locked
Exchange 2010 SP2 sporadic password prompts not affecting all users, Outlook 2010 RRS feed

  • Question

  • Hello,

    I have been asked to look at a clients exchange environment, this environment has been a bit of a nightmare, all in all they had 3 different consultants configure different parts of the environment and things are a little on the messy side.

    2 CAS servers EXCAS1 and EXCAS2 in an array named CASARRAY. Two mailbox servers EXMBX1 and EXMBX2 in a DAG.

    They are not using Outlook Anywhere, their remote users VPN into the network.

    OAB down

    Autodiscover succeeds as follows:

    SMTP=admin@example.com
    
    Attempting URL https://casarray.contoso.com/autodiscover/autodiscover.xml found through SCP
    
    Autodiscover to https://casarray.contoso.com/autodiscover/autodiscover.xml starting
    
    getlasterror=0; httpstatus=200.
    
    Autodiscover to https://casarray.contoso.com/autodiscover/autodiscover.xml Succeeded (0x00000000)

    Symptoms :

    Password prompt when opening outlook, at first cancelling this would occasionally lock out the user account. I have since deployed kerberos and this can now be cancelled without affecting outlook usage.

    Password prompt when clicking on public folders before kerberos you could not access the folders if this was cancelled, now even if cancelled it functions fine.

    If a computer is rebooted, the credentials cleared (credential manager), klist purge and outlook profile repaired. The machine runs perfectly with no password prompts for approximately half an hour and then the issue begins to recurs. 

    What I have done so far......

    Confirmed all virtual directories are set to windows authentication with ignore SSL. I also recreated the autodiscover directory from scratch.

    Deployed Kerberos to the CAS array - since this has been done the password prompts no longer affect access or lock out accounts but they are still a major annoyance.

    Set the CASARRAY RPCclientaccess to encryption required and restarted the RPC and AB services.

    The addressbook logging shows kerberos as the authentication method but I found it unusually that some log entries were from contosogroup/contoso/recipients and some were from contosogroup/exchange administrative group/recipients .

    Now I know that there was a botched outlook 2003 decommissioning by a previous consultant and I have attempted to remedy to the best of my abilities, (ADSI, Registry, Manual Removal, etc etc) but I believe something may still remain somewhere.

    If anyone has any questions I am ready and willing to try pretty much anything to get this resolved.

    I really appreciate any input anyone has on these issues as I am rapidly running out of ideas.

    Regards,

    Adam Cooperman - MCP - MCSA - MCSE - MCTS x 4

    Thursday, December 20, 2012 3:48 PM

All replies

  • Hi,

    The fact of having account lock out problem confirm that clients are trying to connect with incorrect password. It is most likely related to cashed credential.

    Open Control Panel > User Accounts > Manage Your Credentials > Look under Generic Credentials.

    Edit: MS.Outlook:username@domainname:PUT and change the password.

    check also this article:

    http://www.askdrtech.com/solutions/post/Fix-For-Outlook-2007-Constantly-Asking-for-Password.aspx

    • Proposed as answer by Amine.G Friday, December 21, 2012 7:43 AM
    • Unproposed as answer by Adam Cooperman Friday, December 21, 2012 9:34 AM
    Thursday, December 20, 2012 11:58 PM
  • We have tried clearing credential manager and it has made no difference. Since kerberos has been deployed the accounts no longer lock out but the prompts still exist.

    Please let me know if you have any other ideas

    Friday, December 21, 2012 9:35 AM
  • Take a netmon and see whatthat says?

    Are you sure the PF DB in not causing this?

    Do the Aemail auto-config test and see if allnpass.

    u


    Sukh

    Friday, December 21, 2012 10:44 AM
  • Enable Audit account logon events (failure only) to identify what is trying to logon with incorrect credential (account lock out)

    Friday, December 21, 2012 1:22 PM
  • Adam-

    Since they are using a CAS Array, do they have a load balancer in place or are they changing DNS records in the event of a server failure?  Are you seeing any errors in the event viewer of the CAS server(s)?  Also, I might have missed this but are these VM's or physical servers?

    Saturday, December 22, 2012 2:44 PM
  • Ok I have done some further research into this issue, it appears I can access the OAB in IE when accessing the CASARRAY but going directly to either member gives an authentication prompt. (edit: this may have been due to an account lockout)

    All machines are VM's (except 2 of the DC's)

    There are audit failures on the exchange servers.

    I took Sukh828's advice and I have run a NETMON here is the result.

