Outlook 2007 Prompting for Password
Phil Carter
into a couple of challenges. My DC is Windows 2008, almost default
configuration. I then brought up a separate 2008 server, and loaded
Exch07SP1 on it, default install options. I have another 2008 server acting
as the client with Outlook 2007 installed on it.
When I open Outlook 2007 for the first time after setting up the Exchange
profile, it always prompts me for the username and password. I think this
has something to do with the auto discovery service or OAB. If I cancel this
prompt, I can use Outlook just fine. When I schedule a new calendar event, I
can't see any free/busy data.
Now, if instead of canceling that initial password prompt, I enter in my
username/password, I can see the free/busy calendar data, however, I get a
certificate warning.
I'd like the new Outlook 2007 with Exchange 2007 to behave like
Exchange/Outlook 2003 and stop prompting legitimate domain users for login
credentials when Windows should be supplying them automatically. Is this a
known bug with Exchange/Outlook 2007? This is as close to an out-of-the-box
setup I could get. I've loaded up this lab several times, all with the same
results. I've scoured around, however I can't find any concrete explanations
of why this is happening, and/or how to solve it.
Any help much appreciated,
Phil
Mierdaan
wrote:
Have you replaced the IIS certificate your exchange server is using
with one signed by your DC?
andy webb
CAS role and running in IIS on the server. IIS integrated authentication is
failing perhaps because the server isn't in your trusted sites list, or
perhaps because your desktop doesn't trust the self-issued certificated used
by the Exchange server.
"Phil Carter" <philc...@DONOTSPAMspacemky.com> wrote in message
news:%23XlIRlS...@TK2MSFTNGP03.phx.gbl...
Phil Carter
https://exchange.contoso.com/Autodiscover/Autodiscover.xml
When I hit this URL from IE, it always prompts me for authentication instead
of using integrated auth. (Maybe it thinks the server is in the INTERnet
zone instead of the INTRAnet zone???) When I hit the root
(https://exchange.contoso.com), I downloaded the cert and installed it in my
trusted roots. Now Outlook doesn't throw a certificate error, but it still
prompts for the password. Any idea how to get the Autodiscover Integrated
Authentication working right? I feel that I'm so close to getting closure on
this.
Andy, Thanks for your help so far,
Phil
"andy webb" <aw...@swinc.com.spamsucks.com> wrote in message
news:464E1065-8620-4E70...@microsoft.com...
Phil Carter
website a signed certificate. The EWS services are all using this new
certificate, but Exchange 2007 is still getting prompted for authentication.
Is there a setting I need to adjust to make integrated authentication work
for EWS? From the IIS logs on the Exchange server, I see HTTPS posts failing
(error 401) to /Autodiscover/Autodiscover.xml. Again, this is most likely
failing because integrated auth isn't working... Any ideas how to fix this
one?
Thanks,
Phil
"andy webb" <aw...@swinc.com.spamsucks.com> wrote in message
news:464E1065-8620-4E70...@microsoft.com...
Alan J. English
the same issue.
Alan
"Phil Carter" <philc...@DONOTSPAMspacemky.com> wrote in message
news:%23XlIRlS...@TK2MSFTNGP03.phx.gbl...
Phil Carter
I tried that to no avail. Outlook 2007 still prompts after adding every
possible URL in IE's trusted sites. It should be noted that the Exchange IIS
is using a cert from my domain trusted CA, so the clients trust the
certificates all the way up the chain. Just for testing, I enabled anonymous
access only for the Autodiscover virtual directory. Doing that made Exchange
2007 not prompt for credentials.(!)
What would cause the Autodiscover virtual directory to prompt Outlook
clients when:
1) Windows Integrated Authentication is selected in IIS
2) The proper URLs are being accessed by the client. Outlook's "Test E-mail
AutoConfiguration" comes back good.
3) The EWS sites are using a certificate trusted all the way up
Again, this is a "default" out-of-the-box Exchange 2007 SP1 installation on
Windows Server 2008 RTM. My client is (now) Vista SP1 with Outlook 2007.
Thanks,
Phil
"Alan J. English" <aeng...@schiffhardin.com> wrote in message
news:%23ezrsvd...@TK2MSFTNGP02.phx.gbl...
SvenC
> Try adding the Exchange server to the list of trusted sites in IE. I
> had the same issue.
By default trusted sites are not trusted to use integrated auth.
I suppose you should put it in your local intranet zone.
--
SvenC
Phil Carter
zone didn't do the trick either.
