I am having an issue with our Outlook clients after migration to Exchange 2013 from Exchange 2007.  The clients keep asking for Credentials, even after selecting remember password.  So I click cancel, and on the send/receive tab there is a button that is requesting Username and Password.  I click it and it appears to connect.  It says it is connected and then either I wait a few minutes and there will be another credentials popup, or I try to send out a mail message and get the same thing. I'm not having issues with internal clients.  And our certificate is working fine.  testexchangeserver.com Outlook Anywhere passes.  All settings on Client Outlook match.  Outlook versions are updated to recent version, 2007 and higher.

Exchange Settings (Cleaned Up)

RunspaceId: 7a8e3362-3dcb-4bc2-acf0-c7bc7c3eb687
ServerName: EMAIL
SSLOffloading: True
ExternalHostname: email.server.com
InternalHostname: email.server.com
ExternalClientAuthenticationMethod: Ntlm
InternalClientAuthenticationMethod: Negotiate
IISAuthenticationMethods: {Ntlm}
XropUrl:
ExternalClientsRequireSsl: True
InternalClientsRequireSsl: True
MetabasePath: IIS://email.server.com/W3SVC/1/ROOT/Rpc
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking: None
ExtendedProtectionFlags: {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion: Version 15.0 (Build 620.29)
Server: EMAIL
AdminDisplayName:
ExchangeVersion: 0.20 (15.0.0.0)
Name: Rpc (Default Web Site)
DistinguishedName: CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=MX1,CN=Servers,CN=Exchange
                                     Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
                                     Organization,CN=Microsoft
                                     Exchange,CN=Services,CN=Configuration,DC=server,DC=com
Identity:Email\Rpc (Default Web Site)
Guid: 3eefa2f5-2656-4b08-8862-e6850d954890
ObjectCategory: server.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass: {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged: 5/19/2013 12:30:16 PM
WhenCreated:  5/13/2013 5:27:42 PM
WhenChangedUTC: 5/19/2013 5:30:16 PM
WhenCreatedUTC: 5/13/2013 10:27:42 PM
OrganizationId:
OriginatingServer: activedirectory.server.com
IsValid: True
ObjectState: Changed

Also noticing that every once in a while the Authentication settings under Security tab in the More Settings portion of setup, keep changing to Anonymous.  The settings within Exchange Proxy Server also keep changing to negotiate.

I would have like to use NTLM across the board so my mobile users do not have keep entering their information.  When I do get the settings changed to NTLM it appears as though it stays connected a little better, but that is until I send a message or if I restart Outlook.

I have been working on this for DAYS and tried every single thing I can think of finding: from changing the settings, rebuilding the autodiscover settings, reinstalled outlook, setup outlook profiles, deleted outlook completely including profiles and many more things.  Has anyone ran into this, and what can I do.  I would like to just redo the RPC virtual directories to see if that helps, but cannot find information anywhere.  Reinstalling Exchange is NOT AN OPTION as I have already moved the boxes because it appeared to be working and worked fine in my test environment.
Really hoping someone can help, let me know what else you need.  I have to get this going, as I have sales people without mail.  I had to move the boxes, as they for some reason were not able to connect to their old boxes after I installed the Exchange 2013 and it was a big mess. Figured it would be easier to move everyone to what I thought was working fine, and ended up being a big mess.

Hi,

yeah i hade same issue with outlook 2007 only, but it was even internally !

first check Autodiscover Virtual Directory (internal and external), keep pressing on CTRL and right click outlook icon and choose test E-mail Autoconfiguration -> check for errors here and logs 

the second step is to check IIS settings on your exchange 2013 to modify SSL settings of some directories to ACCEPT cookies instead of Ignore, but i wouldn't recommend modifying default settings,

But Since Exchange 2013 force using RPC over Https everywhere even internally, you have to create autodiscover SRV Record internally and in your public DNS,

In addition make sure your certificate contains all required SAN: reverse proxy, both exchange fqdn, external name, autodiscover...

Hi,

yeah i hade same issue with outlook 2007 only, but it was even internally !

first check Autodiscover Virtual Directory (internal and external), keep pressing on CTRL and right click outlook icon and choose test E-mail Autoconfiguration -> check for errors here and logs 

the second step is to check IIS settings on your exchange 2013 to modify SSL settings of some directories to ACCEPT cookies instead of Ignore, but i wouldn't recommend modifying default settings,

But Since Exchange 2013 force using RPC over Https everywhere even internally, you have to create autodiscover SRV Record internally and in your public DNS,

In addition make sure your certificate contains all required SAN: reverse proxy, both exchange fqdn, external name, autodiscover...

I think I may have found the issue.  It appears as though the More Settings area of the account setup keeps changing the security settings to Anonymous and changing the Proxy authentication to Negotiate.  Which if you see above in my first post, they should both be NTLM.  No matter how many times I change them, they just revert back.  I can't find the spot to make these permanent from the Exchange side of the server, as I'm sure it will work fine if that is fixed. I have been able to get it to temporarily change them to NTLM and have no issues, but as soon as they revert back the problem comes again, asking for credentials.

Would you happen to know if this is a setting coming from ECP or IIS, also could it possibly only be able to be set from powershell?  I will go through my settings again, to see if I missed something.

Thanks for your help, I think the SRV record helped my situation.  (I did not have that before, just A records on my external.)

SSLOffloading: True
InternalClientAuthenticationMethod: Negotiate

See: http://support.microsoft.com/kb/2834139 

SSLOffloading: True
InternalClientAuthenticationMethod: Negotiate

Hi,
Change the above two settings.

Example:
Set-OutlookAnywhere -id "EMAIL\Rpc (Default Web Site)" -InternalClientAuthenticationMethod NTLM -SSLOffloading $False

See: http://support.microsoft.com/kb/2834139 

Thanks, I changed those settings to NTLM and to False.  I also had our certificate provider redo our certificate to make sure it was EXACTLY the way it is supposed to be.  Name of the server as the common name, and any other names as alternates.  I still have the Credential Request issue.

This is what I fixed when I talked to the Certificate Provider.  They had the wrong first SAN, and this still didn't fix it.

Now I figured how to get e-mail to flow while my mobile users are on the VPN, but for some reason they have to uncheck the "On Fast Connections" box within the proxy settings.  But it will only work for a little bit and then revert them back to having the box checked, and then they are asked for passwords again.

Also, now the mobile phones stopped being able to be setup.  I have only changed one thing, and that was delete the EXPR provider for Outlook, as that is what I was told would allow me to change to settings for each computer and not have the settings just revert back.  For some reason they were working fine, and then all of a sudden they stopped working and the box was checked again.

How do I permanently change the setting to get it to stay to NTLM Authentication, and Exchange Proxy settings to stay they way I save them.  I'm at wits end, it's Monday everyone is mad at me.  I don't understand how something can work just fine in a test environment and then once moved to production it stops working.  I'm beyond frustrated, and tired of getting the evil eye because Microsoft puts out half baked products.  I shouldn't have to troubleshoot a fresh installation.  This is beyond ridiculous.

You can't just Blame Microsoft because you just modified some settings and ruined all the system inter-connectivity !

My advise is to get back to your lab and check the default settings of everything and try reverting it back.

IIS8 will always revert back the settings after a while (30 mins to 2h ), there's some registry to disable recycling, but its not recommended  !

HI,

Have you verified with the same user to logging in to OWA, if credentials are OK then there is some issues with Outlook's communication mode, check that the proper ports are configure in the outlook profile etc.

And also check the correct certificate installed at the client side.

Hope this will help you.

regards,

MB Shaikh.