    TEST - is my test pc

    CASARRAY - is the CASARRAY

    EXCAS1 and EXCAS2 - are the array members

    Contoso.com -  is the domain

    DCxx - are DC's


    151055  07:27:59 08/01/2013        1834.2190475                     TEST          casarray.contoso.com     HTTP      HTTP:Request, GET /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:4055, TCP:4054, IPv4:111}
    151057  07:27:59 08/01/2013        1834.2216638                     casarray.contoso.com     TEST          HTTP      HTTP:Response, HTTP/1.1, Status: Ok, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authentication                {HTTP:4055, TCP:4054, IPv4:111}
    152286  07:28:11 08/01/2013        1846.7942765                     TEST          DC01            KerberosV5        KerberosV5:TGS Request Realm: HRW-UK.LOCAL Sname: HTTP/excas1.contoso.com         {TCP:4078, IPv4:79}
    152288  07:28:11 08/01/2013        1846.7957596                     DC01            TEST          KerberosV5                KerberosV5:KRB_ERROR  - KDC_ERR_CLIENT_REVOKED (18)       {TCP:4078, IPv4:79}
    153368  07:28:22 08/01/2013        1857.2734330                     TEST          DC01            KerberosV5        KerberosV5:TGS Request Realm: HRW-UK.LOCAL Sname: HTTP/excas2.contoso.com         {TCP:4103, IPv4:79}
    153374  07:28:22 08/01/2013        1857.2748805                     DC01            TEST          KerberosV5                KerberosV5:KRB_ERROR  - KDC_ERR_CLIENT_REVOKED (18)       {TCP:4103, IPv4:79}

    Any further assistance would be greatly appreciated.


    Tuesday, January 8, 2013 7:41 AM
  • That KDC_ERR_CLIENT_REVOKED (18) seems to be caused due to a lockout. You can verify this http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx

    Just going over some basic.  Below all good?

    Start Outlook. 2.Hold down the Ctrl key, right-click the Outlook icon in the notification area, and then click Test E-mail AutoConfiguration. 3.Verify that the correct email address is in the E-mail Address box. 4.In the Test E-mail AutoConfiguration window, click to clear the Use Guessmart check box and the Secure Guessmart Authentication check box. 5.Click to select the Use AutoDiscover check box, and then click Test. Make sure that this test is successful and that Outlook can retrieve the correct URLs for the Availability service

    Can you do the Netmon again without the account being locked out?


    Sukh

    Tuesday, January 8, 2013 10:09 AM
  • Autodiscover was not originally configured correctly but since my previous work is now configured correctly and succeeds as expected.

    I am running another netmon now, I will post logs in a second.

    Thanks,

    Adam

    Tuesday, January 8, 2013 10:25 AM
  • Here is the log from restarting outlook and netmon, it shows the response ok for the OAB download.

    7392 10:26:16 08/01/2013 19.9838421 Unavailable casarray.contoso.com TESTVM HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authentication {HTTP:361, TCP:318, IPv4:1809}
    7767 10:26:17 08/01/2013 20.8375502 OUTLOOK.EXE TESTVM casarray.contoso.com MSRPC MSRPC:c/o Request: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x29  Opnum=0xB  Context=0x0  Hint=0xE0 {MSRPC:47, TCP:45, IPv4:1809}
    7785 10:26:17 08/01/2013 20.8585798 OUTLOOK.EXE casarray.contoso.com TESTVM MSRPC MSRPC:c/o Response: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x29  Context=0x0  Hint=0xF4  Cancels=0x0 {MSRPC:47, TCP:45, IPv4:1809}
    7786 10:26:17 08/01/2013 20.8637769 OUTLOOK.EXE TESTVM casarray.contoso.com MSRPC MSRPC:c/o Request: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x2A  Opnum=0xB  Context=0x0  Hint=0xA0 {MSRPC:47, TCP:45, IPv4:1809}
    7787 10:26:17 08/01/2013 20.8685983 OUTLOOK.EXE casarray.contoso.com TESTVM MSRPC MSRPC:c/o Response: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x2A  Context=0x0  Hint=0x5C  Cancels=0x0 {MSRPC:47, TCP:45, IPv4:1809}
    7795 10:26:17 08/01/2013 20.8727562 OUTLOOK.EXE TESTVM casarray.contoso.com MSRPC MSRPC:c/o Request: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x2B  Opnum=0xB  Context=0x0  Hint=0x74 {MSRPC:47, TCP:45, IPv4:1809}
    7799 10:26:17 08/01/2013 20.8822491 OUTLOOK.EXE casarray.contoso.com TESTVM MSRPC MSRPC:c/o Response: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x2B  Context=0x0  Hint=0x68  Cancels=0x0 {MSRPC:47, TCP:45, IPv4:1809}
    7813 10:26:17 08/01/2013 20.9185329 TESTVM casarray.contoso.com HTTP HTTP:Request, GET /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:468, TCP:467, IPv4:1809}
    7816 10:26:17 08/01/2013 20.9217958 casarray.contoso.com TESTVM HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authentication {HTTP:468, TCP:467, IPv4:1809}
    8873 10:26:22 08/01/2013 25.7644440 OUTLOOK.EXE TESTVM casarray.contoso.com MSRPC MSRPC:c/o Request: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x2C  Opnum=0xB  Context=0x0  Hint=0x7C {MSRPC:47, TCP:45, IPv4:1809}
    8875 10:26:22 08/01/2013 25.7661457 OUTLOOK.EXE casarray.contoso.com TESTVM MSRPC MSRPC:c/o Response: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x2C  Context=0x0  Hint=0x5C  Cancels=0x0 {MSRPC:47, TCP:45, IPv4:1809}
    Tuesday, January 8, 2013 10:28 AM
  • After about a minute after outlook started a password prompt appeared.
    Tuesday, January 8, 2013 10:29 AM
  • Here is the log from after the password is entered.

