Outlook Anywhere on Windows XP repeatedly prompts for password

    Question

  •  

    Hello all.

     

    Outlook Anywhere (RPC over HTTPS) doesn't work on Windows XP clients. Outlook simply prompts for password again and again. However, Outlook Anywhere works perfectly on Vista clients.

     

    Exchange servers are Exchange 2007 SP 1 with the latest Update Rollup 2 on Windows Server 2003. Clients are Windows XP SP 3 with Office 2007 SP1, fully patched.

     

    If I publish Outlook Anywhere through ISA 2006 and set Outlook to connect through that, the exact same issue remains. ISA is configured to use a web listener with basic authentication and is meant for ActiveSync clients due to certificate limitations on mobile devices.

     

    I have tried all the different LMCompatibility levels on the client as mentioned in this Knowledge Base article. No luck whatsoever.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;820281

     

    The RPC virtual directories on CAS servers are set to allow both NTLM and Basic authentication. Autodiscover service defines NTLM as the authentication method. Outlook clients are naturally manually configured to try both authentication methods and ISA server.

     

    I'm going to do a little more testing in a testing environment where the Windows XP clients worked a few months back when last tried. Anyway, all helpful hints are more than welcome!

    Friday, June 13, 2008 10:46 AM


All replies

  •  

    Dear customer:

     

    In order to better troubleshoot the issue, I want to confirm the following information with you:

     

    1. On the Exchange server 2007, run the following commands, and send the .txt files to v-rocwan@microsoft.com:

     

    get-exchangecertificate | fl * >c:\cert.txt

    Get-OutlookAnywhere -Server servername | fl * >c:\outlookany.txt

     

    2. On the problematic client, open Outlook 2007, navigate to the Outlook Anywhere settings, click Exchange Proxy Settings, and send a screenshot of it to v-rocwan@microsoft.com.

     

    3. If you disable ISA server 2006, can you connect to Exchange server 2007 when using Outlook 2007 with RPC over HTTP? Please let me know the result.
    4. Download Microsoft Windows Server 2003 Resource Kit Tools from the following link, and install the tool on the problematic Windows XP client.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

    5. Open a command prompt, navigate to the directory where the tool is installed, run the following command, and send the result to the forum.

     

    rpcping -t ncacn_http -s ExchServer -o RpcProxy=RPCProxyServer -P "user,domain,*" -I "user,domain,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

     

    Note: please replace the parameters such as RPCProxyServer, User, and domain with the actual name.

     

    For more information about RPCPING utility, you can refer to the following article:

    How to use the RPC Ping utility to troubleshoot connectivity issues with the Exchange over the Internet feature in Outlook 2007 and in Outlook 2003

    http://support.microsoft.com/kb/831051/en-us

     

    6. On Exchange server 2007, run the ExBPA tool according to the following steps, and send the .xml file to v-rocwan@microsoft.com:

     

    a)       Open EMC, Open EXBPA from toolbox;

     

    b)      Connect to Active Directory;

     

    c)       Input the name of DC; make sure you are using Exchange Administrator account and Domain User account

     

    d)      Click "Connect to the Active Directory Server"

     

    e)      Select entire Organization as the Scan Scope, type "Health Check"

     

    f)       Click "Start Scanning"

     

    g)      When the scan finishes, Click "View a report" in the left pane and click the report in the right pane

     

    h)      Click "Export report", select the type as XML (will save entire data file).

     

    i)        Compress the XML and send it to v-rocwan@microsoft.com.

     

    Thanks for your cooperation. If anything is unclear, please feel free to let me know.

     

    Rock Wang – MSFT

    Wednesday, June 18, 2008 11:08 AM
  •  Rock Wang– MSFT wrote:

    If you disable ISA server 2006, can you connect to Exchange server 2007 when using Outlook 2007 with RPC over HTTP? Please let me know the result.

     

    By default we are not using ISA for Outlook Anywhere, i.e. I cannot connect with ISA disabled.

     

    I just tried to publish Outlook Anywhere through ISA to rule out some possible causes like certificate issues. It was quick enough to test as we already had ISA in place that's used solely for ActiveSync.

     

     Rock Wang– MSFT wrote:

    Open a command prompt, navigate to the directory where the tool is installed, run the following command, and send the result to the forum.

    rpcping -t ncacn_http -s ExchServer -o RpcProxy=RPCProxyServer -P "user,domain,*" -I "user,domain,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

     

    Here are the results for both an actual server and the CAS NLB cluster:

     

    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 3

    RPCPinging proxy server cas-1.tbwa.fi with Echo Request Packet
    Sending ping to server
    Response from server received: 200
    Pinging successfully completed in 370 ms

     

    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 3

    RPCPinging proxy server cas.tbwa.fi with Echo Request Packet
    Sending ping to server
    Response from server received: 200
    Pinging successfully completed in 411 ms

     

     Rock Wang– MSFT wrote:

    Thanks for your cooperation. If anything is unclear, please feel free to let me know.

     

    Likewise.

     

    I just emailed you the extra information requested.

     

    Thanks in advance.

    Thursday, June 19, 2008 9:39 AM
  •  

    Dear customer:

     

    Thanks for your reply.

     

    From the outlookany log file, I found the following information:

     

    ExternalHostname           : cas.tbwa.fi

    ClientAuthenticationMethod : Ntlm

    IISAuthenticationMethods   : {Basic, Ntlm}

     

    You can try the following methods to fix the issue:

    1. On the CAS server, run the following command to set ClientAuthenticationMethod to Basic:

     Set-OutlookAnywhere -Identity:"CAS01\Rpc (Default Web Site)" -ClientAuthenticationMethod:Basic

    2. Open Outlook 2007, in Microsoft Exchange Proxy Settings, uncheck the “only connect to proxy servers that …” option, and under proxy authentication settings, select basic authentication.

    3. Restart Outlook 2007 and check the effect. Please let me know the result.

     I hope the information above can address your concerns. If anything is unclear, please feel free to let us know.

     

    Rock Wang - MSFT

    Thursday, June 19, 2008 11:00 AM
  • Hello there.

     

    Thanks for the suggestion but I've already tried out the first one. Only difference is that with basic authentication the "Save password" tick box is unavailable at the Outlook password prompt.

     

    However, I haven't tried unchecking the "Only connect to proxy servers that have this name in their certificate" option. I will look more into that on Monday once I'm back at work and I'll let you know how it went.

     

    Thursday, June 19, 2008 1:52 PM
  •  Rock Wang– MSFT wrote:

     

    On the CAS server, run the following command to set ClientAuthenticationMethod to basic,

     

    Open Outlook 2007, in Microsoft Exchange Proxy Settings, uncheck “only connect to proxy servers that …” option, and under proxy authentication settings, select basic authentication.

     

    OK. I just tried with the following permutation:

     

    Exchange/ClientAuthenticationMethod: Basic

    Outlook/Only connect to proxy servers... *unchecked*

    Outlook/Proxy authentication settings: Basic

     

    Alas the issue remains.

    Tuesday, June 24, 2008 6:41 AM
  •  

    Dear customer:

     

    Thanks for your reply.

     

    Since I don't know how you ran the RPCPing command, please provide me with the following information:

    1.     Send the entire command that you ran on your problematic Windows XP client to v-rocwan@microsoft.com.

    2.     Did you input the password when you ran the command?

    3.     Do all Windows XP machines encounter the issue, or only this machine? On another Windows XP client with the same account and configuration, check the effect; please let me know the result.

    4.     Check whether the firewall is enabled on the problematic Windows XP client.

    5.     Do a clean boot on the problematic Windows XP client, and then check the effect.

     

    For more information about clean boot, please refer to the following documents:

    How to configure Windows XP to start in a "clean boot" state

    http://support.microsoft.com/kb/310353

     

    6.     On the client computer, start Internet Explorer, type the fully qualified domain name (FQDN) address in Internet Explorer, and then click Go.

     

    For example, type: https://mail.contoso.com/rpc

     

    7.     Send the screenshot of the result to v-rocwan@microsoft.com.

     

    Thanks for your cooperation. If anything is unclear, please feel free to let me know.

     

    Rock Wang - MSFT

    Tuesday, June 24, 2008 11:38 AM
  • Hello again.

     

    1. The entire command was:

     

    Code Snippet
    rpcping -t ncacn_http -s cas.tbwa.fi -o RpcProxy=cas.tbwa.fi -P "teemut,tbwa,*" -I "teemut,tbwa,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

     

     

    2. I did input the password two times, for both the server and the rpc/http proxy.

     

    3. All Windows XP machines suffer from the issue. We do have only 10 WinXP machines though. In fact the testing is done on a virtual machine as a brand new install to test this particular issue. RPCPing run on another problematic client just replies with the same:

    Response from server received: 200

    Pinging successfully completed in 391 ms

     

    4. Windows Firewall is disabled on the testing computer. No 3rd party firewall installed.

     

    5. Rebooted numerous times. No effect.

     

    6. and 7. Screenshot taken and sent to you. If I enter username and password three times there, it ends up at an error page.

    Tuesday, June 24, 2008 1:19 PM
  • Dear customer:

     

    From your screenshot, I want to confirm the following information with you:

     

    1. Did you install the Mailbox server role on the CAS server? If not, please input the mailbox server name after the -s parameter when you run the RPCPing command.


    2. On CAS server, open IIS manager, navigate to default web site, right click it, select properties, click the Directory Security tab, and then click View Certificate, click general, send the screenshot of it to me,


    3. Click detail tab, click thumbprint, send the screenshot of it to me,


    4. Click subject alternative name, send the screenshot of it to me.


    5. Navigate to Rpc virtual directory, right-click Rpc, and then click Properties,


    6. Click the Directory Security tab, and then click Edit under Authentication and access control. Send the screenshot of it to me.


    7. Click Web Service Extensions, in the right pane, click RPC Proxy Server Extension, and then click Properties.


    8. Confirm that the path of the Rpcproxy.dll file is correct. The correct location is the following:


    %systemroot%\system32\rpcproxy\rpcproxy.dll


    9. Please also collect an ExBPA report of the CAS server by using Exchange Best Practice Analyzer tool in Exchange Management Console > Toolbox, to run a health check. Export the report to an .XML file, compress into a .zip file and send to me.


    Note: I need the XML format file as this is the only format I can use to get a full view of the report directly.


    The information collected above is very important to the troubleshooting of this Outlook Anywhere issue. If you have any result, please feel free to let me know.


    Rock Wang - MSFT

     

     

    Wednesday, June 25, 2008 1:40 PM
  • Hi hi.

     

    1. Mailbox role resides on another server. I did try rpcping command with "-s mailboxserver" -switch but the result was all the same. Result number 200 and time between 300 and 500 ms. It seemed to ping the RPC proxy server no matter what's set as the Exchange server. Working as intended I assume.

     

    2-6. Screenshots emailed.

     

    7. and 8. Yeah, the path is correct. With %systemroot% replaced by the actual path though.

     

    9. ExBPA report emailed.

     

    Big thanks for your patience!

     

    Thursday, June 26, 2008 12:19 PM
  •  

    Can you browse the website from outside using the rpc directory?

    For example, if your site is published as mail.test.com, try accessing mail.test.com/rpc. If you are being asked for repeated authentication, then let me know.

     

    Saturday, June 28, 2008 11:29 AM
  •  

    Dear customer:

     

    From your screenshots, it seems normal.

     

    I noticed that the Autodiscover service defines NTLM as the authentication method. Please change the Autodiscover authentication method to Basic, and check the effect. Please let me know the result.

     

    Additionally, please help collect the following information:

     

    1.     On the CAS, open IIS manager, right-click the default web site, select Properties, click Web Site, select the Enable Logging option, click Properties, click the Advanced tab, and select all items below.

    2.     Stop the default web site, and rename the old file located in the C:\WINDOWS\system32\LogFiles\W3SVC1 folder.

    3.     Reproduce the issue, and send the new iis log file to me.

    4.     On the CAS, run the following command, send the txt file to me:

     

    Get-OutlookProvider EXPR | fl >c:\outlookprovider.txt

    5.     Send the LMCompatibility registry value of problematic client and CAS server to the forum.

     

    Thanks for your time and cooperation.

     

    Rock Wang - MSFT

    Saturday, June 28, 2008 12:43 PM
  •  

    Hi all.

     

    @ salman gilani

     

    I can't really browse the rpc directory. On both Windows XP and Vista clients using Internet Explorer 7 the browser asks three times for credentials then displays "Error: Access is Denied." error page.

     

    @ Rock Wang - MSFT

     

    Even with Basic as the Autodiscover advertised authentication method the issue still remains. The only visible difference is that clients using autodiscover configuration (i.e. basic) are missing the save password checkbox.

    1.-3. The log file emailed. The log file didn't seem to have anything related to the rpc, plenty of noise from Entourage clients though.

    4. Outlookprovider.txt file emailed.

    5. The registry values are the following:

    cas\lmcompatibilitylevel is 2

    client\lmcompatibilitylevel is 2

     

    Monday, June 30, 2008 1:39 PM
  •  

     

    Did you try to log in from any other XP machine which has a different service pack configuration?

    Are you using a different internal domain name than external?

    Tuesday, July 01, 2008 8:46 AM
  •  

    Dear customer

     

    According to certificate-general.JPG, I found the following information:

     

    Issued to: cas-1.tbwa.fi

    The mutual authentication in the browser was configured for msstd:cas.tbwa.fi but the certificate subject was only issued to “cas-1.tbwa.fi”. Since the mutual authentication only works with the value in the “Subject” field of a certificate, the SSL negotiation failed.

    Please try the following suggestion, and check the effect.

    1.     Configure the CertPrincipalName on the EXPR provider using the Set-OutlookProvider cmdlet.

    2.     Check the effect.

     

    Hope it helps.

     

    Rock Wang - MSFT

    Tuesday, July 01, 2008 9:49 AM
  • Bingo! That's the solution.

     

    Feel kind of stupid now actually as I found more topics discussing the same issue with the same proper solutions:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2458873&SiteID=17

    http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845%2D88d2%2D4091%2D8088%2Da6bbce0a4304&ID=278

     

    Anyway, as the certificates on the CAS servers are issued to the host names, not to the cluster name, I am required to disable CertPrincipalName by setting it to none. I don't think that is a significant security issue for us, and it is much less troublesome than revoking and reissuing the actual certificates.

     

    Code Snippet

    Set-OutlookProvider EXPR -Server $null -CertPrincipalName none

     

     

    Thank you!

     

    • Proposed as answer by Ilantz Tuesday, February 08, 2011 3:39 PM
    Wednesday, July 02, 2008 6:52 AM
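
The comparison behind the accepted answer, as an added example that is not part of the original thread: it takes certificate dicts shaped like the output of Python's `ssl` `getpeercert()` and reports, per CAS node, whether the Subject CN matches the msstd principal name. The Subject-only rule and the effect of `none` are taken from the posts above; the "san-added" and "reissued" certificates and all function names are constructed for illustration.

```python
# Added example: per-node check of the msstd principal name against the
# certificate Subject, following the Subject-only rule stated in the answer.
MSSTD_PREFIX = "msstd:"

def principal_host(cert_principal_name):
    """Host part of an 'msstd:host' value; None when set to 'none' (check disabled)."""
    value = cert_principal_name.strip().lower()
    if value == "none":
        return None
    if value.startswith(MSSTD_PREFIX):
        value = value[len(MSSTD_PREFIX):].strip()
    if not value:
        raise ValueError("empty principal name")
    return value

def subject_cn(cert):
    """commonName from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                return val.lower()
    return None

def san_dns(cert):
    """Lower-cased DNS entries of the subjectAltName extension."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}

def check_node(cert_principal_name, cert):
    expected = principal_host(cert_principal_name)
    if expected is None:
        return "unchecked"      # 'none': per the thread, the name check is disabled
    if subject_cn(cert) == expected:
        return "match"
    if expected in san_dns(cert):
        return "san-only"       # name is in the certificate, but not in Subject
    return "mismatch"

def audit(cert_principal_name, node_certs):
    """Verdict per node; anything but 'match' deserves a look before rollout."""
    return {n: check_node(cert_principal_name, c) for n, c in node_certs.items()}

def _cert(cn, *sans):
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}

# Constructed sample data: only the "as-issued" Subject comes from the thread.
NODE_CERTS = {
    "as-issued": _cert("cas-1.tbwa.fi"),
    "san-added": _cert("cas-1.tbwa.fi", "cas-1.tbwa.fi", "cas.tbwa.fi"),
    "reissued": _cert("cas.tbwa.fi", "cas.tbwa.fi", "cas-1.tbwa.fi"),
}

if __name__ == "__main__":
    for principal in ("msstd:cas.tbwa.fi", "none"):
        print(principal, audit(principal, NODE_CERTS))
```

An "unchecked" verdict means the client connects without comparing the proxy certificate's name, which is the trade-off the original poster accepted instead of reissuing certificates to the cluster name.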