none
Outlook 2010 keeps prompting for Exchange server password

    Question

  • I have found tons of threads about this issue, but have not been able to find a solution yet.

    I am running Exchange 2010 SP1 in a small domein environment, 1 DC, 1 Exchange Server

    I was running exchange 2010 SP1 for about a year, after this year i was asked to implement Outlook anywhere.

    Since i have implemented this feature, the existing clients (desktops in the domain) are often prompted for their exchange password.

    Remote (domain/laptop) users only need to enter their password once, when they start Outlook, which is acceptable, but doesnt seem to be how its designed ?

    What can be the cause of this issue ? Can someone please guide me through it, im not an Exchange 2010 Expert :)

    Thank you

    Wednesday, April 04, 2012 10:04 AM

Answers

  • If you have Outlook Anywhere enabled, then you should force all Outlook clients to use HTTP when connecting.  Ensure you have  "On fast networks, connect using HTTP..."  AND "On slow networks, connect using HTTP...".  If you don't, anytime you dock, undock, get a new IP address, refresh your IP address, go to sleep, idle, anything that causes your IP stack wants to renegotiate connectivit will cause a password prompt to appear, EVERYTIME.

    Changing the authentication mechanism can help, but I've found by forcing everyone to use HTTP will mitigate the prompting of credentials.

    These settings can be found under your Outlook profile, "More Settings > Connection > Exchange Proxy Settings."

    I hope this helps.  Let me know if you need further assistance.


    Travis J. Moore Exchange | Senior Engineer Planet Technologies | www.Go-Planet.com

    Thursday, April 12, 2012 11:21 PM

All replies

  • If you go to

    control panel - user account - Advanced tab - manage passwords

    are there any cached passwords there?

    Wednesday, April 04, 2012 10:40 AM
  • Can you please tell me what authentication are you using on , have tried changing to NTLM authentication on the security tab . Is this for One user or for all the users .Just a simple question, have you restarted the server after the SP1 have been applied? Give it a try If it doesn't help check with ExBPA and update the thread.  Thanks

    Wednesday, April 04, 2012 11:16 AM
  • I have not tried the NTLM authentication yet, i have 2 external users who are not on the domain with their machines, will they still be able to authenticate ?

    SP1 was installed from the begining. 

    BPA didnt give me any strange things.

    Wednesday, April 04, 2012 12:00 PM
  • Ok it's two user can you ask one of them to check and see what authentication settings they have set on users outllook client 

    Go to > Data Files >Connections > Outlook Anywhere >click on Exchange Proxy Settings >Check what authentication is set if it's baisc tell him to change it to NTLM. ( Outlook - 2010 )

    Or what you can give a try as below with one of the user :- 

    Before you do anything else, close Outlook and any WebEx applications. You should also note that we’ll be modifying system generated files here, so proceed with caution or not at all.

    Open up windows explorer window and then paste the following text into the address bar, which should bring you to a folder with a single folder inside with a really long name.

    %userprofile%\AppData\Roaming\Microsoft\Protect

    What you’ll need to do is just rename that folder to something else (I suggest appending -old onto the end of it so that you could easily rename it back if things go wrong)

    Now re-open Outlook and then type in your password hopefully for the last time, making sure to check the box to remember it. You should now see that the original folder was re-created again.

    At this point Outlook should remember your passwords, but you can close Outlook and reopen it to make sure. If you encounter problems with this, you can remove the new folder and then rename the -old folder back to the original name to put everything back the way it was. Thanks

    Wednesday, April 04, 2012 12:37 PM
  • Its the internal users who have the problem, not the 2 external, they understand they need to insert a password.

    The internal users are on the domain, they previously had no problem, untill i turned on Outlook anywhere.
    Can i Safely enable NTLM auth on the server ? should this fix my problem ?

    Wednesday, April 04, 2012 12:40 PM
  • If your not using NTML can I assume you;re using Kerberos?

    If you are using Kerberos try using Klist on the clients to purge the locally held tickets.

    Another approach would be to install Wireshark on a client and try and capture the password prompt. This should show you exactly how it is trying to authenticate and whether the issue is on the client, the exchange box or the DC.

