Mac Outlook 2011 authentication failure

  • Question

  • Since the MS updates of March 2015, I've not been able to log on to my Exchange 2007 account with Outlook 2011 (on OS X Yosemite, not joined to an AD domain). I can log on using Thunderbird or OWA, and other users seem to be able to log on using their clients (mostly Windows clients).

    The Exchange server is running Windows 2008 Server. On the server side the event reads

    - System

      - Provider

       [ Name]  Microsoft-Windows-Security-Auditing
       [ Guid]  {[my-guid]}
     
       EventID 4625
     
       Version 0
     
       Level 0
     
       Task 12544
     
       Opcode 0
     
       Keywords 0x8010000000000000
     
      - TimeCreated

       [ SystemTime]  2015-03-16T12:37:02.515Z
     
       EventRecordID 8662389
     
       Correlation
     
      - Execution

       [ ProcessID]  592
       [ ThreadID]  720
     
       Channel Security
     
       Computer [my server name]
     
       Security
     

    - EventData

      SubjectUserSid S-1-0-0
      SubjectUserName -
      SubjectDomainName -
      SubjectLogonId 0x0
      TargetUserSid S-1-0-0
      TargetUserName [my_username]
      TargetDomainName LTKM
      Status 0xc000006d
      FailureReason %%2304
      SubStatus 0x0
      LogonType 3
      LogonProcessName NtLmSsp  
      AuthenticationPackageName NTLM
      WorkstationName LTKM
      TransmittedServices -
      LmPackageName -
      KeyLength 0
      ProcessId 0x0
      ProcessName -
      IpAddress [my_ip]
      IpPort 53838

    Thoughts?

    Monday, March 16, 2015 12:51 PM
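Added example (not part of the original post and not Microsoft tooling): a small Python parser for the EventData lines of a 4625 event as pasted above. It decodes Status, SubStatus and LogonType to separate credential and account-state failures from a generic NTLM failure. The sample input is constructed from the fields in the question, and the category names are assumptions for illustration.

```python
import re

# Constructed sample: EventData fields copied from the 4625 event in the question.
SAMPLE = """\
TargetDomainName LTKM
Status 0xc000006d
SubStatus 0x0
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
"""

# Well-known NTSTATUS values that appear in the Status/SubStatus fields of 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def parse_event_data(text):
    """Turn 'Name value' lines from Event Viewer's friendly view into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def triage_4625(fields):
    """Decode the status fields and sort the failure into a triage category."""
    status = int(fields.get("Status", "0"), 16)
    sub = int(fields.get("SubStatus", "0"), 16)
    package = fields.get("AuthenticationPackageName", "-")
    # Category names are illustrative assumptions, not Windows terminology.
    if sub in (0xC000006A, 0xC0000064):
        category = "credentials"
    elif sub in (0xC0000072, 0xC0000234):
        category = "account-state"
    elif status == 0xC000006D and package == "NTLM":
        category = "generic-ntlm-failure"
    else:
        category = "unclassified"
    return {
        "status": NTSTATUS.get(status, hex(status)), "sub_status": NTSTATUS.get(sub, hex(sub)),
        "logon_type": LOGON_TYPES.get(int(fields.get("LogonType", "0")), "Unknown"),
        "package": package, "category": category,
    }
```

A SubStatus of 0x0 alongside STATUS_LOGON_FAILURE means the event records no specific reason such as a wrong password or unknown user, which is why this event lands in the generic NTLM category.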

Answers

  • I just went through the same thing. I have a Windows 2008 domain AD. There is an update that came down on Tuesday

    http://windowsitpro.com/patch-tuesday/patch-tuesday-kb3002657-causing-authentication-problems-exchange-other-apps

    It affects the netlogon and hampers NTLM and basic authentication. Since Macs work really well with Kerberos authentication, I just kicked up the authentication a notch.

    On my user accounts, I chose authentication using AES-256 Kerberos because it matched my certificate on my server. You may have to experiment with either 3DES or AES-128 depending on the certificate. Outlook 2011 for Mac uses the virtual directory of EWS. When I authenticate using Outlook, I chose to use Kerberos authentication, not domain\username. I also have the LDAP server on the advanced features populated, usually your main DC carrying your Master Roles, and made sure you have authentication checked. I also made sure in the encryption section you have 3DES checked (most compatible). My Macs are bound to the domain so my users log into the domain using domainname\username. This brings the Kerberos straight through to the Outlook environment. Once I figured out that NTLM and basic authentication were hampered by the update, I went about configuring Kerberos to use with Outlook 2011 for Mac.

    I hope this helps

    Carlos

    Monday, March 16, 2015 9:36 PM

All replies

  • Hi,

    Since other users are able to log on, this issue may be caused by the security patch on the authentication.

    I suggest re-installing the Outlook client or switching to another PC to check this issue. If you can log on via another client, then it's an authentication problem on your client.

    Best Regards.



    Lynn-Li
    TechNet Community Support

    Tuesday, March 17, 2015 9:13 AM
    Moderator