Outlook password prompts on Windows 7. Stored credentials in Control Panel ends with ":PUT"

    Question

  • Hello,

    I posted this question on Exchange Client forum but moderator asked me to put this question under windows client forum.

    We have a messaging environment on Exchange 2010. Some of our users get intermittent password prompt issues with their Outlook profile. We perform different troubleshooting steps to resolve it. Let's put all other troubleshooting aside for now and discuss a common observation I have seen in most cases.

    Most of our users are on Outlook 2010 with Windows 7 (also some combination of Outlook 2007 and Windows XP). When we launch Credential Manager in Control Panel, there are some strange entries under Generic Credentials that look like "MS.Outlook:user@casarray.domain.com:PUT". If we delete the credentials that end with ":PUT", the password prompt goes away.

    I have done a lot of searching, but there is no information on the Microsoft site about where ":PUT" gets added from, how this occurs, or whether this is an Outlook or OS issue. This has looked like a bug for a while, but no hotfix is available (or known to me, at least). We have many thousands of mailbox users in our environment and anyone may come across this problem. It is not practical to delete these strange credentials for every single user manually. There should be at least a hotfix for this problem.

    Can anyone explain more to me about these ":PUT" credentials under Credential Manager? What do they signify and how can this be rectified permanently?

    Thanks,

    Rajdeep


    • Edited by RajdeepSen Thursday, August 23, 2012 10:58 AM
    Thursday, August 23, 2012 10:55 AM

All replies

  • Hi,

    The entry in generic credentials appears because the users chose to save their password when accessing Outlook. After the credential is stored, users do not need to input credentials for the program, such as Outlook. As for the issue, it occurs because users changed their password, but the stored credential is always sent for authentication; the domain controller detects the incorrect password and then users receive the credential prompt.

    When users input the correct username and password, they should access Outlook normally, but the next time Outlook is launched, the stored credential is still sent as before, and again the credential prompt pops up.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, August 24, 2012 1:24 PM
  • Hi Diana,

    Thank you so much for such a great explanation.

    I am still looking for help with the other part. When a user changes the password, he is prompted for a password in Outlook. The user enters his credentials with the new password and also checks "Remember my credentials". This option ideally updates the Credential Manager, but the old credentials (as explained by you) still show up in the Credential Manager with trailing ":PUT" characters. They don't go away and users have to delete them manually or else, when Outlook is re-opened, it prompts for the password again. It looks like it is still fetching credentials from the wrong one (:PUT) and not the latest one that the user saved after resetting the password.

    This is buggy. Windows should either remove stale credentials automatically or at least it should refer to the latest saved credential for authentication. Is there a permanent fix for this or is this something not reported yet?

    Thanks,

    Rajdeep

    Friday, August 24, 2012 2:24 PM
  • Hi Rajdeep,

    Windows 'Credential Store' supports different types of network passwords. Each type uses a different kind of encryption and storage mechanism. Also, each type of password requires a different level of access privileges for decryption. The "Generic Password" (Generic Credentials) type is used to store all user-specific credentials and only that user can decrypt such passwords. After a user changes his password, he cannot decrypt the stored credentials and has to resave them after deletion.

    If you would not like to store the credential on clients, we can disable Credential Manager completely; you can refer to the method below:

    1. Log in to a specific client as administrator and open Registry Editor.

    2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, create a DWORD value DisableCredMan and set it to 1, then reboot the client. The client will not store credentials.

    Best regards

    Diana



    Monday, August 27, 2012 4:05 AM
  • Hi Diana,

    Thanks for your reply. It sounds like we have only two options here:

      • We can completely disable Credential Manager by modifying the registry (as suggested above) so that users can't store any credentials on the client machine, and they will always be prompted for a password every time they open Outlook.
      • Users would have to manually delete old credentials (trailing ":PUT") and then enter new credentials and save them until the next password expiration. There is no way that we can configure cleanup of old credentials automatically without any manual intervention.

    Please let me know if I misunderstood this by any chance.

    Thanks,

    Rajdeep

    • Proposed as answer by kitteboo Wednesday, May 08, 2013 8:24 PM
    Tuesday, August 28, 2012 8:23 AM
  • Hi Rajdeep,

    At the moment, I have a new idea: let's check whether the stored entry is changed after users change their password and choose to save the password.

    You can run the following command before and after the issue happens, and paste the output here:

    cmdkey /list

    Thanks

    Diana



    Wednesday, August 29, 2012 9:21 AM
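
One way to script the manual cleanup discussed in this thread, as an added example that is not part of any poster's reply and not Microsoft's code: it parses `cmdkey /list` output and deletes only generic `MS.Outlook:...:PUT` entries. It assumes English-language cmdkey labels and that `/list` may show the target with a `LegacyGeneric:target=` prefix; the function names and sample data are hypothetical.

```powershell
# Added example, not from the thread. Assumes English-language cmdkey output
# ("Target:" / "Type:" / "User:" labels). Compatible with PowerShell 2.0.

# Parse the text of `cmdkey /list` into one object per stored credential.
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { New-Object PSObject -Property $entry }
            $entry = @{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($entry -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $entry[$Matches[1]] = $Matches[2]
        }
    }
    if ($entry) { New-Object PSObject -Property $entry }
}

# Delete only generic Outlook entries whose target ends in ":PUT".
function Remove-OutlookPutCredential {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Lines = (cmdkey /list))
    ConvertFrom-CmdkeyList $Lines |
        Where-Object { $_.Type -eq 'Generic' -and
                       $_.Target -match '(^|target=)MS\.Outlook:.+:PUT$' } |
        ForEach-Object {
            # cmdkey /delete takes the bare target name, without any
            # "LegacyGeneric:target=" prefix shown by /list (assumption).
            $name = $_.Target -replace '^.*?target=', ''
            if ($PSCmdlet.ShouldProcess($name, 'cmdkey /delete')) {
                cmdkey "/delete:$name" | Out-Null
            }
            $_   # emit the entry so the run can be logged
        }
}

# Constructed sample output; the names are placeholders modelled on the thread.
$sample = @(
    'Currently stored credentials:', '',
    '    Target: LegacyGeneric:target=MS.Outlook:user@casarray.domain.com:PUT',
    '    Type: Generic',
    '    User: DOMAIN\user', '',
    '    Target: Domain:target=fileserver.domain.com',
    '    Type: Domain Password',
    '    User: DOMAIN\user'
)
# Dry run against the sample: reports what would be deleted, changes nothing.
Remove-OutlookPutCredential -Lines $sample -WhatIf
```

Credential Manager entries are per user, so the function has to run in the affected user's own session (for example from a logon script); omit `-Lines` and `-WhatIf` to act on the live store.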
  • Hi Diana,

    I will have my colleagues at helpdesk team check this with a user who will reset password next time. This may take a few days. I will update this thread once I have more information.

    Thanks,

    Rajdeep

    Wednesday, August 29, 2012 10:03 AM
  • Hi Rajdeep,

    I have done testing on my machine. I saved the password for Outlook and then changed my password. When I opened Outlook I received the credential prompt, then I typed the new password and checked "Save my password". I opened Outlook again, typed the new password and checked "Save my password"; after that the credential dialog box disappeared.

    So the stored entries are updated after changing the password.

    Thanks

    Diana



    Thursday, August 30, 2012 6:43 AM
  • Hi Diana,

    It appears that you had to check "Remember my credentials" twice, as per the above post. I just have to check it once after I change my password. To reproduce the password prompt again, I removed my old credential from the vault. It created a new entry again which also had a trailing ":PUT". This is now confusing: how does a newly saved credential have ":PUT"? It is supposed to show up after the password expires. However, this has never caused a problem for me or for most of the users in our environment. But there are some users who have to remove such credentials and then save the new password to get rid of the password prompt. I have requested my colleague at the Helpdesk to run "cmdkey /list" before and after the issue occurs for any end user at his site.

    Thanks,

    Rajdeep

    Thursday, August 30, 2012 7:46 AM
  • Hi Rajdeep,

    During my testing, I checked the entries stored in Credential Manager, and the related Outlook entry always ends with :PUT. PUT means Pointer to User Target; I think it should not be related to the issue.

    Thanks

    Diana



    Thursday, August 30, 2012 8:05 AM
  • Hi Diana,

    I appreciate your quick reply. All the information provided by you is really helpful. I will provide the credential information when we deal with any affected user next time.

    Thanks,

    Rajdeep

    Thursday, August 30, 2012 8:09 AM
  • This has already been covered by Microsoft and their resolution is scrappy at best.

    http://support.microsoft.com/kb/2762344

    Monday, March 04, 2013 10:34 AM
  • I believe that is "scrappy" with a silent "s".
    Thursday, June 27, 2013 7:30 PM
  • So our options are to leave it a manual process of deleting the entries in CredMon or disabling CredMon altogether?

    Thursday, June 27, 2013 7:33 PM