Outlook 2007 Prompting for Password

I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
into a couple of challenges. My DC is Windows 2008, almost default
configuration. I then brought up a separate 2008 server, and loaded
Exch07SP1 on it, default install options. I have another 2008 server acting
as the client with Outlook 2007 installed on it.

When I open Outlook 2007 for the first time after setting up the Exchange
profile, it always prompts me for the username and password. I think this
has something to do with the auto discovery service or OAB. If I cancel this
prompt, I can use Outlook just fine. When I schedule a new calendar event, I
can't see any free/busy data.

Now, if instead of canceling that initial password prompt, I enter in my
username/password, I can see the free/busy calendar data, however, I get a
certificate warning.

I'd like the new Outlook 2007 with Exchange 2007 to behave like
Exchange/Outlook 2003 and stop prompting legitimate domain users for login
credentials when Windows should be supplying them automatically. Is this a
known bug with Exchange/Outlook 2007? This is as close to an out-of-the-box
setup I could get. I've loaded up this lab several times, all with the same
results. I've scoured around, however I can't find any concrete explanations
of why this is happening, and/or how to solve it.

Any help much appreciated,
Phil

Mierdaan
Thu Mar 13 13:04:21 CDT 2008

On Mar 13, 12:43 pm, "Phil Carter" <philcar...@DONOTSPAMspacemky.com>
wrote:
> I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
> into a couple of challenges. My DC is Windows 2008, almost default
> configuration. I then brought up a separate 2008 server, and loaded
> Exch07SP1 on it, default install options. I have another 2008 server acting
> as the client with Outlook 2007 installed on it.
>
> When I open Outlook 2007 for the first time after setting up the Exchange
> profile, it always prompts me for the username and password. I think this
> has something to do with the auto discovery service or OAB. If I cancel this
> prompt, I can use Outlook just fine. When I schedule a new calendar event, I
> can't see any free/busy data.
>
> Now, if instead of canceling that initial password prompt, I enter in my
> username/password, I can see the free/busy calendar data, however, I get a
> certificate warning.
>
> I'd like the new Outlook 2007 with Exchange 2007 to behave like
> Exchange/Outlook 2003 and stop prompting legitimate domain users for login
> credentials when Windows should be supplying them automatically. Is this a
> known bug with Exchange/Outlook 2007? This is as close to an out-of-the-box
> setup I could get. I've loaded up this lab several times, all with the same
> results. I've scoured around, however I can't find any concrete explanations
> of why this is happening, and/or how to solve it.
>
> Any help much appreciated,
> Phil

Have you replaced the IIS certificate your exchange server is using
with one signed by your DC?

andy
Thu Mar 13 14:10:30 CDT 2008

You're getting prompted by the Exchange Web Services which are part of the
CAS role and running in IIS on the server. IIS integrated authentication is
failing perhaps because the server isn't in your trusted sites list, or
perhaps because your desktop doesn't trust the self-issued certificated used
by the Exchange server.


"Phil Carter" <philcarter@DONOTSPAMspacemky.com> wrote in message
news:%23XlIRlShIHA.4880@TK2MSFTNGP03.phx.gbl...
> I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
> into a couple of challenges. My DC is Windows 2008, almost default
> configuration. I then brought up a separate 2008 server, and loaded
> Exch07SP1 on it, default install options. I have another 2008 server
> acting as the client with Outlook 2007 installed on it.
>
> When I open Outlook 2007 for the first time after setting up the Exchange
> profile, it always prompts me for the username and password. I think this
> has something to do with the auto discovery service or OAB. If I cancel
> this prompt, I can use Outlook just fine. When I schedule a new calendar
> event, I can't see any free/busy data.
>
> Now, if instead of canceling that initial password prompt, I enter in my
> username/password, I can see the free/busy calendar data, however, I get a
> certificate warning.
>
> I'd like the new Outlook 2007 with Exchange 2007 to behave like
> Exchange/Outlook 2003 and stop prompting legitimate domain users for login
> credentials when Windows should be supplying them automatically. Is this a
> known bug with Exchange/Outlook 2007? This is as close to an
> out-of-the-box setup I could get. I've loaded up this lab several times,
> all with the same results. I've scoured around, however I can't find any
> concrete explanations of why this is happening, and/or how to solve it.
>
> Any help much appreciated,
> Phil

Phil
Thu Mar 13 15:44:41 CDT 2008

Ok, cool. It looks like Integrated Windows Authentication isn't working for:
https://exchange.contoso.com/Autodiscover/Autodiscover.xml

When I hit this URL from IE, it always prompts me for authentication instead
of using integrated auth. (Maybe it thinks the server is in the INTERnet
zone instead of the INTRAnet zone???) When I hit the root
(https://exchange.contoso.com), I downloaded the cert and installed it in my
trusted roots. Now Outlook doesn't throw a certificate error, but it still
prompts for the password. Any idea how to get the Autodiscover Integrated
Authentication working right? I feel that I'm so close to getting closure on
this.

