Authentication prompts in Outlook is one of the worst to troubleshoot in a Messaging Environment. But if your clear about your Architecture and the connectivity flow it could be much easier for you to isolate the issue. I have listed the most common scenarios . Lets see one by one.
- Microsoft Office Patches
- Understanding Outlook Behaviour and Credential Manager`with HTTP MAPI
- Proxy Exclusions
- Hardware Load Balancers
- Custom Outlook Add-ins
- Conflicting Outlook Anywhere Settings in Co-existence Environment.
- Public Folders Co-existence not configured Properly.
- Additional Mailboxes
- SSL misconfiguration
- Customized Virtual directory authentication settings
- Autodiscover Request failure
- Offline Address Books
- Outlook Integration like Instant Messaging
- Active Directory Replication
- Primary Email Address and User Principal Name Mismatch in Office 365 Hybrid
Microsoft Office Patches –
I know Microsoft patches are crazy sometimes . But i strongly recommend to upgrade the Microsoft Office to the latest version to stay secured also so that you don’t work on a issue which is already fixed. There are many feature optimizations and Protocol enhancements made over these months . So before even start troubleshooting make sure you have the latest version of Office running . So that it helps you to isolate the issue faster and quicker.
Understanding Outlook Behaviour and Credential Manager`with HTTP MAPI –
when we are using RPC HTTP it wasn’t mandatory to store credentials on the local machine. But here comes the HTTP MAPI where it makes it mandatory for users to store the password in the credential manager when the users leave the domain network.
As of today when a domain joined machine leaves the domain / corporate / internal network and goes external. Outlook Prompts for credential to enter it once to store in the credential manager. So that it won’t ask you again. Until the password expires on it. This wasn’t the case or behaviour with RPC HTTP.
Seeing Connection Status in Outlook shows you. The Outlook is using RPC HTTP or HTTP MAPI.
Note : Office 365 / Exchange Server 2016 uses HTTP MAPI as default
when the user stores the credential . You can see them as
MicrosoftOffice16_DataSSPI:email@example.com in the Windows Credential Manager
If user checks : Remember Password It shows as Enterprise. It means its going to ask again until the password expires from the External Network
If user doesn’t check Remember Password it will show as Logon Session . It means when user logs of and logs in . Credential are stored only for the logon session and it will prompt the user when the user is on the external network
Seeing in the Control Panel Credential Manager – Remembering Credentials
Seeing in the Control Panel _ Credential Manager without remembering the credentials
this behavior is by design when user is on the External Network for Exchange Server 2016 .
Proxy Exclusions –
Proxy Exclusions play a major role when it comes to credential prompts . Lets see the most seen issue is using a PAC file
if your using a pac file , Outlook may fail with Authn “Error” in connection status
Sample Proxy Settings on Pac File – http://pac.zscloud.net/azure365pro.pac
If your using On Premises you make it to bypass the traffic and go direct. So that when they are in Domain it goes to the Exchange Server Directly.
if you using Exchange Online – Its preferred to go via proxy and you will not set direct settings on pac file. Make sure all Office 365 Urls are excluded from the proxy. For Example zscaler gives One Click Configuration for Office 365
Hardware Load Balancers –
ByPassing Hardware load balancers is more important as Outlook loses session persistence , Load balancer may give out the request to a different exchange server every time it connects. So most of the time it could be a configuration issue. As we cannot go into details of those issues . As its wide scope. Just to make sure its not a load balancer issue. Make a host file pointing to the Exchange Server see if you are experiencing the same issue which can answer you many things
I have documented the steps on F5 if you use one https://www.azure365pro.com/configure-f5-ltm-exchange-server-2016/
Custom Outlook Add-ins –
There are many Add-ins for Outlook . Which may cause credential prompts. Outlook Safe mode can answer you those. Safe mode removes all the Addins on start up temporarily for you to test the behaviour of Outlook to isolate the same issue.
Conflicting Outlook Anywhere Settings in Co-existence Environment –
Credential prompts may be a reason when they are not able to proxy into the destination server. Where Outlook anywhere wasn’t mandatory in environments . When it comes to Exchange Server 2016 . Outlook anywhere has to be enabled on all Exchange 2010 servers for example . when you want to start with an co-existence. Outlook anywhere settings has to match between the legacy servers and the new exchange servers when you setup a coexistence . In order to have smooth client connectivity.
In my case . In my recent migrations – Exchange Server 2010 was set to use NTLM . so made the same configuration on Exchange 2016 then the co-existence connectivity was successful.
Once the Co-existence period is over . we have put back recommended settings on Exchange Server 2016 having them to use negotiate
Basic authentication: If you select this authentication type, Outlook will prompt for username and password while attempting a connection with Exchange.
NTLM authentication: If you select this authentication type, exchange does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password. So, when Outlook is trying to connect to Exchange and if the machine is domain joined, there isn’t a need to provide password.
Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. If we employ negotiate authentication, exchange will authenticate the client using NTLM authentication type and if unable to verify authenticity, will challenge the client to authenticate using a username and password.
As explained these Outlook anywhere settings are not matching between the legacy servers and the new prompts . There are more chances of getting Intermittent Outlook prompts
Public Folders Co-existence not configured Properly –
If you have Exchange 2016 and Exchange 2010 in your environment. Outlook may prompt or slow it down to connect when its not able to reach the public folders of Exchange 2010 via Exchange 2016.
In our case we have decided to remove Default Public Folder Database as we are not planning to migrate it to the new system.
Cleared using msExchHomePublicMDB attribute on Exchange 2010 Database
Start – run – adsiedit.msc – Configuration partition
CN=Services -> CN=Microsoft Exchange -> CN=(your organization name) -> CN=Administrative Groups -> CN=Exchange Administrative Group (FYDIBOHF23SPDLT) -> CN=Databases.
Now make sure Outlook is not trying to reach Exchange 2010 or legacy server public folders , You can always see the Outlook Connection status to check the same.
or you can try to setup co-existence https://technet.microsoft.com/en-us/library/dn690134(v=exchg.150).aspx
Additional Mailboxes –
Make sure Outlook is not configured with additional mailboxes . As sometime the primary mailbox may be on the new version and the additional mailbox is still on the legacy servers or vice versa which may cause prompts. You can always remove them and check it ,
SSL misconfiguration –
SSL misconfigurations like
- Wrong Entries on Get-OutlookProvider
- Unsupported wild card certs.
Customized Virtual directory authentication settings –
There could be change in Authentication settings. Listed Exchange 2016 default authentication settings on virtual directories from a healthy environment.
Backend Site bindings –
MAPI _ Backend
EWS _ Backend
OAB _ Backend
Autodiscover Request failure –
Hold Ctrl key and right click on outlook icon on the task bar. test email configuration run autodiscover. verify its returning right urls in a timely manner.
Offline Address Books –
Make sure Offline Address Book assigned properly on Databases.
Make sure Outlook can download Offline Address books properly from the client side.
Instant Messaging Integration –
This prompt is one of the finest example where Cisco Jabber trying to get request data from Outlook before Outlook Connects to Exchange server. you can isolate the issue by simply removing such products from startup
Primary Email Address and User Principal Name Mismatch in Office 365 Hybrid
When your email and User Principal Name is not matching in Active Directory. You can see repeated Outlook authentication Prompts
Happy Authentication Prompts .
Thank you for an informative article and for sharing your experience !
Only have one question regarding the logon prompt from external domain joined machines.
(when using MAPI-HTTP)
Have you got this confirmed by Microsoft, that this behavior is “by design”
Are MS going to fix it ?
Its by Design. I don’t think MS has any plans for it.(Assuming)