    70993 10:29:48 08/01/2013 232.4293286 OUTLOOK.EXE casarray.contoso.com TESTVM MSRPC MSRPC:c/o Response: Exchange Server STORE EMSMDB Interface {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Call=0x2D  Context=0x0  Hint=0x70  Cancels=0x0 {MSRPC:47, TCP:45, IPv4:1809}
    93354 10:30:23 08/01/2013 267.4897800 TESTVM DC01 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:1174, IPv4:1822}
    93358 10:30:23 08/01/2013 267.4912133 DC01 TESTVM KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_PREAUTH_REQUIRED (25) {TCP:1174, IPv4:1822}
    93431 10:30:23 08/01/2013 267.6174974 TESTVM DC01 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:1175, IPv4:1822}
    93434 10:30:23 08/01/2013 267.6192645 DC01 TESTVM KerberosV5 KerberosV5:AS Response Ticket[Realm: contoso.com, Sname: krbtgt/contoso.com] {TCP:1175, IPv4:1822}
    93457 10:30:24 08/01/2013 267.6592992 TESTVM DC01 KerberosV5 KerberosV5:TGS Request Realm: contoso.com Sname: HTTP/casarray.contoso.com {TCP:1177, IPv4:1822}
    93460 10:30:24 08/01/2013 267.6622422 DC01 TESTVM KerberosV5 KerberosV5:TGS Response Cname: acooperman {TCP:1177, IPv4:1822}
    93464 10:30:24 08/01/2013 267.6626824 Unavailable TESTVM casarray.contoso.com HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:1161, TCP:1160, IPv4:1809}
    93470 10:30:24 08/01/2013 267.6653526 Unavailable casarray.contoso.com TESTVM HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authentication {HTTP:1161, TCP:1160, IPv4:1809}
    93594 10:30:24 08/01/2013 267.8915907 TESTVM DC01 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:1180, IPv4:1822}
    93597 10:30:24 08/01/2013 267.8952836 DC01 TESTVM KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_PREAUTH_REQUIRED (25) {TCP:1180, IPv4:1822}
    93610 10:30:24 08/01/2013 267.9092210 TESTVM DC01 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:1181, IPv4:1822}
    93611 10:30:24 08/01/2013 267.9114271 DC01 TESTVM KerberosV5 KerberosV5:AS Response Ticket[Realm: contoso.com, Sname: krbtgt/contoso.com] {TCP:1181, IPv4:1822}
    93622 10:30:24 08/01/2013 267.9123417 TESTVM DC01 KerberosV5 KerberosV5:TGS Request Realm: contoso.com Sname: HTTP/casarray.contoso.com {TCP:1182, IPv4:1822}
    93624 10:30:24 08/01/2013 267.9145268 DC01 TESTVM KerberosV5 KerberosV5:TGS Response Cname: acooperman {TCP:1182, IPv4:1822}
    93628 10:30:24 08/01/2013 267.9148542 TESTVM casarray.contoso.com HTTP HTTP:Request, GET /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:1179, TCP:1178, IPv4:1809}
    93633 10:30:24 08/01/2013 267.9194785 casarray.contoso.com TESTVM HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authentication {HTTP:1179, TCP:1178, IPv4:1809}
    94511 10:30:26 08/01/2013 269.7051387 OUTLOOK.EXE TESTVM casarray.contoso.com NSPI NSPI:Windows stub parser: Requires full Common parsers. See the "How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)" help topic for tips on loading these parser sets. {MSRPC:36, TCP:35, IPv4:1809}

    It appears to be authenticating to DC01 instead of the Casarray for the password prompt. 