Andy, Thanks for your help so far,
Phil

"andy webb" <awebb@swinc.com.spamsucks.com> wrote in message
news:464E1065-8620-4E70-9CE1-F98F18B64495@microsoft.com...
> You're getting prompted by the Exchange Web Services which are part of the
> CAS role and running in IIS on the server. IIS integrated authentication
> is failing perhaps because the server isn't in your trusted sites list, or
> perhaps because your desktop doesn't trust the self-issued certificated
> used by the Exchange server.
>
>
> "Phil Carter" <philcarter@DONOTSPAMspacemky.com> wrote in message
> news:%23XlIRlShIHA.4880@TK2MSFTNGP03.phx.gbl...
>> I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
>> into a couple of challenges. My DC is Windows 2008, almost default
>> configuration. I then brought up a separate 2008 server, and loaded
>> Exch07SP1 on it, default install options. I have another 2008 server
>> acting as the client with Outlook 2007 installed on it.
>>
>> When I open Outlook 2007 for the first time after setting up the Exchange
>> profile, it always prompts me for the username and password. I think this
>> has something to do with the auto discovery service or OAB. If I cancel
>> this prompt, I can use Outlook just fine. When I schedule a new calendar
>> event, I can't see any free/busy data.
>>
>> Now, if instead of canceling that initial password prompt, I enter in my
>> username/password, I can see the free/busy calendar data, however, I get
>> a certificate warning.
>>
>> I'd like the new Outlook 2007 with Exchange 2007 to behave like
>> Exchange/Outlook 2003 and stop prompting legitimate domain users for
>> login credentials when Windows should be supplying them automatically. Is
>> this a known bug with Exchange/Outlook 2007? This is as close to an
>> out-of-the-box setup I could get. I've loaded up this lab several times,
>> all with the same results. I've scoured around, however I can't find any
>> concrete explanations of why this is happening, and/or how to solve it.
>>
>> Any help much appreciated,
>> Phil
>

Phil
Fri Mar 14 08:48:38 CDT 2008

I installed Certificate Authority on the DC, and issued the IIS default
website a signed certificate. The EWS services are all using this new
certificate, but Exchange 2007 is still getting prompted for authentication.
Is there a setting I need to adjust to make integrated authentication work
for EWS? From the IIS logs on the Exchange server, I see HTTPS posts failing
(error 401) to /Autodiscover/Autodiscover.xml. Again, this is most likely
failing because integrated auth isn't working... Any ideas how to fix this
one?

Thanks,
Phil

"andy webb" <awebb@swinc.com.spamsucks.com> wrote in message
news:464E1065-8620-4E70-9CE1-F98F18B64495@microsoft.com...
> You're getting prompted by the Exchange Web Services which are part of the
> CAS role and running in IIS on the server. IIS integrated authentication
> is failing perhaps because the server isn't in your trusted sites list, or
> perhaps because your desktop doesn't trust the self-issued certificated
> used by the Exchange server.
>
>
> "Phil Carter" <philcarter@DONOTSPAMspacemky.com> wrote in message
> news:%23XlIRlShIHA.4880@TK2MSFTNGP03.phx.gbl...
>> I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
>> into a couple of challenges. My DC is Windows 2008, almost default
>> configuration. I then brought up a separate 2008 server, and loaded
>> Exch07SP1 on it, default install options. I have another 2008 server
>> acting as the client with Outlook 2007 installed on it.
>>
>> When I open Outlook 2007 for the first time after setting up the Exchange
>> profile, it always prompts me for the username and password. I think this
>> has something to do with the auto discovery service or OAB. If I cancel
>> this prompt, I can use Outlook just fine. When I schedule a new calendar
>> event, I can't see any free/busy data.
>>
>> Now, if instead of canceling that initial password prompt, I enter in my
>> username/password, I can see the free/busy calendar data, however, I get
>> a certificate warning.
>>
>> I'd like the new Outlook 2007 with Exchange 2007 to behave like
>> Exchange/Outlook 2003 and stop prompting legitimate domain users for
>> login credentials when Windows should be supplying them automatically. Is
>> this a known bug with Exchange/Outlook 2007? This is as close to an
>> out-of-the-box setup I could get. I've loaded up this lab several times,
>> all with the same results. I've scoured around, however I can't find any
>> concrete explanations of why this is happening, and/or how to solve it.
>>
>> Any help much appreciated,
>> Phil
>

Alan
Thu Mar 13 18:23:15 CDT 2008

Try adding the Exchange server to the list of trusted sites in IE. I had
the same issue.

