We have an Exchange 2010 SP1 (Latest Updates) box running on a Server 2008 R2 DC and on some of the INTERNAL Outlook clients keep prompting for a username and password when in the past they did not. It only happens for internal clients, external Outlook users (using Outlook Anywhere) haven't reported any issues. Outlook both internally and externally configure using AutoDiscover and use Outlook Anywhere internally and externally. The certificate on the server is a wilcard with multiple SANs listed issued by an internal CA. The internal CA is trusted on both internal and external clients. Is this an issue with Exchange, a update applied, Outlook or the network setup? Connection Status says connected using TCP/IP. ------------------- Reitzel Technology www.reitzeltechnology.com

Are internal clients supposed to be connecting via OA ? What does this return for internal clients? - http://technet.microsoft.com/en-us/library/dd638082.aspx Can you reproduce the issue? Does it happen to all users or some? Sukh

I have used the Microsoft Exchange Remote Connectivity Analyzer and it found no issues. Outlook works fine, just every so often at random times it will prompt. I don't know how to reproduce it. ------------------- Reitzel Technology www.reitzeltechnology.com

wasn't the RCA. Find out what the user is doing when this happens next. Checked the logs on the Exch servers?Sukh

Nothing in the logs except the normal stuff Exchange logs, not Red X's. I am wondering is it an update since it didn't happen before.------------------- Reitzel Technology www.reitzeltechnology.com

Not sure, not much to go on. What make you feel this is an update which caused the issue?Sukh

It didn't do this when we first deployed the server out after migrating from Exchange 2007. Exchange 2007 never did this. Everything is set correctly and the PC that is causing the issue is a member of the domain. Outlook Anywhere is set is Basic Authentication. One of my friends uses Exchange 2010 and they use Outlook Anywhere inside the network like I do, except their Exchange build is 14.1.323.3 and mine is 14.1.355.2. DHCP, AD, DNS, and File Services are on the Exchange Server. We have another 2003 R2 DC in the domain as well with DNS running as a backup. DNS for our .Com domain and internal domain are on the Windows DNS Servers for the internal network, but the URLs are pointing correctly.------------------- Reitzel Technology www.reitzeltechnology.com

So you have Exch on a DC? Something which isnt recommended, would not surprise me if this has something to do with it. Plan on moving it off the DC? you're on the latest RU6. Maybe apply another update SP2 and see how it goes?Sukh

We cannot move Exchange off the Domain Controller as none of the other servers are x64 so they won't run Exchange 2010. And we don't have 3 servers to have at least 3 DCs. Is SP2 for Exchange 2010 out already? Exchange 2007 was also on the DC and we had 0 issues. ------------------- Reitzel Technology www.reitzeltechnology.com

SP2 - http://www.microsoft.com/download/en/details.aspx?id=28190 if you decide to install. Sukh

Thanks. Do you think that the OAB could have something to do with it?------------------- Reitzel Technology www.reitzeltechnology.com

I've seen it cause issue like yours before, but if the URL's are set correctly it shouldn't. It;s difficult to capture issues like these. The next time it happens, or if you know of a user who this happens to on a regular basis, then I would consider having NetMon and Outlook logging enabled at the time of issue. This does depend on how the long the prompts last for and what actions are taken to stop the prompts.Sukh

Urls are correct. I read somewhere that I should try turning on Kernel Authentication on the Exchange 2010 Virtual Directories, I'm not sure if I should or not.------------------- Reitzel Technology www.reitzeltechnology.com

Some same turn this on or off depending on what it is set to.Sukh

One outlook client just prompted and I Cntrl-Click Outlook Icon and did Connection Status and hit reconnect and it went away. Nothing in logs and nothing was being done to the server or network------------------- Reitzel Technology www.reitzeltechnology.com

Are you sure they arent switching from from HTTPS and TCPIP for some reason. Sukh

I have 2 machines with Outlook open and they say TCP/IP. I did notice when it was disconnected it said HTTPS insted and the password pop up box had in the title name "Connecting to mail.reitzel...com" not the internal domain name or anything. mail.reit...com is our external hostname we use for outlook anywhere. So maybe it could be switching ------------------- Reitzel Technology www.reitzeltechnology.com

Didn't you say you use OA both internallt and externally. If you're connected using TCP/IP, then say a slow network connections is detected, then Outlook will swap to HTTPS, this is when you may be getting the passowrd prompt.Sukh

Outlook Anywhere is configured externally and internally using AutoDiscover. We have to use AutoDiscover to do Personal Archives. I have both of the boxes "On fast..." & "On slow..." uncheck in Outlook RPC Config. How do I prevent them from switching? The network is Gigabit, I don't see why it would be detecting slow...------------------- Reitzel Technology www.reitzeltechnology.com

