context menu, in there click Connection Status, then in here it will tell you where it is trying to connect to.
Also ensure that Office 2010 is updated up to SP1 which has fixes for this sort of issue.
Also i'm assuming this happens to all of the Windows 7 clients that are joined to the domain?
To ensure the issue is being caused by the GPO you attached, can you place the machine into an OU with no policies being received (Block Inheritance) then see if the issue still occurs, at least then we have ruled in/out the Group Policy being the issue. If the issue occurs without the GPO it maybe pointing to a client side issue maybe something like "Cached Exchange Mode" being enabled or a corrupt local mail profile (This would be highly unlikely)
Definitely install Office 2010 onto an XP machine and provide the result.
Also worth noting, that Outlook has something in built which shows you all the connections it's making/attempting to make. To view it locate the notification area Outlook icon in the task bar (the icons on the right of the screen by the clock) and then ctrl+right-click to bring up a slightly different context menu, in there click Connection Status, then in here it will tell you where it is trying to connect to.
Also ensure that Office 2010 is updated up to SP1 which has fixes for this sort of issue.
ASKER
Also i'm assuming this happens to all of the Windows 7 clients that are joined to the domain?
Answer: Yes it does.
When I remove the workstation from the group policy e.g. no GPO being applied then Outlook works fine.
Office is up to date with all the latest patches and has sp2 applied.
Answer: Yes it does.
When I remove the workstation from the group policy e.g. no GPO being applied then Outlook works fine.
Office is up to date with all the latest patches and has sp2 applied.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok I will try removing the RPC authentication one by one and let you know the result.
Maybe this might help?
https://www.experts-exchange.com/questions/28220779/Outlook-prompting-for-credentials.html
https://www.experts-exchange.com/questions/28220779/Outlook-prompting-for-credentials.html
ASKER
Hi Roshan,
We do not use a proxy on our network.
We do not use a proxy on our network.
Has anything come from removing the RPC parts from the GPO?
ASKER
At the moment I am waiting for the issue to re-appear.
I have added two machines to the GPO in question but at the moment Outlook is working as expected.
The strange thing is previously it took about a month before the machines that were in this particular GPO stopped working and Outlook started requesting for authentication credentials.
As soon as we removed the machines from the GPO they all started working again.
I have added two machines to the GPO in question but at the moment Outlook is working as expected.
The strange thing is previously it took about a month before the machines that were in this particular GPO stopped working and Outlook started requesting for authentication credentials.
As soon as we removed the machines from the GPO they all started working again.
Right ok, its probably wise to do what I said,
I know its a pain but I've had to go through this many times even internally we agreed its not best to manage too many authentication settings (RPC's) via GPO as these issues can surface, if you implement them then you need to be prepared to do things like this to find out which setting is causing the problem.
I know its a pain but I've had to go through this many times even internally we agreed its not best to manage too many authentication settings (RPC's) via GPO as these issues can surface, if you implement them then you need to be prepared to do things like this to find out which setting is causing the problem.
If you wanted you could put the Windows 7 machines in a separate OU and then exclude them from this policy (If it isn't required)