    I really have been around the houses with this issue, all help is appreciated.

    Adam

    Tuesday, January 8, 2013 10:32 AM
  • Nothing in there, was Netmon running when you got the prompt?

    Also, can you post the a PIC or describe the password prompt dialogue box?

    Does it say what it's trying to connect to?

    Also, when y ou get the prompt, can you hold Ctrl>Right Click Outlook systray icon and click Connection status and see if you see a connecting...

    Also, hit the reconnect now to see if you get the password prompt?


    Sukh

    Tuesday, January 8, 2013 10:35 AM
  • Login prompt : 

    -Windows Security

    -Microsoft Outlook

    -Connecting to A.cooperman@contoso.com

    -contoso.com\acooperman

    -*Password here*

    -Use another account

    -Ok - Cancel

    Connection Status (password prompt in background): 

    casarray.contoso.com - mail - established

    casarray.contoso.com - mail - established

    EXMBX1.CONTOSO.COM - public folder - established (this is the only one in caps)

    no requests failed

    If I cancel the password prompt connection status remains the same.

    I am not 100 % netmon was filtered correctly so I am recreating the issue with a log now.

    Thanks

    Adam

    Tuesday, January 8, 2013 11:12 AM
  • It also appears to be two separate issues. One seems to be caused by OAB authentication and the other when clicking on public folders (where sometimes an immediate password prompt is received).

    When cancelling the prompt for the OAB the account is locked out and the OAB is not accessible, also outlook shows as needs password even though send and receive functionality is unhindered. After cancelling the prompt generated by OAB you cannot look up addresses.

    Cancelling the public folder prompt seems to have no adverse effects at all, before kerberos was deployed they would be inaccessible if you cancelled the prompt.

    Do you have suggested filters for netmon ? I am currently using authentication and ipv4.address is that adequate for your troubleshooting ? 

    Cheers,

    Adam

    Tuesday, January 8, 2013 11:22 AM
  • Can you check what type of OAB distribution you have > Web based or PF based or both?

    What authentication menthods do you have on OAB?


    Sukh

    Tuesday, January 8, 2013 12:38 PM
  • Web based distribution, windows authentication with kernel mode switched off.

    The Virtual Directory has been converted to an application for the purpose of kerberos.

    Cheers,

    Adam

    Tuesday, January 8, 2013 2:53 PM
  • Just to clarify, they have some 2003 clients on the network, who are not experiencing issues. These clients appear to still be using public folders for distribution, (:edit ) they are listed in the EMC under organisation - mailbox - oab. 



    Tuesday, January 8, 2013 3:05 PM
  • The connections status is showing TCP under and not HTTPS ?

    IF you download the OAB via Outlook manually does that succeed?

    Can you do the below check

    1.Click Start, point to Programs, and then click Administrative Tools.

    2.In Local Security Settings, expand Local Policies.

    3.Click Security Options.

    4.Note the LAN Manager authentication level.

    Check the Domain Controller's Policies

    1.Click Start, point to Programs, and then click Administrative Tools.

    2.In the Domain Controller Security policy, expand Security Settings\Local Policies.

    3.Click Security Options. 4.Note the LAN Manager authentication level.


    Sukh

    Tuesday, January 8, 2013 3:21 PM
  • All connections are TCP/IP.

    Client : 

    Network Security: LAN Manager authentication level - Send LM & NTLM - use NTLMv2 session security if negoriated.

    DC : 

    Network Security: LAN Manager authentication level - Send NTLM response only

    Cheers,

    Adam

    Tuesday, January 8, 2013 3:26 PM
  • IF you download the OAB via Outlook manually does that succeed on Outlook 2010?