That is the default behavoir, see if this helps - http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/158b6a0f-133a-4363-844e-e96698bc9a95/ Sukh

Would it help if I changed the Outlook Anywhere Authentication from Basic to NTLM? Internal clients are domain bound to the AD that has the Exchange server in it, but I also have uses that are bound to a completly different forest that use Outlook Anywhere to connect, would it affect them? Example of internal username: RTS\first.last Example of external user's username: RBI\first.last Which is it better to be set on? Basic or NTLM?------------------- Reitzel Technology www.reitzeltechnology.com

Would it help if I changed the Outlook Anywhere Authentication from Basic to NTLM? Internal clients are domain bound to the AD that has the Exchange server in it, but I also have uses that are bound to a completly different forest that use Outlook Anywhere to connect, would it affect them? Example of internal username: RTS\first.last Example of external user's username: RBI\first.last Which is it better to be set on? Basic or NTLM? ------------------- Reitzel Technology www.reitzeltechnology.com Hi Alan, Not I don’t think so. As you mentioned that: --external Outlook users (using Outlook Anywhere) haven't reported any issues. --Connection Status says connected using TCP/IP. I believe the Outlook client is not connecting via Outlook Anywhere which should show as http. Change the authentication will not help and it might, very likely, affect the external Outlook users. To troubleshoot this issue, we need to know when, and what is prompted for the credentials. In another words, is it prompt for mailbox login, or for web-based service? So Please try to reproduce this issue or wait, and then capture a screenshot for the credential prompt box. Meanwhile, capture a screenshot for the problematic client’s Connection Status. Besides, please help collect the following information: 1. If you enter the correct credentials (type in a notepad and then copy and paste it in the box, do NOT use a saved password), does the issue continues? 2. If you cancel the prompt box, can you continues send/receive email message in Outlook? 3. Does the issue occurs in OWA? 4. Check the application event log in your Exchange server and the GC server to see if there is any error recorded. 5. Verify the IIS log in your CAS server to see if there is any error. Thanks. Fiona Liao TechNet Community Support

By the way, you may verify the web-based service virtual directory permission setup according to the article below: http://blogs.technet.com/b/exchange/archive/2010/09/23/3411146.aspx Hope it is helpful.Fiona Liao TechNet Community Support

It is changing from connecting over TCP/IP to connecting over HTTPS for internal clients. The only reason it didn't happen in 2007 was Outlook Anywhere was using NTLM authentication. Because when it randomly pops up (I guess when a slow link is detected) it will pop up the connect to box like external clients get and when I check the connection status, it shows HTTPS disconnected. So I close out of Outlook and reopen it and it will connect without a password and the connection is TCP/IP. The permissions are the same they were when I set up Exchange and I have reset the virtual directorys to defaults more than once. ------------------- Reitzel Technology www.reitzeltechnology.com

You can have NTLM selected with basic too. NTLM should give you an integrated experience, with basic you will get prompted for credentials which seems like the case with you. If you are seeing HTTPS, then Outlook is attempting to connect via OA. Try and disable/adjust as mentioned in the other link or add NTLM and test.Sukh

I changed it to NTLM but autodiscover keeps setting it to Basic.------------------- Reitzel Technology www.reitzeltechnology.com

Where are you chaning this from?Sukh

I changed it from the Managament Console. If I manually set it to NTLM it works, but then autodiscover will change it back------------------- Reitzel Technology www.reitzeltechnology.com

try via the shellSukh

What is the command for that?------------------- Reitzel Technology www.reitzeltechnology.com

See this - not sure now - but basic may still wor as this via IIS i.e for OA. http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/21867578-e623-4756-b483-dfb31162a665/Sukh

Same here. Did an update process last night, reboot, now a majority of my clients continuously are prompted for credentials. This has happened before with a few clients, on and off, ever since we put in SBS 2011. I've changed the security in IIS and changed the authentications, still nothing. This is happening to Outlook 2003, 2007 and 2010 clients, so it doesn't appear to be a client issue. Going to go through all the links you've provided to double check everything. EDIT: To make things weird, Outlook actually shows connected, but the prompts keep on coming.

I will be updating to SP2 this evening to see if the issue resolves, on top of going through my configuration for anything glaring.

OK, so here is what seems to have worked for me, disabling Basic Authentication on the autodiscover website. But, can't do it through IIS, need to do it from an admin exchange powershell, and here is the command. If you left everything as default during your Exchange install, this should work as is. Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -WindowsAuthentication $true -BasicAuthentication $false

Hi Jimmy, Thanks for your update and sharing. It is glad to see the issue is resolved. Just for your reference: http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/9d1d0c7a-a943-405c-be13-99115c160bbd/ Fiona Liao TechNet Community Support