RODC and Outlook 2007 - Credential window pops up

  • Question

  •    Hello to all, we installed several RODCs in branch offices and we do not have any writable DCs in these offices. We have Exchange 2007 at a core site and users use Outlook 2007 in the branch offices. The RODC in each branch office is configured to store the credentials of some users and machines of that RODC's office so they can be queried/changed locally when necessary. The weird part is that when a visitor arrives at a branch office (he/she is not a member of the password replication group of the RODC site, so his/her password is not stored locally) Outlook 2007 continually pops up the credential window, and it is solved only when the user object is inserted into the local password replication group for this specific RODC. I believe that this should not be necessary because the authentication request should be forwarded to a writable DC when a user is not part of the RODC password replication group. Could you help on this subject? Any opinions?

       Reference for apps that work on RODC: http://technet.microsoft.com/en-us/library/cc732790.aspx (Outlook is included).

       Best regards, EEOC.

    Thursday, September 20, 2012 4:55 PM

Answers

  •    Hello, the point is that a visitor to the RODC site, who does not have their password stored on the RODC, gets Outlook pop-up windows asking for authentication, and when the user enters the password the window keeps popping up. When this visitor user is inserted into the password replication group for the local RODC, all works fine. In my understanding, if a visitor is at an RODC site and is not in the local password replication group, an RWDC should authenticate the user if the WAN link is up and running. Do you agree with that?

        Best regards, EEOC.

    Yes, you are correct. If the user's password is not cached and the user logs in at the RODC site, they will be redirected to the RWDC for authentication, and the machine will establish a secure channel with the RWDC. Regarding caching, caching both the user's (PRP) and the machine account's password helps with logon during a WAN link failure. Simply caching the user's password will not allow the user to log in if the WAN is down, because, like the user, the machine too performs authentication to AD, and if the machine account password is not cached but only the user's is, the user will not be able to log in to the domain. The user can be validated, but their system will be treated as unauthorized.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Saturday, September 22, 2012 1:14 PM
    • Marked as answer by Yan Li_ Monday, October 1, 2012 1:36 AM
    Friday, September 21, 2012 12:41 PM
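    The accepted answer above comes down to a check an administrator can run before a visitor turns up: for the RODC in question, what is the resultant Password Replication Policy for the user and for the workstation they sign in from, and has each secret actually been cached there? The PowerShell below is an added example, not code from the thread or from Microsoft; it uses the standard ActiveDirectory module cmdlets, and the RODC, user and computer names are assumptions to replace with your own.

    ```powershell
    # Added example (not from the thread): for one visiting user and the workstation
    # they sign in from, report the resultant PRP on a given RODC and whether the
    # account's secret is actually cached ("revealed") there. Names are assumptions.
    Import-Module ActiveDirectory

    $Rodc     = 'BRANCH-RODC01'      # assumed RODC hostname
    $User     = 'visitor.jdoe'       # assumed sAMAccountName of the visiting user
    $Computer = 'LAPTOP-JDOE$'       # assumed sAMAccountName of their workstation

    # Accounts whose secrets have been replicated to (cached on) this RODC.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
                Select-Object -ExpandProperty DistinguishedName

    function Get-RodcCacheState {
        param([string]$Identity)
        $acct = Get-ADObject -Filter "sAMAccountName -eq '$Identity'" -Properties sAMAccountName
        if (-not $acct) {
            return [pscustomobject]@{ Account = $Identity; ResultantPRP = 'NotFound'; Cached = $false }
        }
        # Resultant PRP for this account as evaluated against the RODC (e.g. Allow or Deny).
        $prp = Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct.DistinguishedName -DomainController $Rodc
        [pscustomobject]@{
            Account      = $Identity
            ResultantPRP = $prp
            Cached       = ($revealed -contains $acct.DistinguishedName)
        }
    }

    $userState = Get-RodcCacheState -Identity $User
    $compState = Get-RodcCacheState -Identity $Computer
    $userState, $compState | Format-Table -AutoSize

    # The situation the accepted answer warns about: user cached, workstation not.
    if ($userState.Cached -and -not $compState.Cached) {
        Write-Warning "User is cached on $Rodc but the workstation is not: with the WAN down, domain logon will still fail."
    }
    if (-not $userState.Cached) {
        Write-Host "User is not cached on $Rodc; while the WAN is up, authentication is forwarded to a writable DC."
    }
    ```

    Run it from a machine with RSAT and an account that can read the RODC's PRP attributes. If the decision is to let the RODC serve the visitor during a WAN outage, both the user and the workstation have to be allowed and prepopulated; the allow entry can be added with Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList <account>, after which the RODC caches the secret on the next successful logon through it.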

All replies

  •    Hello to all, we installed several RODCs in branch offices and we do not have any writable DCs in these offices. We have Exchange 2007 at a core site and users use Outlook 2007 in the branch offices. The RODC in each branch office is configured to store the credentials of some users and machines of that RODC's office so they can be queried/changed locally when necessary. The weird part is that when a visitor arrives at a branch office (he/she is not a member of the password replication group of the RODC site, so his/her password is not stored locally) Outlook 2007 continually pops up the credential window, and it is solved only when the user object is inserted into the local password replication group for this specific RODC. I believe that this should not be necessary because the authentication request should be forwarded to a writable DC when a user is not part of the RODC password replication group. Could you help on this subject? Any opinions?

       Reference for apps that work on RODC: http://technet.microsoft.com/en-us/library/cc732790.aspx (Outlook is included).

       Best regards, EEOC.

    • Merged by Yan Li_ Friday, September 21, 2012 3:11 AM
    Wednesday, September 19, 2012 9:21 PM
  • Hi,

    Do you mean that when that user uses Outlook, a credential window pops up for him to enter the password? What happens after entering the password?

    If the RODC caches the account's password, then when the WAN link to the hub site is offline, the RODC can authenticate the user. It seems like your user could not contact your RWDC, so he always finds your RODC. Please refer to the links below for more about RODC:

    Password Replication Policy

    http://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx

    Understanding “Read Only Domain Controller” authentication

    http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx

    Regards,

    Yan Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Yan Li

    TechNet Community Support

    Friday, September 21, 2012 3:19 AM
  •    Hello to all, we installed several RODCs in branch offices and we do not have any writable DCs in these offices. We have Exchange 2007 at a core site and users use Outlook 2007 in the branch offices. The RODC in each branch office is configured to store the credentials of some users and machines of that RODC's office so they can be queried/changed locally when necessary. The weird part is that when a visitor arrives at a branch office (he/she is not a member of the password replication group of the RODC site, so his/her password is not stored locally) Outlook 2007 continually pops up the credential window, and it is solved only when the user object is inserted into the local password replication group for this specific RODC. I believe that this should not be necessary because the authentication request should be forwarded to a writable DC when a user is not part of the RODC password replication group. Could you help on this subject? Any opinions?

       Reference for apps that work on RODC: http://technet.microsoft.com/en-us/library/cc732790.aspx (Outlook is included).

       Best regards, EEOC.

    Exchange doesn't use an RODC, but Outlook works with the RODC. When a new user comes to the RODC site who doesn't have his password cached (better to cache the machine's password too), he needs to contact the RWDC site for the access/service ticket, even though an RODC is available locally.

    By default, an RODC can't issue Kerberos tickets for each service; you need to contact the RWDC to obtain a valid access/service ticket for the resources.

    All About (RODC) Read Only Domain Controllers: http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/

    Once a user is authenticated by the RWDC, they can work with the RODC, but the RODC alone can't authenticate the users.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, September 21, 2012 10:00 AM
  •    Hello, the point is that a visitor to the RODC site, who does not have their password stored on the RODC, gets Outlook pop-up windows asking for authentication, and when the user enters the password the window keeps popping up. When this visitor user is inserted into the password replication group for the local RODC, all works fine. In my understanding, if a visitor is at an RODC site and is not in the local password replication group, an RWDC should authenticate the user if the WAN link is up and running. Do you agree with that?

        Best regards, EEOC.

    Friday, September 21, 2012 11:54 AM