Outlook Anywhere, NTLM, TMG, password prompt but cancels works?
I've managed to get NTLM authentication working with TMG and Exchange 2010 (Make sure you switch your Application Pool for the RPC app over to a local system!). We also run Lync.
So here is the thing. I log into a domain laptop with cached credentials and then connect to a Verizon access point. Now Lync connects automatically no password needed. Then I open Outlook which connects no problem no password needed!
Awesome that is what I wanted. Then after about 30 seconds......password prompt. If I enter the password everything is good. If I click cancel the little need password icon is displayed down at the bottom of Outlook. I click on that and Outlook reconnects without me ever having to enter a password.
I have been watching the log on the TMG server and I don't see anything odd going on other than an occasional Status 64 The specified network name is no longer available error which I understand from other posts is by design.
It's not a show stopper by any means but I just don't understand what is going on here. Anyone have any ideas?
Hello,
Firstly, please test Outlook Anywhere in an internal environment:
On an internal Outlook client, check “On fast networks, connect using HTTP first, then connect using TCP/IP”.
If the issue does not work, the issue is related to the TMG, you may need to inquire on the TMG forum for more accurate suggestions.
Thanks,
Simon Wu
Exchange Forum Support
Similar Messages
-
Exchange 2007 to 2013 Migration Outlook Anywhere keeps asking password
Hi all,
I'm migrating an Exchange 2007 Server with all roles installed on a Windows Server 2008 R2 to 2 Exchange 2013 SP1 Servers (1 CAS and 1 Mailbox) installed on Windows Server 2012 R2.
I installed Exchange 2007 SP3 RU13 for coexistence and everything was OK until I switched to the new 2013 CAS.
After that the client using Outlook Anywhere started asking for password.
I configured the Outlook Anywhere with these settings:
Exchange 2007:
OA Hostname mail.domain.com
Client Authentication NTLM
IISAuthentication Basic, NTLM
SSL Required True
Exchange 2013
OA Hostname mail.domain.com
Client Authentication NTLM (Both internal and external)
IISAuthentication Basic, NTLM
SSL Required True (both internal and external)
Before switching to 2013 Cas everything works smoothly and the Outlook clients receive NTLM as HTTP Proxy authentication.
After switching to 2013 Cas, test users migrated on 2013 Mailbox Server are ok, but Outlook users on Exchange 2007 Server get Basic as HTTP Proxy authentication and continue asking for credentials.
On the Exchange 2007 server I configured the hosts file to resolve servername and servername.domain.local with the IPv4 address to avoid issues regarding IPv6 with OA in Exchange 2007.
Using Microsoft Connectivity Test I receive the error "RPC Proxy can't be pinged - The remote server returned an error: (500) Internal Server Error"
Any Ideas?
Thanks for your Help
Run this and post the result
https://testconnectivity.microsoft.com/
Cheers,
Gulab Prasad
Technology Consultant
-
Outlook Negotiate/NTLM authentication credential prompt
Hello everyone,
I have been digging quite a while now for a solution to this but apparently there are not a lot of systems out there utilizing this or having problems with it. Here it comes:
We have a pure (no migration or coex) Exchange 2013 CU7 environment in production with 3 x CAS/MBX Servers (3 sites connected via WAN VPN). Inside our network our outlook clients (2013 SP1+) authenticate via Kerberos (ASA/SPN) to the Exchange Servers and
connect via MAPI over HTTP. Everything working fine!
External is a different story: We have an Application Request Routing (ARR) machine in our perimeter network that forwards external users to the Exchange Servers and for a reason that I didn't manage to find yet I can't get it to work so that domain joined clients (notebooks) that are outside the company's LAN would use their cached credentials to try to authenticate Outlook against the Exchange Servers. Outlook always prompts the user for her/his password on start up and then connects fine. No problems after that - PF, OoO, OAB - everything is working. If the user restarts Outlook -> password prompt once again and fine after that. Saving the credentials works but is obviously not the way NTLM/Negotiate is supposed to work.
So here is my progress on this:
I verified my virtual directory settings. Here is how the Mapi virtual directory looks like:
IISAuthenticationMethods : {Negotiate}
InternalUrl : https://mail.domain.com/mapi
InternalAuthenticationMethods : {Negotiate}
ExternalUrl : https://mail.domain.com/mapi
ExternalAuthenticationMethods : {Negotiate}
I've set everything to Negotiate because we don't have legacy Exchange Servers nor legacy mail clients in our network. I tried setting it to NTLM only which made the problem shift. Test clients connect to Exchange and are able to view/receive mails but got the infinite credential prompt and weren't able to access PF, OoO and OAB. Setting it to NTLM and Negotiate produces the same result as Negotiate alone.
Browsing https://autodiscover.domain.com/Autodiscover/Autodiscover.xml with IE (autodiscover URL set in intranet settings) gave the expected error code 600 without prompting for credentials. Even Firefox (network.negotiate-auth.trusted-uris set to domain.com) is utilizing cached Windows credentials and is able to log on to autodiscover and OWA with Windows authentication enabled.
When a client has a valid Kerberos ticket cached (cmd -> klist) Outlook uses that ticket successfully even from outside the network but as soon as the ticket is gone (sign out and sign back in) Outlook prompts for user credentials again.
"Show connection status" in Outlook and the HttpMapi log on the CAS both show that Negotiate has been used for the connection. But why the password prompt then?
I read up on IIS ARR and it seems that it just passes through the authentication information when set to "anonymous authentication" which it is.
Now how I understand the auth method Negotiate in Exchange 2013 is that Outlook and the Server try to handshake on the strongest auth mechanism available in the following order: Kerberos -> NTLM -> Password Prompt (Basic/NTLM) but in my case this doesn't apply.
Now I would appreciate it very much if someone could educate me in how this is supposed to work and if there is a mistake in my configuration or my understanding of the authentication process correct it.
A great day to everyone!
Vasko
I don't have a ton of experience using something like ARR, but we should do some testing. The first thing I would try is to route around the ARR in the DMZ and connect directly to Exchange from externally. This SHOULD let us know where the problem lies. If it succeeds (no auth prompts) then the issue is on the ARR and not Exchange. If it fails, then the issue is with the ARR and that needs to be looked at a little more clearly.
-
Outlook 2010 users getting Password Prompt until shared mailboxes are removed
Hi,
some (around 20) of my 3000 Outlook 2010 users are getting Password Prompts while using Outlook.
This started end of last week without any change to the environment.
The prompt goes away if we unmount and remount additional mailboxes they have mounted.
Any idea what could be causing this or where to start debugging?
Backend is Exchange 2013 and 2007 in migration.
Thanks for every idea
Hi,
How did you mount additional mailboxes? Via File > Account Settings > Account Settings > Double-click the Exchange account > More Settings > Advanced tab > Add?
Are the additional mailboxes hosted on the same version of Exchange server with those mailboxes with the password prompting issue? If this is the case, this issue often happens if you have a hybrid deployment of Exchange Server. To resolve the issue, please have a look at the following KB article and follow the instructions to fix it:
https://support.microsoft.com/kb/2834139?wa=wsignin1.0
Please let me know the result.
Regards,
Steve Fan
TechNet Community Support
-
Outlook client can't connect in but OWA works
You need to make sure your OutlookAnywhere and AutoDiscover settings are setup properly along with Split-DNS. OutlookAnywhere and Split-DNS are vital for future-proofing your Exchange configuration and making it work properly now, regardless if you use Exchange 2007, 2010, or 2013. For Exchange 2013, OutlookAnywhere is a requirement and Split-DNS is Best Practice. If you are on Exchange 2007 or 2010, and you do not have OutlookAnywhere enabled, enable OutlookAnywhere and follow this guide. You should always use NTLM over Basic authentication, as Basic sends the username and password in the clear, and NTLM is Windows Authentication. On Exchange 2013, you also have a new option called Negotiate, which is recommended. As you follow this guide, you will set the ClientAuthenticationMethod (Internal and External if on Exchange 2013) to NTLM...
Outlook client can't connect in configured outlook on workstation but OWA works.
This topic first appeared in the Spiceworks Community -
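The distinction this guide draws between Basic, NTLM and Negotiate, and the earlier thread's question of what a "Negotiate" connection really used, can be checked on a captured `Authorization` header. The following is an added example, not code from the original posts: the function name and sample values are constructed, the sample tokens are fragments rather than complete tokens, and the Kerberos check is a heuristic on the token layout.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded Kerberos mechanism OIDs as they appear inside SPNEGO tokens.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft value)
)
KRB_AP_REQ = b"\x01\x00"  # token id that follows the OID in a Kerberos AP-REQ


def classify_authorization(value):
    """Return (scheme, mechanism, note) for one Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return scheme, "unknown", "token is not valid base64"

    if scheme == "basic":
        # Basic is "user:password" in base64: an encoding, not encryption.
        user = raw.split(b":", 1)[0].decode("utf-8", "replace")
        return scheme, "basic", f"password for {user!r} is only base64-encoded"

    if scheme in ("ntlm", "negotiate"):
        # Negotiate is a wrapper: it can carry NTLM (raw or inside SPNEGO)
        # or Kerberos, so the scheme name alone does not say which was used.
        pos = raw.find(NTLM_SIG)
        if pos != -1 and len(raw) >= pos + 12:
            (msg_type,) = struct.unpack_from("<I", raw, pos + 8)
            wrapper = "raw" if pos == 0 else "inside SPNEGO"
            return scheme, "ntlm", f"{wrapper} NTLM {NTLM_TYPES.get(msg_type, msg_type)}"
        if any(oid + KRB_AP_REQ in raw for oid in KRB5_OIDS):
            return scheme, "kerberos", "SPNEGO token carrying a Kerberos AP-REQ"
        return scheme, "unknown", "no NTLM or Kerberos token recognised"

    return scheme, "unknown", "scheme not handled here"


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed header values (not captured traffic).
SAMPLES = {
    "basic": "Basic " + _b64(b"user.one:not-a-real-password"),
    "ntlm": "NTLM " + _b64(NTLM_SIG + struct.pack("<I", 1) + b"\x00" * 4),
    "negotiate_ntlm": "Negotiate " + _b64(NTLM_SIG + struct.pack("<I", 3) + b"\x00" * 52),
    "negotiate_krb": "Negotiate " + _b64(
        b"\x60\x82\x01\x00" + bytes.fromhex("06062b0601050502") + b"\xa0\x30"
        + KRB5_OIDS[0] + KRB_AP_REQ + b"\x6e\x00"
    ),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_authorization(header))
```

A client that shows "Negotiate" in its connection status but yields `ntlm` here has fallen back from Kerberos, which is the case to investigate when prompts appear only outside the LAN.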
User name password prompt is not working
Hi Experts,
I have a screen in a BSP application in which , I have two links.
These two links are the links to the screens of a different BSP application for which default username password is not set.
But when I clicked the first link it's prompting for the user name and password but it's not happening for the second link.
It's also vice versa.
I checked the below link which explains about the way password details are prompted but I am not sure of how to handle this and have the prompt for username and password for both the links.
http://help.sap.com/SAPHELP_470/Helpdata/EN/5a/f8b53a364e0e5fe10000000a11405a/frameset.htm
Your inputs will be helpful.
Regards,
Gopal
Hi,
this sounds like a case for Single Sign On, especially if you're calling your 3 applications from the Enterprise Portal. You have to talk to your administrators for EP and SAP, since it is a complicated task.
Try this link for more about the user and this link for SSO.
After entering username and password for the first time, somehow the information remains alive even when you close your BSP application and call another one. This is a very bad security case if you're moving your applications into production. -
Can it be possible to disable outlook anywhere for some few users who are working from home ?
One of my customers wants to disable Outlook Anywhere for some of the users who are working from home. They have Exchange Server 2013 on their premises and also have Outlook 2010/2013 on their client machines. Please advise?
Hi,
In Exchange 2013, all Outlook connectivity (Internal and External) are using Outlook Anywhere anyways. It is not recommended to use the following command to disable Outlook Anywhere for a specific user:
Set-CASMailbox UserA -MAPIBlockOutlookRpcHttp $True
If you disable it, the UserA would not be able to access the mailbox from both Internal Outlook client (Office) and external Outlook client (Home).
For your requirement about disable Outlook anywhere for some few users instead of all external users, there seems to be no method to achieve it directly in Exchange server. Sorry for any inconvenience.
Regards,
Winnie Liang
TechNet Community Support -
Outlook anywhere can RPC from external but cannot authenticate with AD
HI all,
Recently, I have this weird problem surfacing and it has been bugging me ever since. Let me start off with our current setup: we have 2 CAS/HUB running on NLB and 2 MB on CCR. All 4 are installed with E2007 SP2. We have users accessing their mailbox internally and externally. We used a self-signed certificate for all users so that they can use Outlook when they are not in the office. All was working fine for a few years when one day, one user bought a new notebook for us to configure. Following the procedure like we had done numerous times, it then prompted the "Outlook has to be online" error while using the external network. After checking all the Outlook over RPC settings and everything, all are configured according to the plan and nothing has been changed. Internal network (i.e. using the company network) all is OK.
Firewall has not been meddled with so I am not too sure it could be the problem. ( because other external users on their existing system are ok ).
Can anyone kindly advise?
Thanks
Eric
Does the new computer trust the self-signed certificate?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
Publish Exchange 2013 OWA + Active Sync + Outlook Anywhere using TMG 2010
We plan to publish our new Exchange 2013 SP1 servers (3 in DAG) outside corporate network using TMG 2010. I am looking for some guide how to do it in the proper way. What I found is little old and does not take into consideration Exchange 2013
SP1
http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
Any advice how to publish Exchange 2013 OWA using form-based authentication and how to use Kerberos Constrained Delegation?
Hi,
The blog below describes some scenarios about publishing Exchange. You could have a look the Scenario 2.
Exchange publishing after TMG/UAG
http://dizdarevic.ba/ddamirblog/?p=168
Best Regards,
Joyce
-
I have got a Macbook pro retina.
I have done 2 partitions on the SSD drive. 1 for the OS and 1 for the user (with a kind of ln -s /Home/myself /Volume/Part2/myself
I was watching a movie (with VLC) in full screen for a while and I wanted to escape. Impossible, and impossible to reboot.
When I start, I have a directory with a question mark.
I have a Open firmware passwords set (that I remember).
I cannot reset PRAM. (I cannot change the RAM amount inside the computer as this is a retina model)
I cannot start in verbose mode.
I can choose a disk to boot. I see only the OS drive and not the user partition, and no 'recovery partition'. It seems that i need to do a fsck -yff on the user partition but how ?
I can start the OS partition, and i can choose 'guess' or 'myself'. If i choose myself, I have an error message :'there is a error, the session can not start'. If I start with the guess account, I restart, and then I can browse the internet with safari (this is how I am writing this text!)
=> How can i repair the partition ? (open a terminal, boot in single user mode ...?)
best regards.
Actually, the recovery partition was there, but was not shown as my user partition. I have seen that resetting the PRAM and changing the RAM could remove the open firmware password. So I turned the computer on until the battery was empty. Then I booted about 20 times, and unplugged the power supply after a few seconds at different steps of the booting process. At last, the screen default resolution when booting changed, I understood that I succeeded, and I was able to enter.
Then I boot in single user mode, removed the open firmware password, activated the root user, and everything was fine now ! -
Restore from backup asks for password
Did you have an exchange account on your phone? If so, try that password.
Passwords don't set themselves. Again, if you can't remember the password then there's nothing to be done. The data can't magically re-encrypt. -
Outlook Anywhere Password Prompts - Only on certain external networks
I am running a standalone Exchange 2007 SP3 server on Windows Server 2008. I have published Outlook Anywhere via ISA 2006. Outlook Anywhere is configured for Basic Authentication. All clients are using Windows 7 with Outlook 2007 with latest
service pack. This is not a new configuration, I have been running this for quite some time.
I have a strange issue going on. The issue is that Outlook Anywhere users receive a prompt for their username and password ONLY when they are connected to certain external networks. Users began reporting this several months back. It happens on
all mobile users that I have tested with.
Basically, what happens is a user takes their domain joined laptop out to another work site. This site is not connected to our network. The IT department of the site connects my user's laptop to their network. User then starts Outlook, Outlook connects via HTTPS as it should, down in the bottom of Outlook it shows that it is connected to Exchange. However, within usually about 30 seconds the password prompt comes up. User puts password in and clicks remember and OK, but the password box comes right back up. Sometimes it will accept the password and run for a little while but then prompt again.
If I check Outlook Connection Status it displays that connections are established via HTTPS as they should be. Latency isn't too high averaging about 150 - 300ms.
If the user clicks Cancel instead of entering their password, Outlook will continue to run and it can send and receive email. Connection status still will show connected. However, if the user opens the address book and tries to access one of our
Address lists other than the GAL, then Outlook displays a message stating the user doesn't have permission. If the user clicks need password at the bottom and then enters their password at the prompt the address book will work.
This happens at several work sites, each different networks. My first thought is some sort of firewall issue at the sites but the IT at the sites say there should be no firewall blocking going on.
I have tested probably 5-6 other wifi networks, both public and private and Outlook Anywhere works perfectly on everything but these few work sites.
I have used testexchangeconnectivity.com at the sites and it tests fine. I have cleared the cached credentials from "Manage Windows Credentials".
Any assistance is appreciated. -
Audit failures on Exchange 2010 and password prompts in outlook
Starting last Thursday after I patched my domain controllers and other Windows systems and rebooted my Outlook users are being prompted for username/password continuously and my Exchange security logs reflect audit failures for NTLM which I think is triggering
the prompt. The same users also have an audit success via Kerberos.
If the password prompt is cancelled Outlook can send and receive email just fine but the box continues to pop up occasionally.
I've worked on this for several days now and can't figure it out. The audit logs on the DC's are clean with no audit failures.
The issue is also affecting Visual Studio users who log into a Team Foundation Server, they are continually prompted for credentials and can't get in and the audit logs show the same thing.
I don't think this is an Exchange specific issue but more of a broader authentication problem.
Can anyone shed any light on this?
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: mart.marc
Account Domain: AOF
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: AOG-LP047
Source Network Address: 10.10.1.159
Source Port: 50075
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Hi,
It is a known issue if you install the following security updates on March 10, 2015:
http://support.microsoft.com/en-us/kb/3002657
The user would be prompted with credentials when NTLM is used to authenticate these Active Directory domain users and services.
We can remove this patch from all the DCs manually and check whether the issue persists.
Regards,
Winnie Liang
TechNet Community Support -
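To see how widespread failures like the one quoted in this thread are, exported 4625 event text can be grouped by account and workstation and split by sub status: `0x0` gives no credential-specific reason, as in the post, while `0xc000006a` means a wrong password. This is an added example, not code from the original posts; the function names, accounts, workstation names and address are constructed, and it also handles sub status codes beyond the one shown in the thread.

```python
from collections import Counter

MARKER = "An account failed to log on."
TARGET = "Account For Which Logon Failed"
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000064": "STATUS_NO_SUCH_USER",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed template following the layout of the event quoted in the post.
TEMPLATE = """An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Logon Type: {logon_type}
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: {user}
Account Domain: EXAMPLE
Failure Information:
Status: 0xc000006d
Sub Status: {sub}
Network Information:
Workstation Name: {ws}
Source Network Address: 192.0.2.10
Detailed Authentication Information:
Authentication Package: {package}
"""

# Constructed sample: three NTLM network logon failures and one Kerberos event.
SAMPLE_LOG = "".join(TEMPLATE.format(**e) for e in [
    dict(user="user.one", ws="WS-001", sub="0x0", package="NTLM", logon_type=3),
    dict(user="user.one", ws="WS-001", sub="0x0", package="NTLM", logon_type=3),
    dict(user="user.two", ws="WS-002", sub="0xC000006A", package="NTLM", logon_type=3),
    dict(user="user.one", ws="WS-001", sub="0x0", package="Kerberos", logon_type=3),
])


def parse_event(text):
    """Map (section, key) -> value; a 'Name:' line with no value opens a section."""
    section, fields = None, {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        if value.strip() == "":
            section = key.strip()
        else:
            fields[(section, key.strip())] = value.strip()
    return fields


def split_events(log_text):
    return [parse_event(part) for part in log_text.split(MARKER)[1:]]


def field(ev, key, section=None):
    """First value for key, optionally restricted to one section."""
    for (sec, k), value in ev.items():
        if k == key and section in (None, sec):
            return value
    return None


def triage(log_text):
    """Count NTLM network (type 3) logon failures per (account, workstation)."""
    summary = {}
    for ev in split_events(log_text):
        if field(ev, "Authentication Package") != "NTLM" or field(ev, "Logon Type") != "3":
            continue
        account = "{}\\{}".format(field(ev, "Account Domain", TARGET) or "?",
                                  field(ev, "Account Name", TARGET) or "?")
        status = (field(ev, "Status") or "").lower()
        sub = (field(ev, "Sub Status") or "").lower()
        # Prefer the sub status when it names a specific reason.
        reason = NTSTATUS.get(sub if sub not in ("", "0x0") else status, "unknown")
        who = (account, field(ev, "Workstation Name") or "?")
        summary.setdefault(who, Counter())[reason] += 1
    return summary


if __name__ == "__main__":
    for who, reasons in triage(SAMPLE_LOG).items():
        print(who, dict(reasons))
```

Many accounts failing with only the generic status points to a platform-wide NTLM problem such as the one described in the reply, whereas wrong-password or lockout sub statuses concentrated on a few accounts call for a different investigation.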
Outlook Anywhere Continues to Prompt for User Credentials
Hi,
Our Outlook AnyWhere clients continually get prompted to enter their user credentials while in Outlook. We've tested connecting to Outlook AnyWhere from the Internet and from our internal network. We're using Exchange 2007 SP3.
Hi,
Please run the following command to check the Authentication configuration for your Outlook Anywhere in Exchange 2007:
Get-OutlookAnywhere | FL
If the configuration is not correct, please run:
Set-OutlookAnywhere -Identity "E12-01\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,Ntlm
In Outlook client, please configure to use Ntlm Authentication in the Connections tab of Account Settings.
Regards,
Winnie Liang
TechNet Community Support -
Exchange 2013 external outlook autodisover password prompt
I've set up a new infrastructure for our network with a 2k12 DC and a 2k12 member running Exchange 2013. The internal domain is set up like ad.domainname.com and I've configured mailflow for domain.com on Exchange which works perfectly. Internal autodiscover
works like a charm and with https://testconnectivity.microsoft.com/ I get green results for the autodiscover.domain.com on activesync, autosetup and outlook connectivity. I've used a comodo wildcard ssl
certificate for the domain.
However when I try to use autosetup on outlook it gives a password prompt on both the 2nd and 3rd step which I have to enter like domainname\username to get past them. After that it works fine but I want it to configure automatically without the extra password
prompt.
On mobile devices it searches for the settings and then asks for the servername and domain credentials. I would like this to be auto configured as well but I can't find the reason why it prompts for this.
For the Outlook setup are you using a Domain joined computer or a nondomain joined computer? For NonDomain joined computer you will always get prompted for a password because there is no AD Security token to send to Exchange to verify. Same thing
with ActiveSync. Your phone isn't joined to the domain, so it has to ask for a password to verify your identity.