Hi,

User unable to access Outlook ~ with correct password but always prompt for credential.

However, no issue if I granted same user with domain admins right.

Any idea?  Please advice.  Thanks.

Regards,

Hi Kelvin,

Please check whether the issue happens to all users. If that is the case, please make sure all Exchange services are started and running. And check the Outlook Anywhere authentication in Exchange 2013:

Get-OutlookAnywhere | FL

If the issue only happens to specific users, please do the following changes:

In Control Panel, click Mail > Show Profile. Select the VPN account profile, click Properties > E-mail Accounts > Change > More Settings > Security > Select Negotiate Authentication and uncheck Always prompt for logon credentials > OK.

Then make sure the Server name and User name are correct and can be checked in AD by clicking Check Name.

Additionally, please try to clean up the cached credential in your computer. Then fill in with the format of UPN when it prompted for credentials next time and check the Remember my credential to save it. About how to remove cached credentials, please follow these steps:

1. Launch the Credential Manager from Control Panel > All Control Panel Items > Credential Manager.

2. In the Generic Credentials section youll see a setting for [MS Outlook] which will include your SSO details. Click the downward-pointing arrow to the right of that value.

3. In the expand details, click Remove from vault. Then Outlook will no longer have a stored copy of your password.

Regards,

Hi Winnie,

I have checked and don't think it is related to your suggestion.

Guess it is more to permission issue as there is no problem if I add this normal user to domain admins.

Regards,

Hi Winnie,

I have checked and don't think it is related to your suggestion.

Guess it is more to permission issue as there is no problem if I add this normal user to domain admins.

Hence, it is also working once I changed Outlook Anywhere authentication method to Negotiate.

It was configured as NTLM.

Regards,

Hi Kelvin,

Negotiate authentication is a combination of Windows integrated authentication and Kerberos authentication. If we employ negotiate authentication, exchange will authenticate the client using NTLM authentication type and if unable to verify authenticity, will challenge the client to authenticate using a username and password.

Therefore, if there is no window prompted for credential when using Negotiate Authentication for Outlook Anywhere, the client should be authenticated with NTLM authentication type. If the issue only happens to one specific user, please double confirm my suggestion in my original posting. Also check whether the problematic user can access the mailbox from OWA.

If the user also cant access mailbox from OWA, there may be a permission issue. We can check the Full Access Permission in server side, and make sure the NT AUTHORITY\SELF is listed in Full Access Permission list:

Get-MailboxPermission UserA

Regards,

Hi Winnie,

Don't think it is user permission issue.

All users have no problem when I created new exchange, configured NTLM and re-point DNS A record for both CAS/autodiscover to this new exchange.

I think the issues are related IIS settings.

Regards,