    Sukh

    Tuesday, January 8, 2013 3:30 PM
  • Just testing now one second.
    Tuesday, January 8, 2013 3:31 PM
  • on an admin user it downloaded ok ( the issue can be sporadic I am not sure if it was just lucky)

    On a standard user account (which I have previously downloaded the addressbook on successfully) it is now passing me a prompt which even the correct password will not allow through and I am unable to download the oab. I am checking the account has not been locked out. Bear me with me.

    Tuesday, January 8, 2013 3:35 PM
  • This is the log of the password prompt from appearing and having a password entered to reappearing.

    1890 15:34:35 08/01/2013 12.2252295 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:345, TCP:344, IPv4:170}
    2802 15:34:41 08/01/2013 18.2338380 10.27.31.156 10.27.30.20 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:550, IPv4:173}
    2803 15:34:41 08/01/2013 18.2351325 10.27.30.20 10.27.31.156 KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_CLIENT_REVOKED (18) {TCP:550, IPv4:173}
    2805 15:34:41 08/01/2013 18.2353262 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2808 15:34:41 08/01/2013 18.2360424 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:549, TCP:548, IPv4:170}
    2809 15:34:41 08/01/2013 18.2362506 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2814 15:34:41 08/01/2013 18.2393182 10.27.31.156 10.27.30.20 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:551, IPv4:173}
    2815 15:34:41 08/01/2013 18.2418861 10.27.30.20 10.27.31.156 KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_CLIENT_REVOKED (18) {TCP:551, IPv4:173}
    2817 15:34:41 08/01/2013 18.2420598 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2820 15:34:41 08/01/2013 18.2426777 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:549, TCP:548, IPv4:170}
    2821 15:34:41 08/01/2013 18.2428627 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2826 15:34:41 08/01/2013 18.2456819 10.27.31.156 10.27.30.20 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:552, IPv4:173}
    2827 15:34:41 08/01/2013 18.2468874 10.27.30.20 10.27.31.156 KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_CLIENT_REVOKED (18) {TCP:552, IPv4:173}
    2829 15:34:41 08/01/2013 18.2470518 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2832 15:34:41 08/01/2013 18.2477073 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:549, TCP:548, IPv4:170}
    2833 15:34:41 08/01/2013 18.2478922 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2838 15:34:41 08/01/2013 18.2510205 10.27.31.156 10.27.30.20 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:553, IPv4:173}
    2839 15:34:41 08/01/2013 18.2523119 10.27.30.20 10.27.31.156 KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_CLIENT_REVOKED (18) {TCP:553, IPv4:173}
    2841 15:34:41 08/01/2013 18.2524811 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2844 15:34:41 08/01/2013 18.2530617 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:549, TCP:548, IPv4:170}
    2845 15:34:41 08/01/2013 18.2532450 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2850 15:34:41 08/01/2013 18.2570970 10.27.31.156 10.27.30.20 KerberosV5 KerberosV5:AS Request Cname: acooperman Realm: contoso.com Sname: krbtgt/contoso.com {TCP:554, IPv4:173}
    2851 15:34:41 08/01/2013 18.2587661 10.27.30.20 10.27.31.156 KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_CLIENT_REVOKED (18) {TCP:554, IPv4:173}
    2853 15:34:41 08/01/2013 18.2589408 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    2856 15:34:41 08/01/2013 18.2595679 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:549, TCP:548, IPv4:170}
    2857 15:34:41 08/01/2013 18.2597543 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using GSS-API Authorization {HTTP:549, TCP:548, IPv4:170}
    3106 15:34:43 08/01/2013 20.2975791 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3107 15:34:43 08/01/2013 20.2983090 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:592, TCP:591, IPv4:170}
    3108 15:34:43 08/01/2013 20.2985192 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3111 15:34:43 08/01/2013 20.3008730 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3112 15:34:43 08/01/2013 20.3016570 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:592, TCP:591, IPv4:170}
    3114 15:34:43 08/01/2013 20.3019781 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3117 15:34:43 08/01/2013 20.3065507 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3118 15:34:43 08/01/2013 20.3076124 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:592, TCP:591, IPv4:170}
    3119 15:34:43 08/01/2013 20.3077936 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3121 15:34:43 08/01/2013 20.3111099 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3122 15:34:43 08/01/2013 20.3117636 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:592, TCP:591, IPv4:170}
    3123 15:34:43 08/01/2013 20.3119458 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3125 15:34:43 08/01/2013 20.3143155 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}
    3126 15:34:43 08/01/2013 20.3158631 Unavailable 10.27.30.138 10.27.31.156 HTTP HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml Using Multiple Authetication Methods, see frame details {HTTP:592, TCP:591, IPv4:170}
    3127 15:34:43 08/01/2013 20.3160471 Unavailable 10.27.31.156 10.27.30.138 HTTP HTTP:Request, HEAD /OAB/ab7c9727-2e20-44bb-89cd-53803141343b/oab.xml , Using NTLM Authorization {HTTP:592, TCP:591, IPv4:170}

    The account was locked I am attempting the oab download again.