There has to be SOME WAY to make Outlook 2007 NOT PROMPT the user for
authentication for
https://exchange.domain.com/autodiscover/autodiscover.xml. I have it working
properly in another lab using beta versions. I'm trying to figure out why
Outlook 2007 is getting hung up on this, and pretty much getting nowhere.
It's almost as if Outlook 2007 doesn't trust the IIS website, so it reverts
back to "basic" authentication instead of trying Windows Integrated Auth.
Any more suggestions from the experts? Has anyone deployed Exchange 2007 SP1
on Windows 2008 with Vista/Outlook 2007 clients successfully?
Thanks!
Phil
"SvenC" <Sv...@community.nospam> wrote in message
news:582DB2DE-A749-42F6...@microsoft.com...
SvenC
> Thanks for the suggestion Sven, but putting the URLs in IE's local
> Intranet zone didn't do the trick either.
>
> There has to be SOME WAY to make Outlook 2007 NOT PROMPT the user for
> authentication for
> https://exchange.domain.com/autodiscover/autodiscover.xml. I have it
> working properly in another lab using beta versions. I'm trying to
> figure out why Outlook 2007 is getting hung up on this, and pretty
> much getting nowhere. It's almost as if Outlook 2007 doesn't trust
> the IIS website, so it reverts back to "basic" authentication instead
> of trying Windows Integrated Auth.
Does it work when you run Outlook 2007 on WinXP or Vista?
Maybe there are some security policies with different defaults for
client and server versions?
--
SvenC
Phil Carter
I tested the NTFS "Effective Permissions" for my user account to the
Autodiscover web content folder on the Exchange server. For some weird
reason, it wouldn't work; it threw an error about not being able to resolve
the permissions. I took this to mean there was something wrong with the
domain, and reloaded the lab. In my original lab, I had 3 Windows 2008
servers running under vmware, all created from the same template. Perhaps
the Windows SIDs weren't properly regenerated by vmware which was causing
this hangup?
When I reloaded the lab, I made my domain controller Windows Server 2003,
the Exchange Server Windows Server 2008, and the client Vista. No issues at
all with this setup. This lab configuration more closely matched my
production environment, but I'd imagine that using 3 2008 servers would have
yielded positive results as well.
Thanks to all who helped me troubleshoot this issue!
Phil Carter
"Phil Carter" <philc...@DONOTSPAMspacemky.com> wrote in message
news:%23XlIRlS...@TK2MSFTNGP03.phx.gbl...
SvenC
> I tested the NTFS "Effective Permissions" for my user account to the
> Autodiscover web content folder on the Exchange server. For some weird
> reason, it wouldn't work; it threw an error about not being able to
> resolve the permissions. I took this to mean there was something wrong
> with the domain, and reloaded the lab. In my original lab, I had 3 Windows
> 2008 servers running under vmware, all created from the same template.
> Perhaps the Windows SIDs weren't properly regenerated by vmware which was
> causing this hangup?
Does vmware autogenerate new sids? I always use newsid from sysinternals
to create new SIDs for cloned machines.
--
SvenC
Phil Carter
I guess we could rename this thread:
"What happens when you deploy Exchange Server 2007 using duplicate SIDs". :)
VMWare generates a new UUID for each virtual machine, but not the SID. I
should've suspected this from the start, and used sysprep or NewSID. -PC
"SvenC" <Sv...@community.nospam> wrote in message
news:958D8F3B-606A-4071...@microsoft.com...
Christoph Wilfing
VMware does only generate new SIDs if you use Virtual Center with
customization Wizard - which currently does not support Win2k8 (afair) just
Win2k3. Workstation or VMware Server does not regnerate SIDs at all...
BG Christoph
--
If you dont want the milk to get sour...keep it in the cow
wcody...@gmail.com
users were getting prompted over and over for the username and
password. It wasn't checking the certificate that they had installed
via internet explorer. To fix the problem, I opened IIS on the
Exchange server and checked the following directories under the
default website (the root site(default web site), oab, autodiscover).
Under the directory security tab, click Edit in the Secure
Communications section. I had the require SSL checked and the 128bit
encryption, but under Client Certificates, it was set to ignore. Once
I changed that to Accept for each of the folders, stopped and started
IIS, I stopped being prompted all the time for credentials. Hopefully
this will help someone in the future.
Matthew Roach
could kiss you. I have been trying to figure this out for two weeks now and
my users are starting to get fed up with the "hassle" of the prompt. I have
tried the SAN certificates, putting the sites in the trusted and local
intranet zones, etc. and that stupid prompt kept coming up. Until now. It
was such an issue that I came in on the weekend to work.
