Outlook Anywhere does not work over SSL with associated external accounts
I have an Exchange 2003 SP2 organization where many users connect to Exchange 2003 with Outlook clients configured with Outlook Anywhere (RPC over HTTP) within our internal company WAN. Late last week, Outlook Anywhere stopped working for associated external accounts in which we have trust relationships with their domains. Their Outlook clients will continually prompt them for their credentials and in some cases their Outlook client will freeze when trying to send a message.

Some facts:
- Outlook Web Access works fine for all users, including associated external accounts.
- The public SSL certificate is valid and appears so in OWA.
- If associated external accounts turn off Outlook Anywhere or point to another OWA Server which does NOT require SSL, Outlook Anywhere works.
- Internal accounts on the same domain as the Exchange Organization can use Outlook Anywhere fine with SSL.

So the problem only seems to be with associated external accounts using an SSL connection for Outlook Anywhere. Again, OWA itself, which uses the same cert, works fine and internal accounts can use Outlook Anywhere fine. I see no related errors on the Exchange Servers nor domain controllers. Any ideas?

Steve
April 25th, 2011 7:27pm

Hello Steve,

Some questions:
1. Does this issue occur for all the OA users, or does it only happen for the associated external users?
2. Which Outlook version did the problematic users work in: Outlook 2003, Outlook 2007, or both of them?
3. Did you change any configuration on the server before the issue first occurred?

You can use the following web site to test the ROH connection for the problematic user: https://www.testexchangeconnectivity.com/

Thanks,
Simon
April 28th, 2011 10:20pm

Thanks for replying. I am sure now that the problem is related to directory access only. Outlook hangs or you get prompted for credentials when Outlook tries to perform a directory connection. I believe the Exchange servers are trying to access GCs at other locations when it cannot connect to its local GCs.

1. I do have cases where users get login popups for internal accounts. So it is NOT just associated external users. It is also intermittent. Some users are affected and some are not at all. It appears that users with a global catalog server in their location are not affected at all, but I am not sure if that is related. All the Exchange Servers are centralized in 1 data center with 2 GCs at a different location from users. The Outlook authentication popups seem to occur during directory lookups. If you ignore the popups, mail still seems to flow.

2. I did some testing and it does appear to be only Outlook 2003 users. I tested one mailbox with both Outlook 2003 and Outlook 2007 and only the Outlook 2003 client gets login popups. But if I do a "Download Address Book" on Outlook 2007, it hangs. So again, the problem seems to be with directory lookups.

3. I can't think of any configuration changes that were made. The problem started last Thursday and the only change before the problem was the day before, when I changed the purportedSearch attribute for the CN=Mailbox Enable User object based on http://technet.microsoft.com/en-us/library/aa998426(EXCHG.80).aspx . I don't believe that this best practice change would cause the problem.

The workaround we are using is to turn off Outlook Anywhere on Outlook clients, which works in most cases. I am seeing a lot of 401 errors in the IIS logs on the OWA servers which increase during heavier usage periods, so the problem does seem to be related to heavier load. Any ideas?

Steve
April 29th, 2011 11:28am
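An added example, not part of any post in this thread: one way to check the observation above that 401 responses rise with load is to bucket RPC proxy requests from the IIS W3C logs by hour and compare the share of 401s. The sample log lines and field layout are constructed; some 401s are a normal part of the authentication handshake, so the ratio is more useful than the raw count.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2011-04-28 09:01:10 RPC_IN_DATA /rpc/rpcproxy.dll - 10.0.1.20 401 2
2011-04-28 09:01:11 RPC_IN_DATA /rpc/rpcproxy.dll CORP\\alice 10.0.1.20 200 0
2011-04-28 09:05:42 GET /exchange/alice/ CORP\\alice 10.0.1.20 200 0
2011-04-28 14:02:03 RPC_OUT_DATA /rpc/rpcproxy.dll - 10.0.2.31 401 2
2011-04-28 14:02:04 RPC_OUT_DATA /rpc/rpcproxy.dll - 10.0.2.31 401 1
2011-04-28 14:02:09 RPC_IN_DATA /rpc/rpcproxy.dll - 10.0.2.31 401 1
2011-04-28 14:03:30 RPC_IN_DATA /rpc/rpcproxy.dll CORP\\bob 10.0.3.7 200 0
truncated line
"""

def rpc_401_by_hour(lines, uri_stem="/rpc/rpcproxy.dll"):
    """Return {hour: {"total", "401", "clients"}} for requests to the RPC proxy."""
    fields = []
    stats = defaultdict(lambda: {"total": 0, "401": 0, "clients": set()})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # skip truncated or malformed lines
        row = dict(zip(fields, parts))
        if "date" not in row or "time" not in row:
            continue
        if row.get("cs-uri-stem", "").lower() != uri_stem:
            continue                       # ignore OWA and other traffic
        bucket = stats[f'{row["date"]} {row["time"][:2]}:00']
        bucket["total"] += 1
        if row.get("sc-status") == "401":
            bucket["401"] += 1
            bucket["clients"].add(row.get("c-ip", "?"))
    return dict(stats)

def report(stats):
    """Sorted (hour, 401 count, total, 401 ratio, client IPs) rows."""
    return [(h, s["401"], s["total"], round(s["401"] / s["total"], 2),
             sorted(s["clients"])) for h, s in sorted(stats.items())]

if __name__ == "__main__":
    for row in report(rpc_401_by_hour(SAMPLE_LOG.splitlines())):
        print(row)
```

Grouping the client IPs by site shows whether the affected hours line up with locations that lack a local global catalog.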


I believe I found a hotfix. We are seeing the Exchange Server going to GCs outside its own AD site. This hotfix will stop that from happening. I did this Outlook client side fix and it pointed to the correct GC at my data center and the directory access problem.

HKCU\Software\Microsoft\Exchange\Exchange Provider
REG_SZ (string): DS Server

What do you think?

The DSProxy service does not direct an Outlook client to the global catalog servers that you want to use in Exchange Server 2003
http://support.microsoft.com/kb/912584

Steve
April 29th, 2011 7:19pm

Yes, you can schedule a downtime to apply this hotfix. Thanks, Simon
May 2nd, 2011 12:35pm

I applied the KB912584 hotfix on the backend Exchange Servers and it worked. So the problem was that Exchange was redirecting Outlook clients to out-of-AD-site GCs for directory lookups, which they could not access. Their email delivery was actually fine. It was just the directory access connections that were creating the user authentication popups and Outlook hangs.

One thing the KB article failed to mention is that your backend Exchange 2003 SP2 Servers require a reboot for the registry change you make after you install the hotfix to take effect.

Thank you for your help.

Steve
May 6th, 2011 7:58am
