Linked mailbox credential prompt.
We have set up a linked mailbox between two different domains and all is OK.
Just want to clarify whether it is normal that every time I open the Outlook client of the linked mailbox it prompts for its credentials, even if the domain account login is also the linked mailbox account?
If it is not, please let me know what authentication method I should change, or is this normal for a linked mailbox?
thanks in advance!!
Hi,
To understand more about the issue, I’d like to confirm the following information:
1. Check the authentication method in the tab named Exchange proxy settings.
2. Is there a firewall between the two domains?
3. Does the credential accept the password or keep prompting?
4. Cancel the credential prompt and then run "Test Email AutoConfiguration" to see if any error is returned.
5. Does the credential appear if you run Outlook with online mode?
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support
Similar Messages
-
Outlook Password prompt for Linked Mailboxes from certain Domain
Hello,
As part of a migration project, I'm trying to connect Outlook with Linked Mailboxes from users in a trusted domain.
I'm able to create the linked mailbox on the Exchange 2013 (CU7) server without any issue, but when I try to configure Outlook for these mailboxes, it is prompting for credentials permanently and won't start. Log on to OWA with the same user from the trusted domain is working fine.
I'm able to configure Linked mailboxes from another trusted domain without any problems.
I've already recreated the trust between these two domains (validation tells everything is ok)
DNS is configured with conditional forwarders in both domains and name resolution looks ok to me (ping and nslookup)
When I look at the LinkedMasterAccount of the mailboxes from this domain, I can see that there is only the SID (S-1-5-21-4033829......). The other linked mailboxes (from the other domain where it's working) are showing the Account name (domain\user)
Internal and External ClientAuthenticationMethod of OutlookAnywhere is set to NTLM
Infos:
DomainA: Domainlevel 2012 - Exchange 2013 - Forest trust to Domain B and C
DomainB: Domainlevel 2008 - Exchange 2010 - Forest trust to Domain A - Outlook for linked Mailboxes of DomainA works fine
DomainC: Domainlevel 2008 - Forest trust to Domain A --> can't connect Outlook to LinkedMailboxes of this domain.
Is there anything else I can check?
Hi,
Please check whether the server is configured to only accept NTLM version 2 and reject NTLM and LM, and the Outlook client computer is not configured with the same LAN Manager authentication level.
Check DC, Start -> Programs -> Administrative Tools -> Security Options -> Note the LAN Manager authentication level.
Check DC's policies, Start -> Programs -> Administrative Tools -> expand Security Settings\Local Policies -> Security Options -> Note the Lan Manager authentication level.
IMPORTANT: You may also have to check policies that are linked at the site/domain/organizational unit levels to determine where the LAN Manager authentication level must be configured. Configure the LAN Manager authentication level to "Send NTLMv2 response only". If you want to implement NTLM version 2 in your network, make sure that all computers in the domain are set to use this authentication level.
Thanks
Mavis Huang
TechNet Community Support -
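The LAN Manager authentication level that the reply above asks to compare is stored as the LmCompatibilityLevel registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The following is an added example, not part of the original thread, that reads it from the client, the domain controller and the Exchange server and flags the mismatch the reply describes. The computer names are placeholders, and remote reads assume PowerShell remoting is enabled (PowerShell 3.0 or later).

```powershell
# Added example (not from the thread). Computer names below are placeholders.
# Policy text for each LmCompatibilityLevel value, as shown under
# "Network security: LAN Manager authentication level".
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on the target machine; returns -1 when the value is not set.
    $readLevel = {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
        if ($null -ne $lsa) { [int]$lsa.LmCompatibilityLevel } else { -1 }
    }

    foreach ($computer in $ComputerName) {
        $level  = $null
        $policy = 'Unreachable'
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $level = [int](& $readLevel)
            } else {
                $level = [int](Invoke-Command -ComputerName $computer -ScriptBlock $readLevel -ErrorAction Stop)
            }
            if ($level -lt 0) { $policy = 'Not configured (operating system default applies)' } else { $policy = $LmLevelNames[$level] }
        } catch {
            $policy = "Could not read: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Computer = $computer; Level = $level; Policy = $policy }
    }
}

function Test-LmLevelMismatch {
    # Returns $true when one machine refuses LM and NTLM (level 5) while
    # another still sends only LM/NTLM responses (level 0-2).
    param([Parameter(Mandatory = $true)][object[]]$Result)

    $known  = @($Result | Where-Object { $null -ne $_.Level -and $_.Level -ge 0 })
    $strict = @($known | Where-Object { $_.Level -eq 5 })
    $legacy = @($known | Where-Object { $_.Level -lt 3 })

    if ($strict.Count -gt 0 -and $legacy.Count -gt 0) {
        $legacyNames = ($legacy | ForEach-Object { $_.Computer }) -join ', '
        $strictNames = ($strict | ForEach-Object { $_.Computer }) -join ', '
        Write-Warning "NTLM will fail: $legacyNames send LM/NTLM only, but $strictNames accept NTLMv2 only. Raise the former to 'Send NTLMv2 response only' (3) or higher."
        return $true
    }
    return $false
}

# Placeholder names: the Outlook client, a DC of the account domain, the Exchange server.
$machines = 'CLIENT01', 'DC01.domainc.example', 'EXCH01.domaina.example'
$results  = Get-LmCompatibilityLevel -ComputerName $machines
$results | Format-Table -AutoSize
Test-LmLevelMismatch -Result $results | Out-Null
```

A value set by Group Policy overwrites this registry value at the next policy refresh, so a mismatch found here still has to be corrected in the GPO that applies to the machine.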
Hi,
I have two domains, domain a and domain b. In domain a I have an Exchange 2010 server and would like to setup mailboxes for some users who have active directory accounts in domain b. I created Link mailboxes in exchange and all worked fine for a number of days. Came in today and the users are being prompted for passwords when they open outlook and their own domain b\ username and password are not working. They can however use outlook web access.
Any ideas?
Cheers
Hi,
Did we change anything else?
Please run Outlook under safe mode to avoid some AVs, add-ins and firewall.
Please re-create a new profile to refresh the caches.
Please delete the credential, steps as below:
1. Control Panel-->User Accounts-->click Manage your credentials in the left pane
2. Click the vault that contains the credential that we want to remove.
3. Click the credential that we want to remove, and then click Remove from vault.
Please verify our Exchange Proxy Settings via Outlook.
Steps as below:
Outlook -> Tools -> Account Settings -> E-mail -> click the Exchange account -> Change -> More Settings -> Connection -> Exchange Proxy Settings
Outlook Anywhere options and their descriptions:
Option: On a fast network, connect using HTTP first, then connect using TCP/IP.
Description: By default on a fast network, Outlook attempts to connect by using the LAN connection first. This option is cleared by default.
Option: On a slow network, connect using HTTP first, then connect using TCP/IP.
Description: By default, on a slow network, Outlook attempts to connect by using HTTP first. This option is set by default.
Option: Password Authentication (NTLM).
Description: The default authentication method. We recommend that you specify this option together with Connect with SSL only and Mutually authenticate the session when connecting with SSL.
Option: Basic Password Authentication.
Description: With this option, users are prompted for a password each time a connection is made to the Exchange server. In addition, if users are not using Secure Sockets Layer (SSL), the password is sent in clear text. This can pose a security risk.
If we are in the "Basic Password Authentication", please change to the "NTLM" for testing.
If still not working unfortunately, please verify our SSL principal name. Steps as below:
1. Please determine the FQDN that the client uses to access the resource. Steps as below:
Outlook -> Tools -> Account Settings -> E-mail -> click the Exchange account -> Change -> More Settings -> Connection -> Exchange Proxy Settings -> note the FQDN that is listed in the Only connect to proxy servers that have this principal name in their certificate box.
2. Please use EMS to determine the value of the CertPrincipalName attribute: Get-OutlookProvider
This command returns the result for the EXPR name.
3. Please reset the CertPrincipalName attribute to match the FQDN via the following command:
Set-OutlookProvider EXPR -CertPrincipalName:"msstd:<FQDN the certificate is issued to>"
Hope it is helpful
Thanks
Mavis
Mavis Huang
TechNet Community Support -
Converting User Mailboxes to Linked Mailboxes
We're going to be moving users to a new, trusted domain and want to keep our Exchange 2013 server in the old domain. It looks like the best strategy for us is to convert our user mailboxes to linked mailboxes for users who will log into the new domain.
There's quite a bit out on the web on doing this in Exchange 2010 but I don't see anything specific to Exchange 2013. Is the procedure basically the same? This is what users seem to be doing from PowerShell:
Set-User <userID> -LinkedMasterAccount AccountDomain\UserID -LinkedDomainController AccountDomainControllerFQDN
Orange County District Attorney
Hi,
If you want to convert the existing mailbox to a linked mailbox, we can do the following steps:
1. To disconnect the mailbox object in the Exchange store from the user object in Active Directory, for example.
Disable-Mailbox -Identity User1
2. To create a credential object, run the following command.
$cred = Get-Credential
You will be prompted for credentials. Specify an account that has permissions to access the domain controller in the forest where the user account resides. Use the LinkedDomainController parameter to specify the domain controller. This domain controller obtains security information for the account to which you are linking the mailbox object.
3. To reconnect the mailbox object in the Exchange store to an external user object, use this example.
Connect-Mailbox -Identity User1 -Database "Mailbox Database" -LinkedDomainController FabrikamDC01 -LinkedMasterAccount [email protected] -LinkedCredential $cred
For more information about converting linked mailbox, please refer to:
https://technet.microsoft.com/en-us/library/bb201694%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396
Regards,
Winnie Liang
TechNet Community Support -
Can't move Exchange 2003 mailbox to Exchange 2010 Resource forest (Linked Mailbox)
Problem Description:
Can’t move Exchange 2003 mailbox to Exchange 2010 resource forest
Error message:
Failed to reconnect to Active Directory server SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that you have used the correct credentials.
Source Environment Configuration:
Active Directory
FQDN: umfolozi.local
Domain name (pre-Windows 2000): UMFOLOZI
Domain Function Level: Windows Server 2003
Domain Controllers:
Hostname | OS | Operation Master
SRVUMVMDC01.umfolozi.local | Windows Server 2008 R2 Standard SP1 | Schema Master, Domain Naming, RID, PDC
SRVUMVMDC01.umfolozi.local | Windows Server 2008 R2 Standard SP1 | Infrastructure
Exchange
Version: Microsoft Exchange 2003 Standard SP2 Build 7638.2
Server Information:
Hostname | OS
TUSKUMFMAIL.umfolozi.local | Windows Server 2003 R2 SP2
DNS Zones
Zone Name | Zone Type | Domain Controllers
umfolozi.local | Active Directory-Integrated (Primary) | SRVUMVMDC01.umfolozi.local, SRVUMVMDC01.umfolozi.local
peermont.com | Secondary | SRVPGVMDC01.peermont.com, SRVPGVMDC02.peermont.com
Trusts
Domain Name | Trust Type | Transitive | Validated
peermont.com | Forest | Yes | Yes
Target Environment Configuration:
Active Directory
FQDN: peermont.com
Domain name (pre-Windows 2000): PG
Domain Functional Level: Windows Server 2008 R2
Domain Controllers:
Hostname | OS | Operation Master
SRVPGVMDC01.peermont.com | Windows Server 2008 R2 Std SP1 |
SRVPGVMDC02.peermont.com | Windows Server 2008 R2 Std SP1 | Domain naming, RID, PDC, Infrastructure, Schema Master
Exchange
Resource Exchange Forest
Server Information:
Hostname | OS | Role | Version | Client Access Array
SRVPGVMEXCH01.peermont.com | Windows Server 2012 Std | HUB, CAS | Version 14.3 (Build 123.4) | exchange.peermont.com
SRVPGVMEXCH02.peermont.com | Windows Server 2012 Std | HUB, CAS | Version 14.3 (Build 123.4) | exchange.peermont.com
Hostname | OS | Role | Version | Database Availability Group
SRVPGVMEXCH03.peermont.com | Windows Server 2012 Std | MBX | Version 14.3 (Build 123.4) | PeermontDAG
SRVPGVMEXCH04.peermont.com | Windows Server 2012 Std | MBX | Version 14.3 (Build 123.4) | PeermontDAG
DNS Zones
Zone Name | Zone Type | Domain Controllers
peermont.com | Active Directory-Integrated (Primary) | SRVPGVMDC01.peermont.com, SRVPGVMDC02.peermont.com
umfolozi.local | Secondary | SRVUMVMDC01.umfolozi.local, SRVUMVMDC01.umfolozi.local
Trusts
Domain Name | Trust Type | Transitive | Validated
umfolozi.local | Forest | Yes | Yes
Migration Process
Task | Description | Successful/Error
1 | SYNC AD Domain account from source forest (umfolozi.local) to target forest (peermont.com) using BinaryTree SMART Directory Sync (ADMT can be used as alternative) | Successful
2 | Create mail-enabled user | Successful
3 | Run Prepare-MoveRequest with -OverWriteLocalObject | Successful
4 | Submit mailbox request | Error
Command Example (task 3):
.\Prepare-MoveRequest.ps1 -Identity [email protected] -RemoteForestDomainController SRVUMVMDC01.umfolozi.local -RemoteForestCredential $RemoteCredentials -UseLocalObject -LocalForestDomainController SRVPGVMDC01.peermont.com -LocalForestCredential $LocalCredentials -OverWriteLocalObject
Command Example (task 4):
New-MoveRequest -Identity "0fa7d17e-3637-4708-a51b-f14eaae17968" -BadItemLimit "50" -TargetDeliveryDomain "internal.peermont.com" -TargetDatabase "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" -RemoteCredential (Get-Credential "umfolozi\svcmigration") -RemoteGlobalCatalog "SRVUMVMDC02.umfolozi.local" -RemoteLegacy:$True
All the standard migration task works as expected until the mailbox migration move request is submitted. See move request verbose detail below:
[PS] C:\Windows\system32>New-MoveRequest -Identity "0fa7d17e-3637-4708-a51b-f14eaae17968" -BadItemLimit "50" -TargetDeli
veryDomain "internal.peermont.com" -TargetDatabase "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" -RemoteCredential (Get-Crede
ntial "umfolozi\svcmigration") -RemoteGlobalCatalog "SRVUMVMDC02.umfolozi.local" -RemoteLegacy:$True -Verbose
VERBOSE: [11:34:27.346 GMT] New-MoveRequest : Active Directory session settings for 'New-MoveRequest' are: View Entire
Forest: 'False', Default Scope: 'peermont.com', Configuration Domain Controller: 'SRVPGVMDC02.peermont.com', Preferred
Global Catalog: 'SRVPGVMDC02.peermont.com', Preferred Domain Controllers: '{ SRVPGVMDC02.peermont.com }'
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Runspace context: Executing user: peermont.com/Admin/Users/Admin
Accounts/Information Technology/SoarSoft/Johann Van Schalkwyk, Executing user organization: , Current organization: ,
RBAC-enabled: Enabled.
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Beginning processing &
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Instantiating handler with index 0 for cmdlet extension agent "Admin
Audit Log Agent".
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it
will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that Exchange not copy such
items to the destination mailbox. At move completion, these corrupted items won't be available in the destination
mailbox.
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Searching objects "{c5d6ea95-07b3-4a52-9868-e41e808a76fe}" of type
"MailboxDatabase" under the root "$null".
VERBOSE: [11:34:27.362 GMT] New-MoveRequest : Previous operation run on domain controller 'SRVPGVMDC02.peermont.com'.
VERBOSE: [11:34:27.393 GMT] New-MoveRequest : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write
Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s):
{}, Exclusive Configuration Scope(s): {} }
VERBOSE: [11:34:27.393 GMT] New-MoveRequest : Searching objects "0fa7d17e-3637-4708-a51b-f14eaae17968" of type "ADUser"
under the root "$null".
VERBOSE: [11:34:27.471 GMT] New-MoveRequest : Previous operation run on domain controller 'SRVPGVMDC02.peermont.com'.
VERBOSE: [11:34:27.471 GMT] New-MoveRequest : Processing object "$null".
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] No RequestJob messages found.
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] MDB c5d6ea95-07b3-4a52-9868-e41e808a76fe found to belong to Site:
peermont.com/Configuration/Sites/Peermont
VERBOSE: [11:34:27.487 GMT] New-MoveRequest : [DEBUG] MRSClient: attempting to connect to 'SRVPGVMEXCH02.peermont.com'
VERBOSE: [11:34:27.627 GMT] New-MoveRequest : [DEBUG] MRSClient: connected to 'SRVPGVMEXCH02.peermont.com', version
14.3.178.0 caps:07
VERBOSE: [11:34:27.627 GMT] New-MoveRequest : [DEBUG] Loading source mailbox info
VERBOSE: [11:34:28.844 GMT] New-MoveRequest : Failed to reconnect to Active Directory server
SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that you have used the correct credentials. --> A
local error occurred.
VERBOSE: [11:34:28.844 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
Failed to reconnect to Active Directory server SRVUMVMDC02.umfolozi.local. Make sure the server is available, and that
you have used the correct credentials.
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : F48FD74B,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
+ PSComputerName : srvpgvmexch02.peermont.com
VERBOSE: [11:34:28.859 GMT] New-MoveRequest : Ending processing &
Troubleshooting Performed
1. When submitting mailbox move request tried the following credential inputs:
1.1. DOMAIN\Username
1.2. FQDN\Username
1.3. userPrincipalName
2. Confirmed domain trust between source and target domain is in place and validated.
3. Confirmed name resolution in source and target domain is functioning as expected.
4. Confirmed network connectivity between source and target domain controllers as well as source and target exchange servers.
5. Tried to create new Linked Mailbox to account in source forest, can’t select Global Catalogue via the wizard;
Tried to specify the credentials for the account forest and got the following error when tried to select Global Catalog from wizard:
The error talks about the credential. Did you check the credential?
Did you try this command?
New-MoveRequest -Identity "Distinguished name of User in Target Forest" -RemoteLegacy -TargetDatabase "E2K10 Mailbox Database Name" -RemoteGlobalCatalog "FQDN of Source DC" -RemoteCredential $Remote -TargetDeliveryDomain "Target domain name"
http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx
Cheers,
Gulab Prasad
Technology Consultant
-
Beware of Linked Mailbox status - Moving Unity_server mailboxes to Exchange 2010
Hi all -
Here is a problem I encountered that I want to pass along to you:
When partnering Unity to Exchange 2010, the Unity_servername, USBMS_servername, EAdmin, and unitymsgstoresvc inboxes are moved from the old Exchange to the new 2010 server. Using the Exchange Management Console, the users should show up as User Mailboxes, not Linked Mailbox. A Linked mailbox in Exchange 2010 is an external account, i.e. an account in another forest. If this occurs for the Unity_servername mailbox, external caller voice messages remain in UMR (UnityMTA) and you will see many application event log errors. In EMC you will observe the account mailboxes show in Disconnected status.
If this happens to you, here is the fix:
Disable the Account from EMC in Exchange 2010. Note you will get a prompt that the Exchange properties are being removed but the email inbox is NOT deleted.
Re-enable the account from ADUC.
In EMC, go to Disconnected Mailboxes, select the Unity mailbox and select Connect. In the Connect wizard, re-associate with the existing account. Re-enter the user alias and complete the wizard.
Restart AvUMRSynchSvr service on Unity.
Hope this helps someone in the future!
Sincerely, Ginger
Thanks Brad :-) I forgot to mention I discovered a number of Internet hits that say this can happen with Move Mailbox. Here's the link I used to begin researching the problem (hint: go all the way to the bottom of the web page - http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26308671.html). Got to give kudos to this most excellent Exchange resource - has helped me a bunch over the years!
-
Exchange 2010 SP3 outlook prompt password for linked mailbox
Hi All,
I have forest A and forest B, there is an Exchange 2010 SP3 server in forest A, linked mailboxes are created for users inside forest B. Trust relationship can be verified, in place and active. Suddenly, some linked mailbox users got Outlook password prompts repeatedly but OWA and Active Sync are still working fine.
I have reset the Exchange Web Services Virtual Directory, but the issue still persists. Please advise
Regards,
Zaw
ZAW
Step 1: Close Outlook program and create backup of PST file
Step 2: Now run SCANPST.EXE on copy of your PST and repair
SCANPST.EXE is found in these locations according to different Outlook versions:
In MS Outlook 2002/XP: C:\Program Files\Common Files\System\MAPI\ \scanpst.exe
In MS Outlook 2000:C:\Program Files\Common Files\System\MAPI\ \NT\scanpst.exe
In MS Outlook 97/98:C:\Program Files\Common Files\Windows Messaging\scanpst.exe
Note: Do not use the backup option in SCANPST.EXE as you are working with a duplicate copy of the PST file.
Step 3: Then open the command prompt by clicking Start >> Run
Step 4: Paste or type the file path to PST19UP and your PST name: PSTUPG19.EXE-filename.pst
and press Enter.
Step 5: The command line will resemble: “C:\My Documents\pst19upg.exe”- Outlook.pst.
Step 6: A new copy of the PST file will be created, which is called “filename.psx”.
Step 7: Once you have completed, rename the original PST file.
Step 8: Now at the Command Prompt, type “pst19upg.exe- filename.psx” and press Enter
Step 9: A new password-free PST file will be created from PSX file.
Step 10: Now open your MS Outlook program and open the PST file. -
Cannot link mailbox to user in accounts forest
The original forest is a single domain configuration named mydomain.com. A new accounts forest was created named ad.mydomain.com. This domain is *not* a subdomain of the original domain, but a separate domain in a separate forest. This forest also uses a single domain design. (It's a long story) All mailboxes reside in a single mailbox database on an Exchange 2010 server running on Windows Server 2008 R2. I've used the ADMT to migrate some test accounts to the accounts forest. The migration works and the account appears functional, i.e., SID history migrated and the account can still get to shares and files on machines located in the resource forest.
I then use the disable-mailbox and connect-mailbox commands to setup the linked mailbox. My test account is user Joe Doakes (as listed in Get-MailboxStatistics), username is jdoakes, mailnickname is jdoakes and SMTP address is [email protected]
Here is the exact command I am using:
Connect-Mailbox -Identity "Joe Doakes" -Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred
to which the command shell replies-
Confirm
Do you want to connect this mailbox to user "mydomain.com/Testing/Joe Doakes" with the alias "JoeDoakes"?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"):
I've re-entered the credentials for the accounts forest twice. The canonical name above is the name of the now disabled account in the resource forest. If I select Y here, it reconnects to the old account and changes the alias from jdoakes
to JoeDoakes. This behavior is very strange. I have confirmed the distinguished name used is correct. Can anyone point out what I am doing wrong?
TIA
Tom
I wanted to update this post in case anyone else runs into this problem. I wound up opening a support ticket and spent a day and a half on the phone with Microsoft.
This issue was the result of several chance problems and my misinterpretation of the command's results. To start off, when the command comes back to say that it wants to connect the mailbox to "mydomain.com/Testing/Joe Doakes", it really means that it is the disabled account in the Exchange (source) forest to which the mailbox will be connected. It will be "linked" to the account in the accounts forest, but the command does not say that. This behavior is by design. We also found that I have to specify the alias in the command or a new alias is created that concatenates the target account's first and last names. Last, we found that running a number of clean-mailboxdatabase commands was the trick that finally made things work. To recap, the procedure that worked for me was:
1. Disable-mailbox to disconnect the user in the source forest
2. Verify the mailbox is actually disconnected. If it does not show up in the Disconnected Mailbox node in the EMC, run the clean-mailboxdatabase "<database name>" command
3. Disable the source forest user account.
4. Enter the account forest credential ($cred = get-credential)
5. Connect the mailbox to the linked account. This is the command that worked for me:
Connect-Mailbox -Identity "Joe Doakes" -Alias jdoakes -Database "Mailbox Database 0448361937" -LinkedDomainController MEDTMPDC01.ad.mydomain.com -LinkedMasterAccount "CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com" -LinkedCredential $cred
6. The new account may not be able to get to the mailbox without running another clean-mailboxdatabase.
I hope this saves someone else a call to Microsoft. -
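The six steps recapped above, which are also the Disable-Mailbox / Connect-Mailbox conversion given in the earlier answer on this page, written as one Exchange Management Shell script with the verification in step 2 and a final check of the link. This is an added example, not Tom's or Microsoft's script; it assumes Exchange 2010 (where Clean-MailboxDatabase exists), the ActiveDirectory module for step 3, and reuses the thread's sample names as placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell
# of the resource forest. Every value below is a sample name from the thread.
$Alias         = 'jdoakes'
$Database      = 'Mailbox Database 0448361937'
$LinkedDC      = 'MEDTMPDC01.ad.mydomain.com'
$LinkedAccount = 'CN=Joe Doakes,OU=Testing,OU=Accounts,DC=ad,DC=mydomain,DC=com'
$WaitSeconds   = 30   # arbitrary pause after a store cleanup (assumption)

# Record identifiers while the mailbox is still connected.
$mailbox     = Get-Mailbox -Identity $Alias -ErrorAction Stop
$mailboxGuid = $mailbox.ExchangeGuid.ToString()
$samAccount  = $mailbox.SamAccountName

function Test-MailboxDisconnected {
    # True when the store lists the mailbox GUID with a DisconnectDate.
    param([string]$Database, [string]$MailboxGuid)
    $hit = Get-MailboxStatistics -Database $Database |
        Where-Object { $_.MailboxGuid.ToString() -eq $MailboxGuid -and $_.DisconnectDate }
    return [bool]$hit
}

# 1. Disconnect the mailbox from the resource-forest user (mailbox data is kept).
Disable-Mailbox -Identity $Alias -Confirm:$false

# 2. Verify it is really disconnected; if not, force a store cleanup and re-check.
if (-not (Test-MailboxDisconnected -Database $Database -MailboxGuid $mailboxGuid)) {
    Clean-MailboxDatabase -Identity $Database
    Start-Sleep -Seconds $WaitSeconds
    if (-not (Test-MailboxDisconnected -Database $Database -MailboxGuid $mailboxGuid)) {
        throw "Mailbox $mailboxGuid is still not listed as disconnected in '$Database'."
    }
}

# 3. Disable the resource-forest user account.
Import-Module ActiveDirectory
Disable-ADAccount -Identity $samAccount

# 4. Credential for the accounts forest; prompted for, never stored in the script.
$cred = Get-Credential

# 5. Connect the mailbox as a linked mailbox. -Alias is given explicitly so the
#    alias is not regenerated. The confirmation prompt is left on: it names the
#    disabled resource-forest account, which is the expected behaviour.
Connect-Mailbox -Identity $mailboxGuid -Alias $Alias -Database $Database `
    -LinkedDomainController $LinkedDC -LinkedMasterAccount $LinkedAccount `
    -LinkedCredential $cred

# 6. Second cleanup so the store picks up the new association.
Clean-MailboxDatabase -Identity $Database

# Final check: the mailbox should be a LinkedMailbox with a resolved master account.
$linked = Get-Mailbox -Identity $Alias
$linked | Format-List Name, Alias, RecipientTypeDetails, LinkedMasterAccount
if ($linked.RecipientTypeDetails -ne 'LinkedMailbox') {
    Write-Warning "Mailbox is '$($linked.RecipientTypeDetails)', not LinkedMailbox."
}
if ("$($linked.LinkedMasterAccount)" -match '^S-1-5-') {
    # An earlier thread on this page saw Outlook prompting for mailboxes whose
    # LinkedMasterAccount showed only a SID instead of domain\user.
    Write-Warning 'LinkedMasterAccount is an unresolved SID; check the trust and name resolution.'
}
```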
Crystal Report Viewer Credential Prompt for Report with Dynamic Parameters
The .NET Crystal Report Viewer is prompting for database credentials when launching a report containing dynamic parameters. This only occurs for reports created with SAP Crystal Reports 2011 designer. Reports created with Crystal Reports XI designer (where dynamic parameters were first introduced) work correctly.
The credential prompt window contains the following fields:
- Server Name: <server name> (disabled)
- Database Name: <database name> (disabled)
- User Name: <empty> (enabled)
- Password: <empty> (enabled)
- Use Single Signon Key: false (disabled)
The values in the prompt window which are disabled are the database connection values used during the design of the report in the SAP Crystal Reports 2011 designer.
Expected Result:
- No prompt for database credentials.
- Values read from the database should be populated in a drop down for the dynamic parameters.
Environment:
- Visual Studio 2010 (C#)
- Windows 7 Enterprise
- SAP Crystal Reports runtime engine for .NET Framework 4
- SAP Crystal Reports, version for Visual Studio 2010
- SAP Crystal Reports 2011
The database connection is being set to use a DSN. It must be a DSN as the calling application is only aware of the DSN/Username/Password values. These values are being passed to the Crystal Report Viewer contained in a Windows form.
The database connection for the report is being set as follows:
foreach (InternalConnectionInfo internalConnectionInfo in this.report.DataSourceConnections)
{
    // Must set the UseDSNProperties flag to True before setting the database connection otherwise the connection does not work
    if (internalConnectionInfo.LogonProperties.ContainsKey("UseDSNProperties"))
    {
        internalConnectionInfo.LogonProperties.Set("UseDSNProperties", true);
    }
    // Supposed to set the database connection for all objects in the report (ie. main report, tables, sub reports)
    internalConnectionInfo.SetConnection(this.DSN, string.Empty, this.LoginName, this.Password);
}
The SetConnection method's signature is as follows:
SetConnection(string server, string database, string name, string password)
As you can see from the code snippet above I am setting the DSN name as the server parameter, blank for the database parameter (a database connection using DSN should only require DSN name/Username/Password) and the database username and password respectively.
Is this a SAP bug?
Is this the correct way of setting the database connection to use a DSN?
Is there some other properties that need to be set somewhere else in the report through code?
Any help would be greatly appreciated.
Thanks for the pointer to the database connection code generator. After taking a look at the output from the tool I was able to finally get the dynamic parameters to load and populate properly without prompting for credentials. I needed to tweak the outputted code a bit to match my requirements of using a DSN only connection.
Instead of updating the database connection properties contained within the Report.Database.Tables collection from the CrystalReports.Engine namespace, I changed it to replace the database connection properties in the Report.ReportClientDocument.DatabaseController.Database.Tables collection from the CrystalDecisions.ReportAppServer.DataDefModel namespace. For one reason or another, using the RAS namespace solved the problem.
Below is the updated code with the change made:
using RAPTable = CrystalDecisions.ReportAppServer.DataDefModel.Table;

foreach (InternalConnectionInfo internalConnectionInfo in this.report.DataSourceConnections)
{
    // Must set the UseDSNProperties flag to True before setting the database connection
    if (internalConnectionInfo.LogonProperties.ContainsKey("UseDSNProperties"))
    {
        internalConnectionInfo.LogonProperties.Set("UseDSNProperties", true);
    }
    // Sets the database connection for all objects in the report (ie. main report, tables, sub reports)
    internalConnectionInfo.SetConnection(this.DSN, string.Empty, this.LoginName, this.Password);
}

// The attributes for the QE_LogonProperties which is part of the main property bag
PropertyBag innerPropertyBag = new PropertyBag();
innerPropertyBag.Add("DSN", this.DSN);
innerPropertyBag.Add("UserID", this.LoginName);
innerPropertyBag.Add("Password", this.Password);
innerPropertyBag.Add("UseDSNProperties", "true");

// The attributes collection of the tables ConnectionInfo object
PropertyBag mainPropertyBag = new PropertyBag();
mainPropertyBag.Add("Database DLL", "crdb_ado.dll");
mainPropertyBag.Add("QE_DatabaseType", "OLE DB (ADO)");
mainPropertyBag.Add("QE_LogonProperties", innerPropertyBag);

// Pass the database properties to a connection info object
ConnectionInfo connectionInfo = new ConnectionInfo();
connectionInfo.Attributes = mainPropertyBag;
connectionInfo.Kind = CrConnectionInfoKindEnum.crConnectionInfoKindCRQE;
connectionInfo.UserName = this.LoginName;
connectionInfo.Password = this.Password;

// Replace the database connection properties of each table in the report
foreach (RAPTable oldTable in this.report.ReportClientDocument.DatabaseController.Database.Tables)
{
    RAPTable table = new RAPTable();
    table.ConnectionInfo = connectionInfo;
    table.Name = oldTable.Name;
    table.QualifiedName = oldTable.QualifiedName;
    table.Alias = oldTable.Alias;
    this.report.ReportClientDocument.DatabaseController.SetTableLocation(oldTable, table);
}
this.report.VerifyDatabase();
Thanks again Ludek for the help. -
Need help on Cross Forest Exchange 2007 - 2013 with Linked Mailboxes
Hey all,
So I'm in a bit of a pickle with my Exchange design and am trying to figure out if there's a way to migrate mailboxes across forests where Linked mailboxes are being used. I've done a bit of reading and have noted stuff like preparing the move request in AD, etc. But I'm wondering if someone can break it down for me.
http://1drv.ms/1lWjLqG
The above is a OneNote diagram of how we have moved over time. Please forgive my sloppy handwriting but I hope it gets the point across. I will text it out here as well:
Original Design
The original design of the domains when I joined the company were fabrikam and contoso. Contoso is a domain that sits entirely in the "DMZ". Fabrikam was the internal AD forest where most services and users authenticated to. In Contoso, there are 2 domain controllers, the "Front End" Exchange Server (Edge Transport), and the "Back End" server, which is CAS/Mailbox.
There is a forest trust between contoso and fabrikam where "Linked Mailboxes" are created in Contoso, and then the LinkedMasterAccount is set to Fabrikam.
Migration/Hybrid Design
Due to the fact that these two domains were configured massively inappropriately, riddled with security holes as well as strange permissions configurations, the decision was made to create a new internal AD domain. In my OneNote, I've labeled this 'specialbank.com'.
A long while ago we migrated users from Fabrikam to SpecialBank via trusts. To facilitate access to Exchange, a new trust was created between Contoso and SpecialBank to allow us to update the LinkedMasterAccount parameter to the new Specialbank domain.
We have most of our users authenticating to their mailboxes via SpecialBank, while the mailboxes still reside in Contoso.
Migration from Exchange 2007 to Exchange 2013
I am attempting to now figure out the best way to migrate the mailboxes from Contoso to a new set of Mailbox servers in SpecialBank. This will also be an upgrade from Exchange 2007 (Current) to an Exchange 2013 installation.
The latest Service Packs and CUs are installed in both.
What would be the best procedure to move these mailboxes? To my knowledge, the current best practice/recommended way is to perform a user/SID migration from Contoso to SpecialBank. But I already have accounts in SpecialBank that users are actively using.
I'm not opposed to doing a simple PST export from Contoso to SpecialBank, but we're looking at around 120 mailboxes. So I'm trying to make my life a little easier instead of spending a weekend here.
If I try to do it in batches, I need to figure out how to handle autodiscover and CAS. Since I'm creating an entirely new Exchange environment, I'm trying to limit what I place in the existing configuration. But I'm not opposed to setting up something temporarily
if I need to in order to make the migration transparent to users.
Can anyone help?
Hi,
From your description I came to know that Contoso is the resource forest and SpecialBank is the account forest.
You just wanted to migrate the linked mailboxes from the resource forest to the account forest, and you would also want the migrated mailboxes to be merged with the respective user accounts in the account forest to become normal user mailboxes. Am I right?
Please correct me if I am wrong. I have found some blogs on the internet; please have a look into them, especially the first one.
http://www.outlookforums.com/threads/60210-cross-forest-mailbox-move-and-linked-mailbox/
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27974905.html
Regards
S.Nithyanandham
Thanks S.Nithyanandham -
Outlook Negotiate/NTLM authentication credential prompt
Hello everyone,
I have been digging quite a while now for a solution to this but apparently there is not a lot of systems out there utilizing this or having problems with it. Here it comes:
We have a pure (no migration or coex) Exchange 2013 CU7 environment in production with 3 x CAS/MBX Servers (3 sites connected via WAN VPN). Inside our network our outlook clients (2013 SP1+) authenticate via Kerberos (ASA/SPN) to the Exchange Servers and
connect via MAPI over HTTP. Everything working fine!
External is a different story: We have an Application Request Routing (ARR) machine in our perimeter network that forwards external users to the Exchange Servers and for a reason that I didn't manage to find yet I can't get it to work so that domain joined clients
(notebooks) that are outside the company's LAN would use their cached credentials to try to authenticate outlook against the Exchange Servers. Outlook always prompts the user for her/his password on start up and then connects fine. No problems after that -
PF, OoO, OAB - everything is working. If the user restarts the outlook -> password prompt once again and fine after that. Saving the credentials works but is obviously not the way NTLM/Negotiate is supposed to work.
So here is my progress on this:
I verified my virtual directory settings. Here is how the Mapi virtual directory looks like:
IISAuthenticationMethods : {Negotiate}
InternalUrl : https://mail.domain.com/mapi
InternalAuthenticationMethods : {Negotiate}
ExternalUrl : https://mail.domain.com/mapi
ExternalAuthenticationMethods : {Negotiate}
I've set everything to Negotiate because we don't have legacy Exchange Servers nor legacy mail clients in our network. I tried setting it to NTLM only which made the problem shift. Test clients connect to exchange and are able to view/receive mails but got
the infinite credential prompt and weren't able to access PF, OoO and OAB. Setting it to NTLM and Negotiate produces the same result as Negotiate alone.
Browsing https://autodiscover.domain.com/Autodiscover/Autodiscover.xml with IE (autodiscover URL set in intranet settings) gave the expected error code 600 without prompting for credentials. Even Firefox (network.negotiate-auth.trusted-uris set to domain.com)
is utilizing cached windows credentials and is able to log on to autodiscover and OWA with windows authentication enabled.
When a client has a valid Kerberos ticket cached (cmd -> klist) Outlook uses that ticket successfully even from outside the network but as soon as the ticket is gone (sign out and sign back in) Outlook prompts for user credentials again.
"Show connection status" in Outlook and the HttpMapi log on the CAS both show that Negotiate has been used for the connection. But why the password prompt then?
I read up on IIS ARR and it seems that it just passes through the authentication information when set to "anonymous authentication" which it is.
Now, how I understand the auth method Negotiate in Exchange 2013 is that Outlook and the server try to handshake on the strongest auth mechanism available in the following order: Kerberos -> NTLM -> Password Prompt (Basic/NTLM), but in my case this doesn't apply.
Now I would appreciate it very much if someone could educate me in how this is supposed to work and, if there is a mistake in my configuration or my understanding of the authentication process, correct it.
A great day to everyone!
Vasko
I don't have a ton of experience using something like ARR, but we should do some testing. The first thing I would try is to route around the ARR in the DMZ and connect directly to Exchange from externally. This SHOULD let us know where the problem lies. If it succeeds (no auth prompts) then the issue is on the ARR and not Exchange. If it fails, then the issue is with the ARR and that needs to be looked at a little more clearly.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread -
Preserve mailbox permissions after converting to linked mailboxes
Hello,
I am converting normal user mailboxes to linked mailboxes in Exchange 2007 SP3. After a pilot, we found that the linked accounts no longer had access to shared mailboxes (the shared mailboxes will NOT be converted into linked accounts). The Full Access ACL references the OLDDOMAIN\username AD account. Manually adding NEWDOMAIN\username to the ACL fixes things. Is there an easy way to export the Full Access and Send As permissions for the shared mailboxes and switch them to NEWDOMAIN\username with PowerShell? I have a feeling this will involve a lot of data manipulation with Excel. Too bad there is no ADMT style security translation tool for Exchange mailboxes!
It's definitely possible to do this entire task via a PowerShell script but I'd need to spend some time to write it... ;)
But well, here is another quick way I can suggest, it's a two step process...
1. Export Full Access and Send-As to CSV files separately by following this Exchange Powershell Tip #09
2. Now you have two files, replace the domain name in the exported CSV files.
3. Import the permissions back using this...
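# Re-add Full Access from the edited CSV (the user column now holds NEWDOMAIN\username)
$FullAccess = Import-Csv mailboxaccess.csv
$FullAccess | ForEach-Object { Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights $_."Access Rights" }
# Re-add Send As; ExtendedRight is the ActiveDirectoryRights value used together with -ExtendedRights
$SendAs = Import-Csv sendas.csv
$SendAs | ForEach-Object { Add-ADPermission -Identity $_.Identity -User $_.User -AccessRights ExtendedRight -ExtendedRights $_."Access Rights" }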
Blog |
Get Your Exchange Powershell Tip of the Day from here -
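The export, translate and re-import steps from the answer above can also be done in one pass without the CSV round trip. The following is an added example, not code from the thread: the domain names, the report file name and the helper Convert-Principal are assumptions, and it assumes user names are identical in both domains. It only copies explicit allow entries and runs the changes with -WhatIf so the plan can be reviewed first.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumptions: domain names, report path, identical user names in both domains.
$OldDomain  = 'OLDDOMAIN'
$NewDomain  = 'NEWDOMAIN'
$ReportPath = '.\shared-mailbox-acl-plan.csv'   # hypothetical file name

# Hypothetical helper: map OLDDOMAIN\user to NEWDOMAIN\user.
function Convert-Principal([string]$User) {
    return $NewDomain + '\' + $User.Split('\')[1]
}

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$plan = foreach ($mbx in $shared) {
    $dn = $mbx.DistinguishedName

    # Full Access: explicit allow entries only; inherited and Deny ACEs are not copied.
    Get-MailboxPermission -Identity $dn |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User.ToString() -like "$OldDomain\*" -and
                       ($_.AccessRights -match 'FullAccess') } |
        Select-Object @{n='Mailbox';e={$dn}}, @{n='Right';e={'FullAccess'}},
                      @{n='OldUser';e={$_.User.ToString()}},
                      @{n='NewUser';e={Convert-Principal ($_.User.ToString())}}

    # Send As is an extended right on the AD object, not a mailbox permission.
    Get-ADPermission -Identity $dn |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User.ToString() -like "$OldDomain\*" -and
                       ($_.ExtendedRights -like 'Send-As') } |
        Select-Object @{n='Mailbox';e={$dn}}, @{n='Right';e={'Send-As'}},
                      @{n='OldUser';e={$_.User.ToString()}},
                      @{n='NewUser';e={Convert-Principal ($_.User.ToString())}}
}

# Keep a reviewable record of every grant that is about to be duplicated.
$plan | Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($p in $plan) {
    if ($p.Right -eq 'FullAccess') {
        Add-MailboxPermission -Identity $p.Mailbox -User $p.NewUser -AccessRights FullAccess -WhatIf
    } else {
        Add-ADPermission -Identity $p.Mailbox -User $p.NewUser -AccessRights ExtendedRight -ExtendedRights 'Send-As' -WhatIf
    }
}
```

Remove -WhatIf once the CSV has been checked; the old OLDDOMAIN entries stay in place until they are removed separately.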
I am administering Exchange 2013 in an organization where we have two separate forests with two separate Exchange 2013 servers. There is an AD trust between the forests. Each user has two mailboxes connected in Outlook, one from forest A and one from forest B. Let's say [email protected] and [email protected]. There is a plan that users from forest A will use and have only one mailbox connected in Outlook and get all email data on the Exchange server within forest A. What is the best approach to do it smoothly? We do not want to remove the email addresses from forest B because a lot of people outside the company know only this email address as a contact point.
I am thinking about creating linked mailboxes. Any other ideas or advice?
Hi,
Just remove the email address (i.e. [email protected]) from the mailbox in forest B and add it as a secondary SMTP address on the mailbox residing in forest A.
In case you don't want the mailbox for user 1 in forest B, you can simply delete it instead of removing the email address.
Note: You cannot simply remove the email address (i.e. [email protected]) from the mailbox of user 1 in forest B if it is set as the primary SMTP address. In that case, just make some dummy email address the primary SMTP address, then remove the address [email protected] and add it as a secondary SMTP address on the user 1 mailbox in forest A.
Please feel free to reply to me if you have any queries.
Thanks & Regards S.Nithyanandham -
Hi all,
I've got a Windows 7 Pro SP1 64Bit machine, connected to a SBS2008 domain, which is exhibiting a strange issue.
In the last month or so, one user has complained about being prompted for credentials when opening documents from a mapped drive. Even if he enters the correct credentials, it keeps on prompting, almost like the incorrect credentials have been entered.
The strange thing is, this only happens when Outlook 2010 is open. With Outlook closed, the user can open the documents without any issues, and no credential prompts.
The user can log in to the machine, browse the shares and open documents, providing Outlook is not open.
I've recreated his Windows profile, and the issue appeared to have gone away, but now, two weeks later the issue has reoccurred.
I've tried opening a Word document, and am being prompted for credentials. If I cancel the request, I get a pop-up error saying - "The Internet address 'http://servername/share/docname' is not valid."
As mentioned, I've recreated the user profile, Outlook profile, opened Outlook in safe mode, and disabled all the add-ins, but still have this issue when Outlook is open.
Any help would be greatly appreciated.
Cheers
Jéan
It sounds like the user is changing passwords after having had Windows store them for him. Windows will keep trying to connect with the old password, then fail and prompt for the new one. Try clearing out the stored passwords:
In Control Panel click Credential Manager, find the appropriate credentials (Outlook, Windows, possibly others), click the dropdown arrow and then click Remove from Vault.
Good luck! -
Outlook 2013 Auto Account Setup for Linked Mailbox Not working
We've created a linked mailbox, in Exchange 2013 (in domain1), for a user in another AD forest, domain2. We have the AutoDiscover service configured in the other AD forest as well. Our only issue now is trying to find a way to get the Outlook Auto Account
Setup to automagically configure a user's profile the first time Outlook 2013 is started. If we type in the user's email address and name and click Next, the profile is created successfully.
I spoke to Microsoft support who helped me confirm that AutoDiscovery was configured correctly in the other forest. Reading this information (
https://technet.microsoft.com/en-us/library/bb124251.aspx ) on AutoDiscover, I found what may be the issue. It notes that
"If the Outlook client is joined to a domain, the user's domain account is used."
Since the linked mailbox is associated with domain1, Outlook looks like it cannot use the domain account from domain2. I wonder if there might be a registry hack to bypass this and force Outlook clients in domain2 to look at email addresses in domain1?
Orange County District Attorney
Hi,
According to your description, I noticed that “If we type in the user's email address and name and click Next, the profile is created successfully”. Do you mean the linked mailbox can be set up automatically when you fill in the Name and E-mail Address in the Auto Account Setup page? For example:
If that is the case, the autodiscover service on the Exchange side should be configured correctly and it is working for automatic account setup in the Outlook client.
If the account can’t be set up automatically when using the autodiscover service, please verify that the Master Account (Domain2\User1) has full access to the Linked Mailbox ([email protected]) as well as the SMTP address using the cmdlets Get-Mailbox and Get-MailboxPermission on the Exchange server:
Get-Mailbox [email protected] | fl PrimarySmtpAddress,*Type*,*Link*
Get-MailboxPermission [email protected] | fl
Regards,
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Winnie Liang
TechNet Community Support