I'm running low on ideas, so thought I'd post here and see if this rings any bells for anyone. We're doing a multi-domain and multi-exchange 2003 org consolidation, and taking the opportunity to upgrade to Exchange 2007 and Windows 2008. We've built a new, clean AD domain/forest, and a new clean Exchange 2007 Organization, and are now migrating users and services over to it piece by piece. We've got Windows 2008 DCs in the head office, and a Windows 2003 DC we'll need for compatibility with an older applications; and Windows 2008 RODCs in our branch offices. All the Exchange servers are in the head office: a pair of CA/HT servers, using Win 2008 NLB, and a pair of Mailbox servers, in a SCC cluster. Storage is on a NAS; we don't need an Edge server as we have appliances performing that role. OutlookAnywhere and Autodiscover are enabled and working. Everything worked great initially, we migrated our first pilot users over and all was fine. Then, not long after we added the second small group of pilot users, we started to see this problem: About once a day - the exact time varies but it's usually early afternoon - one after another of the users running Outlook 2007 get a pop-up to supply their credentials. When they enter their password it is not accepted, and the pop-up comes back immediately to try again. Those pilot users who are still on Outlook 2003 do not see the problem. The pop-up usually requests credentials for the first node of our CA/HT pair, but may also be for the NLB cluster, for the mailbox cluster, for the local DC, or for the autodiscover address. The service asking for the credentials may vary as people repeatedly enter their credentials. After a short period of time - a few minutes - their credentials are accepted and everything is back to normal. We've mostly been looking at OAB generation/web distribution, sincethat is one of the few things Outlook 2007 would talk to a CAS node for when on the LAN. We found that we were having a known problem with OAB Generation on a Windows Server 2008 Cluster, butwe've put a workaround in place while waiting for the offical fix and now can generate OABs fine, and people can download them. We also rebuilt the Virtual Directories for OABGen, and changed the URL to the NLB cluster's address rather than the first node. This gave us a couple of days respite from the problem, and we thought we'd cracked it, but the problem came back. It seems now, though, that it is no longer asking for credentials for the first node.Our suspicion is supported by a Network Monitor trace we took during the problem. We see the client requesting the oab.xml file, and getting a 401 error back - "401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied." This response is frequently followed in the trace by an immediate Kerberos AS request to the local DC. When the problem is not happening though, we're able to download the oab.xml without trouble. One other clue: disabling and reenabling encryption in Outlook seems to force the problem to reoccur for a user. Any thoughts? Thanks, Graham.

Did I say NAS? I meant SAN of course... I'm just a simple Exchange admin, and all those big boxes in our datacentre scare me. Pretty much irrelevant to the problem, I imagine -but our Storage experts have already explained this to me twenty times and they might think i'm not paying attention if I keep getting it wrong!

Dear customer: In order to clarify your issue, I want to confirm the following information with you: 1. Did the problematic users are migrated from Exchange server 2003 or new created on Exchange server 2007? 2. Send the screenshot of the error to v-rocwan@microsoft.com for analyze. 3. What did you operate before get a pop-up to supply their credentials? 4. Create a new user and enable mailbox on Exchange server 2007, and check whether you encounter the same issue. Note: when you send e-mail to me, please let me know the subject of the post. Thanks for your cooperation. Rock Wang - MSFT

Everyone has been migrated from Exchange 2003 to 2007 Not sure there's anything useful there - it's just a standard request for credentials - but sure, I'll send on. Don't really understand the question. There's no triggering event we've been able to find. That's an interesting avenue, we'll try that.

Happens at my site as well.. Any answers? Thanks, Adam

Dear customer: In order to better troubleshoot the issue, please help collect the following information: 1. Did Outlook 2007 can download OAB successfully in LAN? 2. Open Outlook 2007, press Ctrl key and at the same time right click Outlook icon on the Task Bar, select Test E-mail AutoConfiguration option, when the Test E-mail AutoConfiguration dialog box is displayed, your e-mail address is automatically populated. Note: If you are logged into the domain, the E-mail address field is populated by using the account youre logged onto the machine with. If you have multiple profiles configured and youre using one that isnt your own, you will need to change the e-mail address in this field and enter a password. 3. To test Autodiscover ensure ONLY the Use Autodiscover option is selected. A password does not have to be entered when you are logged into the domain. Your logged in credentials are used. Finally, click on the AutoConfigure button to start the Autodiscover request to the Autodiscover service. 4. After Outlook sends your E-mail Address and credentials to the Autodiscover service the various Results, Log, and XML tabs will show status and results of Autodiscover request. 5. Click Results tab, send the screenshot of it to v-rocwan@microsoft.com for analyze. 6. Click log tab, send the screenshot of it to me for analyze. 7. Click XML tab, send the screenshot of it to me for analyze. Note: when you send e-mail to me, please let me know the subject of the post. Thanks for your cooperation. Rock Wang - MSFT

the same problem with my site, thank you for help me.

Dear customer: You can try to collect the basic information according to the previous post, and send it to me for analyze. Note: when you send e-mail to me, please let me know the subject of the post. Thanks for your cooperation. Rock Wang - MSFT

same problem here - Rock, how can Iemail you logs?

Hi grahamHave you manged to solve the problem with the autentication problem. we have the same issue?

Hi Graham,You wouldnt by any chance be running Symantecantivirus would you?Pete

I'm having the same issue after removing an Exchange 2003 server after adding a 2007 Exchange. Ran with both servers active for about 4 months, then Dell helped us remove the Exchange 2003. All Outlook 2007 users are prompted by our Mailbox server for credentials. One user is logged in as the frontDesk profile on XP. Their email however is setup as their username. They are prompted and never successful at supplying their credentials to our mailbox server. BOOO!