Alan

"Phil Carter" <philcarter@DONOTSPAMspacemky.com> wrote in message
news:%23XlIRlShIHA.4880@TK2MSFTNGP03.phx.gbl...
> I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
> into a couple of challenges. My DC is Windows 2008, almost default
> configuration. I then brought up a separate 2008 server, and loaded
> Exch07SP1 on it, default install options. I have another 2008 server
> acting as the client with Outlook 2007 installed on it.
>
> When I open Outlook 2007 for the first time after setting up the Exchange
> profile, it always prompts me for the username and password. I think this
> has something to do with the auto discovery service or OAB. If I cancel
> this prompt, I can use Outlook just fine. When I schedule a new calendar
> event, I can't see any free/busy data.
>
> Now, if instead of canceling that initial password prompt, I enter in my
> username/password, I can see the free/busy calendar data, however, I get a
> certificate warning.
>
> I'd like the new Outlook 2007 with Exchange 2007 to behave like
> Exchange/Outlook 2003 and stop prompting legitimate domain users for login
> credentials when Windows should be supplying them automatically. Is this a
> known bug with Exchange/Outlook 2007? This is as close to an
> out-of-the-box setup I could get. I've loaded up this lab several times,
> all with the same results. I've scoured around, however I can't find any
> concrete explanations of why this is happening, and/or how to solve it.
>
> Any help much appreciated,
> Phil

Phil
Fri Mar 14 10:12:24 CDT 2008

Thanks for your suggestion Alan.

I tried that to no avail. Outlook 2007 still prompts after adding every
possible URL in IE's trusted sites. It should be noted that the Exchange IIS
is using a cert from my domain trusted CA, so the clients trust the
certificates all the way up the chain. Just for testing, I enabled anonymous
access only for the Autodiscover virtual directory. Doing that made Exchange
2007 not prompt for credentials.(!)

What would cause the Autodiscover virtual directory to prompt Outlook
clients when:
1) Windows Integrated Authentication is selected in IIS
2) The proper URLs are being accessed by the client. Outlook's "Test E-mail
AutoConfiguration" comes back good.
3) The EWS sites are using a certificate trusted all the way up

Again, this is a "default" out-of-the-box Exchange 2007 SP1 installation on
Windows Server 2008 RTM. My client is (now) Vista SP1 with Outlook 2007.

Thanks,
Phil

"Alan J. English" <aenglish@schiffhardin.com> wrote in message
news:%23ezrsvdhIHA.2084@TK2MSFTNGP02.phx.gbl...
> Try adding the Exchange server to the list of trusted sites in IE. I had
> the same issue.
>
> Alan
>
> "Phil Carter" <philcarter@DONOTSPAMspacemky.com> wrote in message
> news:%23XlIRlShIHA.4880@TK2MSFTNGP03.phx.gbl...
>> I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
>> into a couple of challenges. My DC is Windows 2008, almost default
>> configuration. I then brought up a separate 2008 server, and loaded
>> Exch07SP1 on it, default install options. I have another 2008 server
>> acting as the client with Outlook 2007 installed on it.
>>
>> When I open Outlook 2007 for the first time after setting up the Exchange
>> profile, it always prompts me for the username and password. I think this
>> has something to do with the auto discovery service or OAB. If I cancel
>> this prompt, I can use Outlook just fine. When I schedule a new calendar
>> event, I can't see any free/busy data.
>>
>> Now, if instead of canceling that initial password prompt, I enter in my
>> username/password, I can see the free/busy calendar data, however, I get
>> a certificate warning.
>>
>> I'd like the new Outlook 2007 with Exchange 2007 to behave like
>> Exchange/Outlook 2003 and stop prompting legitimate domain users for
>> login credentials when Windows should be supplying them automatically. Is
>> this a known bug with Exchange/Outlook 2007? This is as close to an
>> out-of-the-box setup I could get. I've loaded up this lab several times,
>> all with the same results. I've scoured around, however I can't find any
>> concrete explanations of why this is happening, and/or how to solve it.
>>
>> Any help much appreciated,
>> Phil
>
>

SvenC
Fri Mar 14 12:42:32 CDT 2008

Hi Phil,

> Try adding the Exchange server to the list of trusted sites in IE. I
> had the same issue.

