Outlook 2007 Prompts for Authentication. Exch 2007 SP3 on 2008 R2 Server
I am having a really hard time with a new Exchange 2007 migration. I manage several Exchange servers.. but this is the First combination of Exchange 2007 SP3 running on Windows 2008 R2. It was migrated from Exchange 2007 SP1 running on 2003 Server by building this new server, moving mailboxes and public folders, removing the old server. This is a single server environment. The issue I have is that all Outlook 2007 users are prompted for credentials when they open outlook. Some people have reported success with this issue by enabling Kernel Mode Authentication in IIS7. This did not work for me. The only thing that worked is to modify my SSL Settings under the Autoconfigure virtual to ACCEPT client certificates rather than IGNORE. This took care of the prompt, but broke autoconfigure and out of office. As I said this is a Single server environment. All Virtual directories, Authentication settings, and SSL are the default settings configured during install.I installed a SAN Cert from Godaddy with all the required URLS.. and the cert does not seem to be a problem. All other servers I manage work fine with the default settings, but this is the only one with this particular combination (Exch 2007 on 2008 R2) I have a few Exch 2010 on Svr 2008 R2, A Few Exch 2007 on Svr 2008, and a variety of exchange server running on server 2003. They are All small businesses with a single exchange server deployment. I compared all virtual directory settings against my other 2007 and 2010 servers on IIS7 and they seem to be the same. Any Ideas?
August 25th, 2010 6:29pm

You mention IIS. Outlook uses MAPI protocol to connect to mailboxes on the LAN (locally) and Outlook Anywhere uses some web-related functionality (IIS, SSL certs) to connect remotely. Is the problem occurring for Outlook users onsite - using solely Outlook as opposed to Outlook Aywhere? Some people have reported success with this issue by enabling Kernel Mode Authentication in IIS7. This did not work for me. Advice formerly was to disable Kernel Mode authentication. Do you really mean enable? And would someone from MSFT please fix the formatting on this forum! How does the font get so small! I'm editing the HTML to make it readable
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2010 6:41pm

You shouldn't need to touch the client certificate settings - that can cause further problems. Therefore I would suggest that you put it back and then run IISRESET to ensure that it is seen by IIS. You also shouldn't need to touch the authentication settings. Did you change that at the site or the virtual directory level? Exchange should work straight out of the box, so something has been changed here. Are you sure that it is Exchange generating the prompt? I often see this problem where autodiscover is doing its thing and is pointing to the wrong URL or the DNS is not correct. Therefore the first thing to do is use the Test Email Autoconfiguration setting (hold down CTRL and right click on the Outlook icon in the system tray) and see what autodiscover returns and then ensure those resolve to the server. Simon.Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
August 25th, 2010 6:56pm

Yes I mean enable. Just a quick search.. here is one such article explaining to Check the box for "Enable Kernel Mode Auth" in IIS http://demazter.wordpress.com/2010/02/09/outlook-continually-prompting-for-username-and-password-2/ when searching for Outlook Authentication prompts, I found several articles where people enabled this and it worked. I didnlt find any that recommended disabling it. However a google search just now for Outlook Authentication Kernel Mode Authentication returned articles 99% of which were talking about DISABLING it. Either way, it was off by default, I enabled it.. IIS reset.. no luck.. Disabled it.. IISreset again. I generally only try one fix at a time. If it fails, I undo it.. since the Default settings have historically been fine.
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2010 7:53pm

This is all RPC.. RPC over HTTP is off on the outlook clients with the issue... But even over RPC, outlook connects to Autodiscover via HTTPS. Autoconfiguration is perfect when I have the default settings. (tested with Test E-mail Autoconfiguration). Everything else also works fine, except Outlook prompts for a Username password when you start it. Some users are remote using RPC over VPN (rpc over http is off) and a slight connection hiccup, they are prompted again for credentials. Once I changed the SSL to accept client cert.. as one article suggested, the Auth prompt went away, but Autodiscover and out of office broke. Autodiscover basically returns an error that says a client certificate is needed. (it's NOT set to required) When I set it back to IGNORE client certs.. Autodiscover works again, but Outlook Prompts ofr Password. So I'm pretty sure Autodiscover is configured properly. SSL Changes were made on Autodiscover Virtual and currently that SHOULD be the ONLY non default setting. But as you say.. It should work out of the box.. so Something changed. On a side note something similar (outlook auth prompts) appears to be known issue in Small Business Server 2008 with a certain patch and security rollup 9 fixed it. That was a while ago and I'm not running SBS.. but it stands to reason EXCH SP3 with all the latest updates, running on 2008 R2 could possibly have an issue with default settings?
August 25th, 2010 8:08pm