    Tuesday, January 8, 2013 3:37 PM
  • This time the address book downloaded successfully but I was greeted with a password prompt about 10-15 seconds after opening outlook.

    Adam
    Tuesday, January 8, 2013 3:44 PM
  • Same user using Outlook 2003, do they have the issue?

    Only some users who use 2010 are effected right, not all?


    Sukh

    Tuesday, January 8, 2013 3:47 PM
  • I'm interested in your CAS Namespaces.

    What URLs have been set for the  OWA, ECP, EWS, EAS  services please?

    I'm curious as to why the autodiscoverinternalURI was changed to casarray - the CasArray is ONLY for RPC client access and the name used should only resolved on the internal network and never on the Internet.  There hard requirement for the CASarray name to be on the certificate. 

    Can you also Dump out the SPNs that have been registered to the ASA that you created - is this a computer object of the ASA/

    and post the results of this pls:

    Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialstatus |Fl Name, AlternateServiceAccountConfiguration


    Cheers,

    Rhoderick

    Microsoft Premier Field Engineer, Exchange

    Blog: http://blogs.technet.com/rmilne  Twitter:    LinkedIn:    Facebook:

    Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, January 8, 2013 3:48 PM
  • That is correct.

    Adam

    Tuesday, January 8, 2013 3:48 PM
  • Download Fiddler install (somewhere in the options menu deselect HTTPS encryption). Start a capture and reproduce issue. Look at the URL's being accessed and their response code.

    Sukh

    Tuesday, January 8, 2013 3:52 PM
  • ASA (which is a computer object) - 

    Name                                 : EXCAS1
    AlternateServiceAccountConfiguration : Latest: 20/12/2012 12:38:13, contoso.com\casarray-asa$
                                           Previous: <Not set>

    Name                                 : EXCAS2
    AlternateServiceAccountConfiguration : Latest: 20/12/2012 12:38:14, contoso.com\casarray-asa$
                                           Previous: <Not set>

    As for why the autodiscoverinternalURI was set how it is, I have no idea, I did not do the original build on this system. 

    Should I get that corrected ? and what is the easiest method ? 

    ECP - 
    https://casarray.contoso.com/ecp
    OWA - https://casarray.contoso.com/owa
    EWS- https://casarray.contoso.com/ews
    EAS - https://casarray.contoso.com/Microsoft-Server-ActiveSync

    I have to nip out for a couple of hours, I will check out fiddler when I get back.

    Thanks for all the advice everyone, I hope we can get to the bottom of this.

    Adam

    Tuesday, January 8, 2013 4:02 PM
  • Check out the following blog post from "The Exchange Team".

    http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx

    This might help out with understanding the CAS Array functionality.

    Cheers!

    Tuesday, January 8, 2013 5:24 PM
  • Have you made sure the outlook mail profile is set to negotiate authentication and there is also a check box that say "prompt for username and password" try unchecking this in your mail profile, finish the config change, close and re-open outlook. This might be something in the client...
    Tuesday, January 8, 2013 6:17 PM
  • I have previously tried negotiating as well as kerberos and NTLM. I will test again and post results shortly.

    Adam
    Tuesday, January 8, 2013 6:20 PM
  • Hello guys,

    I am still having trouble with the exchange password prompts.

    I appear to be getting packet loss when pinging the CASARRAY with 65500 byte packets from the machines that are having issues and I am starting to suspect a networking issue somewhere.

    Currently the NLB is set for multicast in a single NIC configuration. We were intending to move that over to a dual NIC configuration using unicast.

    The machines in question forward an authentication request to the domain controller when attempting to download the Offline Address Book, this request fails with kerberos pre-authentication required.

    I will happily post any information people require to help me troubleshoot this issue as it has been a nightmare.

    I am aware that the Autodiscover URL has been changed to CASARRAY, this was due to a previous issue with the exchange 2003 environment and will be corrected in the next couple of days. At the moment autodiscover works perfectly.

    Adam

    Monday, January 28, 2013 4:06 PM