Words cannot describe the gratitude I have, but I will give it a try...
Thank you very much.
How in the hell did you find this solution?
-Matthew
Brian Wing
I've implemented all of the recommendations from this post as well as those
listed in
http://forums.microsoft.com/technet/showpost.aspx?pageindex=1&siteid=17&postid=2302713&sb=0&d=1&at=7&ft=11&tf=0&pageid=0
Has anyone else had luck and/or have any other thoughts?
One thing I think I have discovered (and frankly not sure why it would even
attempt to look this info up) is that when I open a meeting request in my
calendar with domain users only, I am not prompted, however when the meeting
request has non-domain users (meetings sent by external folks i.e. vendors) I
am prompted, funny thing is I'm the only internal user and I'm prompted for
login to access my own free/busy!
Go figure. Any more help, I'll be digging for answers in the ether....
--
Brian Wing
Sr. Systems Administrator
Calix Networks
osoroshi
directories, though no need to restart IIS.
Khan@discussions.microsoft.com Anwar Khan
Unlimited -Jake@discussions.microsoft.com Networks Unlimited -Jake
-Jake
Cooper@discussions.microsoft.com Trey Cooper
Take Note: This also works with Exchange 2010.
Kristina Bisseker
> On Thursday, March 13, 2008 12:43 PM Phil Carter wrote:
> I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
> into a couple of challenges. My DC is Windows 2008, almost default
> configuration. I then brought up a separate 2008 server, and loaded
> Exch07SP1 on it, default install options. I have another 2008 server acting
> as the client with Outlook 2007 installed on it.
>
> When I open Outlook 2007 for the first time after setting up the Exchange
> profile, it always prompts me for the username and password. I think this
> has something to do with the auto discovery service or OAB. If I cancel this
> prompt, I can use Outlook just fine. When I schedule a new calendar event, I
> can't see any free/busy data.
>
> Now, if instead of canceling that initial password prompt, I enter in my
> username/password, I can see the free/busy calendar data, however, I get a
> certificate warning.
>
> I'd like the new Outlook 2007 with Exchange 2007 to behave like
> Exchange/Outlook 2003 and stop prompting legitimate domain users for login
> credentials when Windows should be supplying them automatically. Is this a
> known bug with Exchange/Outlook 2007? This is as close to an out-of-the-box
> setup I could get. I've loaded up this lab several times, all with the same
> results. I've scoured around, however I can't find any concrete explanations
> of why this is happening, and/or how to solve it.
>
> Any help much appreciated,
> Phil
>> You're getting prompted by the Exchange Web Services which are part of the
>> CAS role and running in IIS on the server. IIS integrated authentication is
>> failing perhaps because the server isn't in your trusted sites list, or
>> perhaps because your desktop doesn't trust the self-issued certificated used
>> by the Exchange server.
>>
>>
>> news:%23XlIRlS...@TK2MSFTNGP03.phx.gbl...
>>> Ok, cool. It looks like Integrated Windows Authentication isn't working for:
>>> https://exchange.contoso.com/Autodiscover/Autodiscover.xml
>>>
>>> When I hit this URL from IE, it always prompts me for authentication instead
>>> of using integrated auth. (Maybe it thinks the server is in the INTERnet
>>> zone instead of the INTRAnet zone???) When I hit the root
>>> (https://exchange.contoso.com), I downloaded the cert and installed it in my
>>> trusted roots. Now Outlook doesn't throw a certificate error, but it still
>>> prompts for the password. Any idea how to get the Autodiscover Integrated
>>> Authentication working right? I feel that I'm so close to getting closure on
>>> this.
>>>
>>> Andy, Thanks for your help so far,
>>>
>>> "andy webb" <aw...@swinc.com.spamsucks.com> wrote in message
>>> news:464E1065-8620-4E70...@microsoft.com...
>>>> Try adding the Exchange server to the list of trusted sites in IE. I had
>>>> the same issue.
>>>>
>>>>> On Friday, March 14, 2008 9:48 AM Phil Carter wrote:
>>>>> I installed Certificate Authority on the DC, and issued the IIS default
>>>>> website a signed certificate. The EWS services are all using this new
>>>>> certificate, but Exchange 2007 is still getting prompted for authentication.
>>>>> Is there a setting I need to adjust to make integrated authentication work
>>>>> for EWS? From the IIS logs on the Exchange server, I see HTTPS posts failing
>>>>> (error 401) to /Autodiscover/Autodiscover.xml. Again, this is most likely
>>>>> failing because integrated auth isn't working... Any ideas how to fix this
>>>>> one?
