July 17, 2015

Outlook Credential Prompt When Opening Exchange 2013 Public Folder

After completing an Exchange 2007 > 2013 migration recently, I was left with one issue that was preventing us from stamping the project as a roaring success and moving on:

Outlook 2013 users were sometimes receiving a single pop-up prompt for credentials whenever they opened the Public Folder (we have only one). One. Single. Prompt.

Google was frustratingly unhelpful because searching for "outlook prompts for username and password when opening public folders" or something similar just resulted in a lot of folks who were always getting a pop-up that wouldn't go away. It was usually caused by an authentication failure of some sort.

However, we were in a different boat - Users got the prompt once when they first launched Outlook and opened their public folders, but after entering it they could continue - authentication worked. Next time they logged in to their PC, it would happen again. Not a show stopper, but it definitely generated its share of support calls.


After I finally stopped "troubleblasting" to think about it a bit more critically, the key pieces of this fell in to place:
  1. A credential prompt means that either NTLM failed and/or Basic Authentication is being used (and your password hasn't been previously saved, or isn't permitted to be).
  2. Outlook (and Office in general) were not 100% up-to-date with the latest non-critical/non-security patches due incompatibilities with the "old" environment.
  3. We use a non-persistent desktop image in our VDI environment - Credential Manager doesn't preserve saved passwords between sessions.
A closer inspection of the Outlook Connection Status (available from a Ctrl+Right-Click menu on the Outlook tray icon) showed that we were indeed hitting the Public Folders with basic authentication instead of NTLM:




Because this was all internal communication, Outlook should have respected our selected internal authentication method for Outlook Anywhere: NTLM. It seemed to be ignoring it, but in actuality, it was incorrectly looking at our external authentication method: Basic.

Note: Running Get-OutlookAnywhere | fl server,*external*,*internal* should show your internal and external settings for all servers - essentially "NTLM" means integrated Windows authentication on a domain-joined PC, "Basic" means we just prompt the user with a standard pop-up for their password.

Apparently this is (or was) a bug in Outlook 2007, 2010, and 2013 (See KB2839517) where the client would correctly look at the first EXHTTP block during the autodiscover response (the internal setting) when connecting to a primary mailbox, but would then arbitrarily skip to the second EXHTTP block (the external setting) for any alternate mailboxes. Since we had migrated our public folder to Exchange 2013, it was now technically a shared (alternate) mailbox. Since we hadn't patched Outlook, the bug impacted us and thus basic authentication was used!

The final slice of the mystery (and the reason most environments would never be bothered by this) was that our desktop images in the VDI environment did not persist between login sessions - as soon as a user logs off, the machine is shut down and the image is reprovisioned during the next boot-up. User data is preserved (Documents, desktop items, etc) but not the Credential Manager store, which is where your basic authentication username/password is kept when you hit the "Remember password" option. For a normal environment, the user would have just clicked that button and never seen the prompt again, but our users were prompted every day after initial log in.

There were three possible fixes:
  1. Patch Outlook to ensure it is correctly looking at the internal setting.
  2. Configure our gold desktop image to preserve the credential store between sessions
  3. Adjust the external authentication method to NTLM or Negotiate
Although all three would eventually happen, I went with the third option initially since it was the easiest to accomplish and didn't require an update to our desktop image. A single line of Powershell got us up and running:

Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalClientAuthenticationMethod Negotiate

I could have also set it all to NTLM, but I wanted to ensure the highest compatibility with non-domain joined external computers running Outlook. An 'iisreset' later and we were in business - no more prompt and the Outlook Connection Status dialog showed NTLM across the board.

Incidentally, this also solved a problem with Lync 2013 throwing a credential prompt during login as well - I suspect the issue was similar and directly related, but I'm not completely sure why Lync was suffering the same problem.

Something else blew up before I could think on it more.

16 comments:

  1. Thank you so much for taking the time to this write up! This is exactly what the problem was in my organization.

    ReplyDelete
  2. I think this advice will be very helpful for many users, maybe even for me! In return I would like to share with you this amazing app https://yepdownload.com/promt-standard that always helps me a lot when I need it a most.

    ReplyDelete
  3. Dear Paul,

    thanks for your post. If I configure as recommended, there is an error message that negotiate authentication is not supported on Exchange 2010...

    If I run "Get-OutlookAnywhere -Server $SRV |fl Identity, *Hostname, *auth*" there is an error "ClientAuthenticationMethod : Misconfigured"

    Do you have an idea?

    Regards
    Andreas

    ReplyDelete
  4. This is a great inspiring article.I am pretty much pleased with your good work.You put really very helpful information. Keep it up. Keep blogging. Looking to reading your next post. Folder Locking mechanism Download For PC Desktop computer - Don't Spend Period Searching, Go through Details On Cell Desktops Inside this article how to password protect usb drive

    ReplyDelete
  5. i really like this article please keep it up. hotmail create account

    ReplyDelete
  6. Thank you for the explanation! I had another issue. Due to some reasons I needed to transfer several years worth of emails and personal information stored in eml files into Outlook. The task appeared straightforward from the first glance, but in reality, data conversion was a lot more sophisticated than that because Outlook worked only with the proprietary PST format. Luckily, a friend of mine recommended me a program that helped me to open eml file in outlook source. It did everything for me with my minimal involvement. I’ve never thought it could be so easy. Highly recommend for those who need to convert or import emails into Outlook. BTW, it keeps all the folder structure and no any single message is lost.

    ReplyDelete
  7. Saved as a favorite, I love your blog! You could check here: How To Lock Files The Marine Way.

    ReplyDelete
  8. always i used to read smaller articles which as well clear their motive,
    and that is also happening with this post which I am reading now

    ReplyDelete
  9. MSN Hotmail Can nicely write on similar topics! Welcome to      here you'll find out how it should look.

    ReplyDelete
  10. Your work is very good and I appreciate you and hopping for some more informative posts. Thank you for sharing great information to us. https://zetamatic.com/downloads/woocommerce-mailchimp-newsletter-discount/

    ReplyDelete
  11. This is a great inspiring article.I am pretty much pleased with your good work.it really a very helpful information.Kinemaster Gold

    ReplyDelete
  12. I appreciate you sharing this blog article. Really thank you! Really Great.
    send big file

    ReplyDelete
  13. Really appreciate you sharing this blog post. Thanks Again. Fantastic. best portfolio folder

    ReplyDelete
  14. I value the post. Really thank you! Keep writing. get portfolio folder

    ReplyDelete
  15. At the point when you create new, elegantly composed content that places your clients' needs and needs above all the other things, you will find that not exclusively will your internet based standing improve, your deals and benefits will as well.
    ChatGPT Prompts

    ReplyDelete

Red Flags and the Value of Experience

One of the things I hear often said, and something I subscribe to as well, is the idea that a lot of technical knowledge in the world of IT ...