none
Outlook keeps asking to authenticate Exchange 2013 RRS feed

  • Question

  • Hi,

    We are busy migrating from Exchange 2010 to Exchange 2013. I have migrated a few test accounts and OWA is working fine. When using OUtlook 2010 or 2007 on the migrated accounts as soon as you launch Outlook it prompts you for a username and password. I enter the details and it asks for the credentials again.

    The following authentication has been set:

    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm}

    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

    Our autodiscovery is still pointing to the Exchange 2010 box as is our certificate in DNS.

    Please assist.

    Monday, August 5, 2013 10:53 AM

Answers

  • Hi,
    Autodiscover should be moved to EX13 before you move any mailboxes and it is also important that you have replaced the self-signed certificate with a certificate your clients trusts.


    Besides from the above, you also need to make sure that the Outlook are at the minimum supported (for Exchange 2013) patch level. That will mean:

    Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000)

    Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000)

    If that isn't the case, Outlook will not be able to connect to Exchange 2013.



    Martina Miskovic

    Monday, August 5, 2013 5:26 PM
  • That legacy URL (/exchange) was used in Exchange 2003 and will not work for Exchange 2013.
    Inform your users to start using https://mail.domain.com/owa or only https://mail.domain.com (/owa will be added automatically)

    Greg Taylor from Microsoft held a session at TechNet NA, that I highly recommend everyone to see. It has a lot of good information on what to think about when it comes to the CAS Role and Coexistence (link below)

    Microsoft Exchange Server 2013 Client Access Server Role
    http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/OUC-B313#fbid=kbksvTyvK5o


    Martina Miskovic

    Monday, August 5, 2013 10:06 PM
  • Yes, when everything is in place it should work for you.
    It is really not that much....just change the URLs and make a DNS change. This is all explained in the TechNet Session I added a link to in my previous post. It is really a good one so check it out.

    Martina Miskovic

    Monday, August 5, 2013 10:26 PM

All replies

  • Hi Shaun,

    Please make sure you've completed all the steps in this topic - http://technet.microsoft.com/en-us/library/jj218640(EXCHG.150).aspx. Specifically, step 6.


    Dame Luthas | thelifestrategist.wordpress.com

    Success is Something you Attract by the Person you Become

    If this post is useful, please hit the green arrow on the left & if this is the answer hit "mark as answer"

    • Proposed as answer by Dame Luthas Monday, August 5, 2013 3:46 PM
    Monday, August 5, 2013 3:46 PM
  • Hi,
    Autodiscover should be moved to EX13 before you move any mailboxes and it is also important that you have replaced the self-signed certificate with a certificate your clients trusts.


    Besides from the above, you also need to make sure that the Outlook are at the minimum supported (for Exchange 2013) patch level. That will mean:

    Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000)

    Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000)

    If that isn't the case, Outlook will not be able to connect to Exchange 2013.



    Martina Miskovic

    Monday, August 5, 2013 5:26 PM
  • Hi Guys,

    Thanks for the suggestions.

    With the SSL certificate do you need to registered the internal server name server.contso.com with an CA or can you just register the external mail.contso.com. I have imported the mail.contso.com SSL certificate and assigned it the following services SMTP, IMAP, POP and IIS. On the the virtual directories external and internal site is set as the same. 

    Added DNS cname records for autodiscover and mail.

    All Outlook clients are on the correct level.

    Despite all this the problem is still occuring

    When running the Remote Connectivity Analyzer. Receive the below error:

    Testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
      An error occurred while testing the NSPI RPC endpoint.
     
    Test Steps
     
    Attempting to ping RPC endpoint 6004 (NSPI Proxy Interface) on server exch-server.contso.com
      The attempt to ping the endpoint failed.
       <label for="testSelectWizard_ctl12_ctl06_ctl08_ctl00_tmmArrow">Tell me more about this issue and how to resolve it</label>
     
    Additional Details

    The RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime process

    • Edited by Shaun_Ec Monday, August 5, 2013 8:49 PM
    Monday, August 5, 2013 8:34 PM
  • If you are using Split-DNS, you don't need to add the internal server FQDN name in the certificate.
    Just make sure that you change all URLs, change the AutoDiscoverServiceInternalUri and configure the Internal- and ExternalHostname for Outlook Anywhere to be the same.

    Both mail.contoso.com and autodiscover.contoso.com should point the Exchange 2013 Server.

    Martina Miskovic

    Monday, August 5, 2013 8:44 PM
  • Were not using Split DNS. Do we still need an SSL certificate for internal server FQDN name.

    Tried setting both mail.contoso.com and autodiscover.contoso.com  but problem still occurs, changed it back to Exchange 2010. As most of our mailboxes on Exchnage 2010 had to set it back again url - mail.contoso.com/exchange

    The RPC error I'm getting can this be related to it? How do I verify AutoDiscoverServiceInternalUri ?





    • Edited by Shaun_Ec Monday, August 5, 2013 9:30 PM
    Monday, August 5, 2013 9:25 PM
  • Hi,
    Exchange 2010 will not proxy or redirect requests to Exchange 2013. That's why you need to point mail and autodiscover to your Exchange 2013 Server.

    With Exchange 2013, Outlook only connects with Outlook Anywhere so whatever name(s) you use for the Internal- and ExternalHostname, the different URLs and AutoDiscoverServiceInternalUr must be in your certificate.

    If you can't use Split-DNS, then PinPoint DNS Zones might be something for you.

    Verify the AutoDiscoverServiceInternalUri with:
    Get-ClientAccessServer | fl Name, AutoDiscoverServiceInternalUri

    Martina Miskovic

    Monday, August 5, 2013 9:40 PM
  • Thanks Martina, Users on exch 2010 are using mail.contso.com/exchange. How can I enable them to still use this URL.
    Monday, August 5, 2013 9:50 PM
  • That legacy URL (/exchange) was used in Exchange 2003 and will not work for Exchange 2013.
    Inform your users to start using https://mail.domain.com/owa or only https://mail.domain.com (/owa will be added automatically)

    Greg Taylor from Microsoft held a session at TechNet NA, that I highly recommend everyone to see. It has a lot of good information on what to think about when it comes to the CAS Role and Coexistence (link below)

    Microsoft Exchange Server 2013 Client Access Server Role
    http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/OUC-B313#fbid=kbksvTyvK5o


    Martina Miskovic

    Monday, August 5, 2013 10:06 PM
  • Thanks for your help. It looks like I'm going to be a popular fella. I'll need to communicate this with the organisation about the change.

    Going to register my internal servers FQDN with the CA.

    Once all this is changed this will resolve my authentication problems?

    Monday, August 5, 2013 10:20 PM
  • Yes, when everything is in place it should work for you.
    It is really not that much....just change the URLs and make a DNS change. This is all explained in the TechNet Session I added a link to in my previous post. It is really a good one so check it out.

    Martina Miskovic

    Monday, August 5, 2013 10:26 PM