>>>>>
>>>>> Thanks,
>>>>> Phil
>>>>>
>>>>> "andy webb" <aw...@swinc.com.spamsucks.com> wrote in message
>>>>> news:464E1065-8620-4E70...@microsoft.com...
>>>>>> Thanks for your suggestion Alan.
>>>>>>
>>>>>> I tried that to no avail. Outlook 2007 still prompts after adding every
>>>>>> possible URL in IE's trusted sites. It should be noted that the Exchange IIS
>>>>>> is using a cert from my domain trusted CA, so the clients trust the
>>>>>> certificates all the way up the chain. Just for testing, I enabled anonymous
>>>>>> access only for the Autodiscover virtual directory. Doing that made Exchange
>>>>>> 2007 not prompt for credentials.(!)
>>>>>>
>>>>>> What would cause the Autodiscover virtual directory to prompt Outlook
>>>>>> clients when:
>>>>>> 1) Windows Integrated Authentication is selected in IIS
>>>>>> 2) The proper URLs are being accessed by the client. Outlook's "Test E-mail
>>>>>> AutoConfiguration" comes back good.
>>>>>> 3) The EWS sites are using a certificate trusted all the way up
>>>>>>
>>>>>> Again, this is a "default" out-of-the-box Exchange 2007 SP1 installation on
>>>>>> Windows Server 2008 RTM. My client is (now) Vista SP1 with Outlook 2007.
>>>>>>
>>>>>> Thanks,
>>>>>> Phil
>>>>>>
>>>>>> "Alan J. English" <aeng...@schiffhardin.com> wrote in message
>>>>>> news:%23ezrsvd...@TK2MSFTNGP02.phx.gbl...
>>>>>>> Hi Phil,
>>>>>>>
>>>>>>> By default trusted sites are not trusted to use integrated auth.
>>>>>>> I suppose you should put it in your local intranet zone.
>>>>>>>
>>>>>>> --
>>>>>>> SvenC
>>>>>>>> Thanks for the suggestion Sven, but putting the URLs in IE's local Intranet
>>>>>>>> zone didn't do the trick either.
>>>>>>>>
>>>>>>>> There has to be SOME WAY to make Outlook 2007 NOT PROMPT the user for
>>>>>>>> authentication for
>>>>>>>> https://exchange.domain.com/autodiscover/autodiscover.xml. I have it working
>>>>>>>> properly in another lab using beta versions. I'm trying to figure out why
>>>>>>>> Outlook 2007 is getting hung up on this, and pretty much getting nowhere.
>>>>>>>> It's almost as if Outlook 2007 doesn't trust the IIS website, so it reverts
>>>>>>>> back to "basic" authentication instead of trying Windows Integrated Auth.
>>>>>>>>
>>>>>>>> on Windows 2008 with Vista/Outlook 2007 clients successfully?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Phil
>>>>>>>>
>>>>>>>>> On Friday, March 14, 2008 3:20 PM SvenC wrote:
>>>>>>>>> Hi Phil Carter,
>>>>>>>>>
>>>>>>>>> Does it work when you run Outlook 2007 on WinXP or Vista?
>>>>>>>>> Maybe there are some security policies with different defaults for
>>>>>>>>> client and server versions?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> SvenC
>>>>>>>>>> Ok, I've managed to solve the issue after a lot of fighting with it.
>>>>>>>>>>
>>>>>>>>>> Autodiscover web content folder on the Exchange server. For some weird
>>>>>>>>>> reason, it wouldn't work; it threw an error about not being able to resolve
>>>>>>>>>> the permissions. I took this to mean there was something wrong with the
>>>>>>>>>> domain, and reloaded the lab. In my original lab, I had 3 Windows 2008
>>>>>>>>>> servers running under vmware, all created from the same template. Perhaps
>>>>>>>>>> the Windows SIDs weren't properly regenerated by vmware which was causing
>>>>>>>>>> this hangup?
>>>>>>>>>>
>>>>>>>>>> the Exchange Server Windows Server 2008, and the client Vista. No issues at
>>>>>>>>>> all with this setup. This lab configuration more closely matched my
>>>>>>>>>> production environment, but I'd imagine that using 3 2008 servers would have
>>>>>>>>>> yielded positive results as well.
>>>>>>>>>>
>>>>>>>>>> Thanks to all who helped me troubleshoot this issue!
>>>>>>>>>> Phil Carter
>>>>>>>>>>
>>>>>>>>>> "Phil Carter" <philc...@DONOTSPAMspacemky.com> wrote in message
>>>>>>>>>> news:%23XlIRlS...@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>> Hi Phil,
>>>>>>>>>>>
>>>>>>>>>>> Does vmware autogenerate new sids? I always use newsid from sysinternals
>>>>>>>>>>> to create new SIDs for cloned machines.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> SvenC
>>>>>>>>>>>> Thanks Sven,
>>>>>>>>>>>> I guess we could rename this thread:
>>>>>>>>>>>>
>>>>>>>>>>>> "What happens when you deploy Exchange Server 2007 using duplicate SIDs". :)
>>>>>>>>>>>> VMWare generates a new UUID for each virtual machine, but not the SID. I
>>>>>>>>>>>> should've suspected this from the start, and used sysprep or NewSID. -PC
>>>>>>>>>>>>
>>>>>>>>>>>> "SvenC" <Sv...@community.nospam> wrote in message
>>>>>>>>>>>> news:958D8F3B-606A-4071...@microsoft.com...
>>>>>>>>>>>>>> I had an issue similar to this. Win2k3 Ex07. All of my Outlook 2007
>>>>>>>>>>>>>> users were getting prompted over and over for the username and
>>>>>>>>>>>>>> password. It wasn't checking the certificate that they had installed
>>>>>>>>>>>>>> via internet explorer. To fix the problem, I opened IIS on the
>>>>>>>>>>>>>> Exchange server and checked the following directories under the
>>>>>>>>>>>>>> default website (the root site(default web site), oab, autodiscover).
>>>>>>>>>>>>>> Under the directory security tab, click Edit in the Secure
>>>>>>>>>>>>>> Communications section. I had the require SSL checked and the 128bit
>>>>>>>>>>>>>> encryption, but under Client Certificates, it was set to ignore. Once
>>>>>>>>>>>>>> I changed that to Accept for each of the folders, stopped and started
>>>>>>>>>>>>>> IIS, I stopped being prompted all the time for credentials. Hopefully
>>>>>>>>>>>>>> this will help someone in the future.
>>>>>>>>>>>>>>> You have made me the happiest man in the world right now. I am so happy I
>>>>>>>>>>>>>>> could kiss you. I have been trying to figure this out for two weeks now and
>>>>>>>>>>>>>>> my users are starting to get fed up with the "hassle" of the prompt. I have
>>>>>>>>>>>>>>> tried the SAN certificates, putting the sites in the trusted and local
>>>>>>>>>>>>>>> intranet zones, etc. and that stupid prompt kept coming up. Until now. It
>>>>>>>>>>>>>>> was such an issue that I came in on the weekend to work.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Words cannot describe the gratitude I have, but I will give it a try...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you very much.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How in the hell did you find this solution?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Matthew
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "wcody...@gmail.com" wrote:
>>>>>>>>>>>>>>>> So I'm still experiencing login prompts when accessing free/busy.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I've implemented all of the recommendations from this post as well as those
>>>>>>>>>>>>>>>> listed in
>>>>>>>>>>>>>>>> http://forums.microsoft.com/technet/showpost.aspx?pageindex=1&siteid=17&postid=2302713&sb=0&d=1&at=7&ft=11&tf=0&pageid=0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Has anyone else had luck and/or have any other thoughts?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> One thing I think I have discovered (and frankly not sure why it would even
>>>>>>>>>>>>>>>> attempt to look this info up) is that when I open a meeting request in my
>>>>>>>>>>>>>>>> calendar with domain users only, I am not prompted, however when the meeting
>>>>>>>>>>>>>>>> request has non-domain users (meetings sent by external folks i.e. vendors) I
>>>>>>>>>>>>>>>> am prompted, funny thing is I'm the only internal user and I'm prompted for
>>>>>>>>>>>>>>>> login to access my own free/busy!
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Go figure. Any more help, I'll be digging for answers in the ether....
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Brian Wing
>>>>>>>>>>>>>>>> Sr. Systems Administrator
>>>>>>>>>>>>>>>> Calix Networks
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "wcody...@gmail.com" wrote:
>>>>>>>>>>>>>>>>> This has worked for me also especially re: oab & autodiscover virtual
>>>>>>>>>>>>>>>>> directories, though no need to restart IIS.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Matthew Roach" wrote:
>>>>>>>>>>>>>>>>>> Hello I cannot find autodiscover in oab
>>>>>>>>>>>>>>>>>>> Amazing work. Thanks So much!
>>>>>>>>>>>>>>>>>>> -Jake