    Wednesday, April 04, 2012 12:44 PM
  • I see its currently set to Basic Authentication using the Management Console

    there are only 3 options:

    Basic
    NTLM
    Negotiate Ex authentication (help says do not use)

    Wednesday, April 04, 2012 12:47 PM
  • Is autodiscover switched on?
    Wednesday, April 04, 2012 12:59 PM
  • Yes it is
    Wednesday, April 04, 2012 1:00 PM
  • First Can you give a try with the 2nd option what i mentioned with one of the user... renaming the folder.. Thanks 
    Wednesday, April 04, 2012 1:09 PM
  • Outlook should not prompt for a password at all ? i should just use windows authentication doesnt it ?
    Wednesday, April 04, 2012 1:11 PM
  • See you mentioned that it's happening with the internal users correct ? when they connect  from LAN or from Home Network ? pls specify and as only these two users are having the issue NOT all, so it's always first preference to check from the users side instead of Server.
    Wednesday, April 04, 2012 1:30 PM
  • All internal users face this problem on LAN. Including new users, autodiscover automaticly enables outlook anyware in outlook. Above i mentioned i have 2 external users, of who i wondered if enabling NTLM would cause a problem for them. If not, isnt setting the security to NTLM the best practise ?


    Wednesday, April 04, 2012 1:34 PM
  • NTML is more secure than basic authenticaion and would mean users would never have to type in their username and password when using Outlook.  However NTML will only work with external clients if you have a compatibale firewall. For details see here

    http://www.sysadminlab.net/exchange/outlook-anywhere-basic-vs-ntlm-authentication-explained

    The autodiscover feature may be why you internal users are receiving requests for their password. Read the autodiscover section in this artcile. although it's for 2007, 2010 works in the same way

    http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2300-Outlook-continually-prompting-for-username-and-password.html

    or here

    http://demazter.wordpress.com/2010/02/09/outlook-continually-prompting-for-username-and-password-2/

    Wednesday, April 04, 2012 1:43 PM
  • Thanks for the links, they are helpful

    So it seams basic authentication causes the prompts. 
    Im using a Sonicwall firewall, altough im not sure if it support NTLM, i think i might find my solution in the autodiscover as well.

    My internal users, including notebook users, dont even know about this feature. They have a VPN client to connect their outlook to the office. Most are used to this and seems to be the recommended approuch. 

    As mentioned, i installed the outlook anywhere because of the 2 external users who need access.

    Would the solution be to make sure all internal (domain member) computers use the normal exchange connection and the 2 external users manualy set the connection to use https over rpc.

    Would that work ? if so, how hard is this to implement, cant imagine im the first in this :)

    Thanks again

    Wednesday, April 04, 2012 1:56 PM
  • I think you'll have to use basic authentication if you want external users to access you exchange.

    This forum answer might also be applicable

    http://social.technet.microsoft.com/Forums/en-US/exchangesvrmobility/thread/d7ae620e-7301-49e3-ac51-2069cfb1b7ce/

    Wednesday, April 04, 2012 2:08 PM
  • Hello,

    Any updates?

    Best Regards,

    Lisa

    Monday, April 09, 2012 6:58 AM
  • I'm in the same boat as others here.  I have switched off of Kerberos to NTLM and it still asks

    It says need password at the bottom.  It still allows email in and out.  Any thoughts?

    -Jim Ponder


    JimPonder

    Thursday, April 12, 2012 8:11 PM
  • If you have Outlook Anywhere enabled, then you should force all Outlook clients to use HTTP when connecting.  Ensure you have  "On fast networks, connect using HTTP..."  AND "On slow networks, connect using HTTP...".  If you don't, anytime you dock, undock, get a new IP address, refresh your IP address, go to sleep, idle, anything that causes your IP stack wants to renegotiate connectivit will cause a password prompt to appear, EVERYTIME.

    Changing the authentication mechanism can help, but I've found by forcing everyone to use HTTP will mitigate the prompting of credentials.

    These settings can be found under your Outlook profile, "More Settings > Connection > Exchange Proxy Settings."

    I hope this helps.  Let me know if you need further assistance.