Right, Outlook does connect to Autodiscover, EWS, etc. via HTTPS, even locally. I had overlooked that. ------------------------------------------------- Otherwise, I came across this in another forum. It has to do with Outlook 2010 but with some sugested solutions for these continual password prompts: http://social.technet.microsoft.com/Forums/en/office2010/thread/cd38f3f2-892f-470c-b52e-17b8beeb275e Around May 22 in particular, some suggestions are made. They may or may not help.
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2010 10:15pm

So Nobody has an idea? I cant find many people running Exchange 2007 SP3 on 2008 R2. I was thinking: The domain is still 2003.. No 2008 or 2008 R2 Domain controllers.. perhaps I need to update that?
August 30th, 2010 10:53pm

Have you tried to run the BPA to see if there are any issues with your topology?Yanir Ben-Nun / System Team Leader / IT / IS Professional
Free Windows Admin Tool Kit Click here and download it now
August 31st, 2010 9:58am

BPA checks out fine. I added a 2008 R2 DC to the environment as well to be sure it was not some weird authentication issues running 2008 R2 in a 2003 domain. So I'm back where I started. No clue. I have read and read and read and every other solution was invalid or has not worked. Again, cant find anyone with a problem running 2008 R2. Autodiscover is Broken with the SSL set to Accept client certs, but my internal users don’t get prompted for a password. (OOF and OAB are broken) Changing SSL on the Autodiscover directory to IGNORE client certs requires all my users to login, but all services work. This wouldn’t be so bad, but it will prompt them several times throughout the day..
September 15th, 2010 3:18pm

Hey x51b, Did you find a resolution to this? I recently migrated from SBS 2003 server to a Windows 2008 R2 with Exchange 2007 SP3. My outlook 2007 clients were getting prompted for authentication. I resolved this by doing the same thing and setting SSL set to Accept client certs. However, now they get a SSL cert prompt saying the" The name of the security certificate is invalid or does not match the name of the site" The SSL cert is owa.domain.com and owa/activsync work just fine. I performed the KB Artilce 940726 to set all the internal urls to owa.domain.com. The outlook clients are getting a certifcate prompt from autodiscover.domain.com which does not match the ssl cert of owa.domain.com. You say yes to the cert and email works just fine ,but OOF is broken. DNS resolves owa.domain.com correctly to the server ip address. Any help is greatly appreciated. Thanks in advance....
Free Windows Admin Tool Kit Click here and download it now
November 3rd, 2010 11:20pm

I have the same issue. Outlook is just connected randomly by HTTPS or TCP/IP, and it is prompted when connecting thru HTTPS. How do I set outlook2007 to connect thru TCP/IP internally? Anyone please help. Thanks all.
November 6th, 2010 10:04pm

X51B Execute Get-OutlookProvider | fl and check autodiscover config settings are correct.. You can compare the result with another servers also. Try this command so that outlook doesnt prompt for username and password. SET-OUTLOOKPROVIDE EXPR –Server $null Sumanth G
Free Windows Admin Tool Kit Click here and download it now
November 8th, 2010 8:44am

Thanks for the post. I compared the autodiscover config settings with another exchange server running Windows 2008 NON-R2 with exchange 2007 SP2 and everything looks the same. I ran the Set-outlookprovider command and the command completed successfully but no settings of 'EXPR'have been modified. Therefore, it was already set to null. Should I try this for 'web' or 'exch'? I am starting to think this is a Widnows 2008R2 with Exchange 2007 SP3 issue. Like I stated I checked my settings with another non-r2 server with exchange sp2 and everything looks the same. ANY suggestion would be greatly appreciated.
November 8th, 2010 10:53am

Thanks for the post. I compared the autodiscover config settings with another exchange server running Windows 2008 NON-R2 with exchange 2007 SP2 and everything looks the same. I ran the Set-outlookprovider command and the command completed successfully but no settings of 'EXPR'have been modified. Therefore, it was already set to null. Should I try this for 'web' or 'exch'? I am starting to think this is a Widnows 2008R2 with Exchange 2007 SP3 issue. Like I stated I checked my settings with another non-r2 server with exchange sp2 and everything looks the same. ANY suggestion would be greatly appreciated. You are now posting in two places with the same issue, which is confusing for everyone. I suggest that you stick with your own thread, rather than hijacking another one. http://social.technet.microsoft.com/Forums/en-US/exchangesvrmigration/thread/17cb4461-2053-417c-bac4-5a97abcaacb0/ Simon.Simon Butler, Exchange MVP Blog | Exchange Resources
Free Windows Admin Tool Kit Click here and download it now
November 8th, 2010 5:14pm

In my case the best solution was to apply the article: http://support.microsoft.com/kb/956531/en-us
December 29th, 2010 11:47am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics