Outlook Anywhere on Windows XP Clients running Outlook 2010 continually getting password prompt.

    Question

  • I have a few Windows XP clients in the field with Outlook 2010 on them.   When they try to access our mail server using Outlook Anywhere (RPC over HTTP) they continually get prompted for credentials and none are accepted.   We don't have any reported issues with Vista or Win 7 machines.   What could this possibly be?

     

    Tuesday, April 12, 2011 3:12 PM

Answers

  • Hi

    In XP you have to configure the common name of the certificate (the name after “Issued To”) after the “msstd:” in the user’s profile. Otherwise, Outlook will repeatedly prompt for a password. XP is not willing to look at the next lines on a SAN certificate, but Windows Vista/7 is. And we should use the command to set the Outlook provider as well: Set-OutlookProvider EXPR -CertPrincipalName:"msstd:yourdomain"

                   You can read these two threads about your issue.
                   Outlook Anywhere on Windows XP repeatedly prompts for password
                   Exchange 2010+Outlook Anywhere+Windows XP not working together

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, April 13, 2011 8:28 AM
    Moderator
  • I'm convinced this is an issue with our SSL certificate.   The SAN (subject alternative name)  on our certificate starts with domain.com rather than mail.domain.com  which I believe is the source of the issue.   Windows XP doesn't search the SAN field beyond the first entry.  Windows Vista and 7 seem to support multiple strings in the SAN field on the certificate.

     

     

    Friday, April 15, 2011 4:28 PM
  • To expand on my findings.   It appears that Windows XP does not support what most 3rd Party SSL Authorities call a "Star" or "Wildcard" certificate.    The certificate is built with the following Subject Alternative Names:

     

    *.domain.com

    domain.com

    server.domain.com

     

    Apparently XP doesn't look much further than the 1st SAN line to get a "match" to the certificate. Vista and 7 do. So the wildcard cert works fine for those clients. The fix is to purchase a "UC" (Unified Communications) certificate. The SAN lines on those do not contain the wildcard and are usually built in the following order for Exchange 2010:

     

    mail.domain.com

    autodiscover.domain.com

     

    Installing the UC certificate on our Exchange server fixed the issue.  

     

    See this KB article for UC Certificate Vendors: http://support.microsoft.com/kb/929395

    Thursday, April 21, 2011 1:26 PM

All replies

  • I originally thought that was the issue.. so I've done the above listed command.. and the situation persists.

     

    Wednesday, April 13, 2011 2:39 PM
  • Hi
    1. You can read this article and check your Outlook settings on Windows XP.
    2. It is a similar discussion about your issue. Maybe you can get help from there.
    3. Is Outlook > Account Settings > Microsoft Exchange Settings > Security tab > "Always prompt for logon credentials" unchecked?
    4. Update the XP OS to SP3, install all the patches, and check the user name and password format.


    Thursday, April 14, 2011 2:07 AM
    Moderator
  • Thanks for posting your answer.
    Friday, April 22, 2011 1:45 AM
    Moderator
  • I realize this question is marked as answered, but I just wanted to add my experience.

     

    We were able to use the wildcard cert by setting CertPrincipalName to "msstd:*.domain.com".

     

    Rick

    Friday, May 13, 2011 3:33 PM
  • Thanks Rick!

    Your contribution solved my problem.
    I too use a wildcard certificate on my UAG server where the Exchange web services are published.
    I was breaking my head over this, until I noticed the difference between W7 and XP.

    This led me to this post and to your comment.
    I don't have any rights on the Exchange organizational level, so I can't change the certificate principal name. But I added "msstd:*.mydomain.ext" to a Group Policy and bingo..... connected.

    John

    Wednesday, May 02, 2012 12:39 PM
  • I know this is an old thread but I thought I'd post this update for Exchange 2013 since this comes up pretty quick when you search for this issue. Took me quite a bit of research to figure this out, so hopefully it will help anyone who has Exchange 2013 with Windows XP clients.

    In Exchange 2013, setting the value for EXPR will only affect connections from EXTERNAL Outlook clients. For internal clients, you need to set the value for EXCH:

    Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.domain.com

    (this is for a wildcard cert; you can put in your own CPN as needed).

    Tuesday, May 14, 2013 4:48 PM
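
The certificate-name behaviour reported across this thread, as an added example that is not part of any post above: a small Python model that takes the names on a certificate in order, the host Outlook connects to, and a CertPrincipalName value, and shows which client style would accept it. The first-entry-only rule for XP is the posters' observation, not documented Microsoft behaviour, and all function names are hypothetical.

```python
"""Added illustration: model of the name matching reported in this thread.

Assumption taken from the posts, not from Microsoft documentation: an XP
client compares the msstd: value only with the FIRST name on the certificate,
while Vista/7 clients try every SAN entry, wildcards included.
"""

# Constructed sample data: the two SAN orders quoted in the thread.
WILDCARD_CERT = ["*.domain.com", "domain.com", "server.domain.com"]
UC_CERT = ["mail.domain.com", "autodiscover.domain.com"]


def wildcard_match(pattern, host):
    """'*' is honoured only as the whole left-most label and covers one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]  # e.g. ".domain.com"
    prefix = h[: -len(suffix)]
    return h.endswith(suffix) and prefix != "" and "." not in prefix


def first_entry_accepts(cert_names, cert_principal_name):
    """XP-style check (as reported): literal compare against the first name."""
    scheme, _, expected = cert_principal_name.partition(":")
    if scheme.lower() != "msstd" or not cert_names:
        return False
    return expected.lower() == cert_names[0].lower()


def any_san_accepts(cert_names, host):
    """Vista/7-style check (as reported): any SAN entry may match the host."""
    return any(wildcard_match(name, host) for name in cert_names)


def diagnose(cert_names, host, cert_principal_name):
    """Summarise both checks and the msstd: value that the first name implies."""
    return {
        "xp_first_entry": first_entry_accepts(cert_names, cert_principal_name),
        "vista_7_any_san": any_san_accepts(cert_names, host),
        "suggested_cpn": "msstd:" + cert_names[0] if cert_names else None,
    }


if __name__ == "__main__":
    for cpn in ("msstd:mail.domain.com", "msstd:*.domain.com"):
        print("wildcard cert,", cpn, diagnose(WILDCARD_CERT, "mail.domain.com", cpn))
    print("UC cert", diagnose(UC_CERT, "mail.domain.com", "msstd:mail.domain.com"))
```

Under this model the wildcard certificate fails the XP-style check with `msstd:mail.domain.com` and passes with `msstd:*.domain.com`, while the UC certificate passes both checks without a wildcard principal name.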