    Travis J. Moore Exchange | Senior Engineer Planet Technologies | www.Go-Planet.com

    Thursday, April 12, 2012 11:21 PM
  • I have to disagree to a point.  The question pertains to the internal users.  I have found (after much blog research) if you have Autodiscover turned on that to set up internal users you have to turn the checkboxes off for  "On fast networks, connect using HTTP..."  AND "On slow networks, connect using HTTP..."  This will set the Outlook to use TCP/IP.  You can check the connection status by CTRL-Right Click the Outlook icon in the task bar and click on connections.  If those two checkboxes are turned off you will see the connection status as TCP/IP and no longer will need to insert username and password.

    Microsoft has information to help create a user GPO for the Outlook Anywhere settings here: http://support.microsoft.com/kb/961112?ppud=4&wa=wsignin1.0

    Here are the Microsofts steps to create the GPO:

    Add the GPO template (article-961112.adm) to the group policy object editor:
    Download the file from here: http://download.microsoft.com/download/F/B/C/FBC43645-89EA-4FB4-828C-DFE27C360233/article-961112.adm 
    • In the Group Policy Object Editor add the Article-961112.adm file:
      1. Right-click Administrative Templates and click Add/Remove Templates.
      2. In the Add/Remove Templates dialog box click Add.
      3. In the Policy Templates dialog box locate and select the Article-961112.adm file. Click Open.
      4. Click Close in the Add/Remove Templates dialog box.
    • Under User Configuration in Administrative Templates expand the policy node labeled Article 961112 Policy Settings.
    • Select the Outlook Anywhere (RPC/HTTP) node to list the following policies under the Setting column in the right-pane:
      • RPC/HTTP Connection Flags
      • Proxy Server Name
      •    Only Connect if Proxy Server certificate has this principal name
      • Proxy authentication Setting

    Here is the GPO I have created to apply to the internal computers so autodiscovery does not keep changing the settings:
    User Configuration - Policies - Administrative Templates

    Article 961112 Policy Settings/Outlook Anywhere (RPC/HTTP)

    Policy Setting Comment
    Only connect if Proxy Server certificate has this principal name Enabled
    Specify the Proxy Server Principal Name (see Explain tab) msstd:mail.yourservername.org
    Policy Setting Comment
    Proxy authentication setting Enabled
    Authentication used to connect with the proxy server. Basic authentication
    Policy Setting Comment
    Proxy Server Name Enabled
    Specify the Proxy Server Name: mail.yourservername.org
    Policy Setting Comment
    RPC/HTTP Connection Flags Enabled
    Select a combination of RPC/HTTP connection flags. (see Explain tab for details) No Flags

    Microsoft Outlook 2010/Account Settings/Exchange

    Policy Setting Comment
    Cached Exchange low bandwidth threshold   Disabled

    Here's to hoping it helps others with the same issues I have had!

    Tuesday, October 30, 2012 6:21 PM
  • Hi
    I also faced the same issue after enabling outlook anywhere. Some users get prompted for username and password. All these users were internal who are connect to LAN. I checked the outlook of the affected internal users and found that outlook anywhere was enabled for these internal users also. I unchecked the "connect to microsoft outlook using http" option in outlook settings and the problem is solved.
    • Edited by KMSameer Monday, January 14, 2013 6:50 PM
    Monday, January 14, 2013 6:49 PM
  • Try this on exchange management shell

    Get-outlookprovider –identity EXPR | remove-outlookprovider

    it solved my issue.

    Please go the link below for more details

    http://ilantz.com/2009/06/18/prevent-outlook-anywhere-aka-rpc-over-http-from-being-automaticly-configured-in-exchange-2007-with-autodiscover/

    • Proposed as answer by lakewood305 Wednesday, April 03, 2013 2:10 PM
    Wednesday, January 16, 2013 11:24 AM
  • I had this problem this morning in my Organitation, I just did the following:

    * Go to all CAS servers

    * Click on Windows icon then type "Services.msc" / right click  and "run as administrator"

    * Restart the services:

          * Microsoft Exchange EdgeSync 

          * Microsoft Exchange POP3

          * Microsoft Exchange IMAP4

          * Microsoft Exchange RPC Client Access, and that was all.

    I hope it helps you guys



    • Edited by j0rt3g4 Friday, May 16, 2014 2:28 AM
    Wednesday, April 03, 2013 3:29 PM