By default trusted sites are not trusted to use integrated auth.
I suppose you should put it in your local intranet zone.

--
SvenC

Phil
Fri Mar 14 13:40:21 CDT 2008

Thanks for the suggestion Sven, but putting the URLs in IE's local Intranet
zone didn't do the trick either.

There has to be SOME WAY to make Outlook 2007 NOT PROMPT the user for
authentication for
https://exchange.domain.com/autodiscover/autodiscover.xml. I have it working
properly in another lab using beta versions. I'm trying to figure out why
Outlook 2007 is getting hung up on this, and pretty much getting nowhere.
It's almost as if Outlook 2007 doesn't trust the IIS website, so it reverts
back to "basic" authentication instead of trying Windows Integrated Auth.

Any more suggestions from the experts? Has anyone deployed Exchange 2007 SP1
on Windows 2008 with Vista/Outlook 2007 clients successfully?

Thanks!
Phil

"SvenC" <SvenC@community.nospam> wrote in message
news:582DB2DE-A749-42F6-B45E-3A1A4DF997A4@microsoft.com...
> Hi Phil,
>
>> Try adding the Exchange server to the list of trusted sites in IE. I
>> had the same issue.
>
> By default trusted sites are not trusted to use integrated auth.
> I suppose you should put it in your local intranet zone.
>
> --
> SvenC

SvenC
Fri Mar 14 14:20:51 CDT 2008

Hi Phil Carter,

> Thanks for the suggestion Sven, but putting the URLs in IE's local
> Intranet zone didn't do the trick either.
>
> There has to be SOME WAY to make Outlook 2007 NOT PROMPT the user for
> authentication for
> https://exchange.domain.com/autodiscover/autodiscover.xml. I have it
> working properly in another lab using beta versions. I'm trying to
> figure out why Outlook 2007 is getting hung up on this, and pretty
> much getting nowhere. It's almost as if Outlook 2007 doesn't trust
> the IIS website, so it reverts back to "basic" authentication instead
> of trying Windows Integrated Auth.

Does it work when you run Outlook 2007 on WinXP or Vista?
Maybe there are some security policies with different defaults for
client and server versions?

--
SvenC

Phil
Mon Mar 17 13:44:36 CDT 2008

Ok, I've managed to solve the issue after a lot of fighting with it.

I tested the NTFS "Effective Permissions" for my user account to the
Autodiscover web content folder on the Exchange server. For some weird
reason, it wouldn't work; it threw an error about not being able to resolve
the permissions. I took this to mean there was something wrong with the
domain, and reloaded the lab. In my original lab, I had 3 Windows 2008
servers running under vmware, all created from the same template. Perhaps
the Windows SIDs weren't properly regenerated by vmware which was causing
this hangup?

When I reloaded the lab, I made my domain controller Windows Server 2003,
the Exchange Server Windows Server 2008, and the client Vista. No issues at
all with this setup. This lab configuration more closely matched my
production environment, but I'd imagine that using 3 2008 servers would have
yielded positive results as well.

Thanks to all who helped me troubleshoot this issue!
Phil Carter

"Phil Carter" <philcarter@DONOTSPAMspacemky.com> wrote in message
news:%23XlIRlShIHA.4880@TK2MSFTNGP03.phx.gbl...
> I'm setting up a Windows Server 2008 / Exchange 2007 SP1 lab, and running
> into a couple of challenges. My DC is Windows 2008, almost default
> configuration. I then brought up a separate 2008 server, and loaded
> Exch07SP1 on it, default install options. I have another 2008 server
> acting as the client with Outlook 2007 installed on it.
>
> When I open Outlook 2007 for the first time after setting up the Exchange
> profile, it always prompts me for the username and password. I think this
> has something to do with the auto discovery service or OAB. If I cancel
> this prompt, I can use Outlook just fine. When I schedule a new calendar
> event, I can't see any free/busy data.
>
> Now, if instead of canceling that initial password prompt, I enter in my
> username/password, I can see the free/busy calendar data, however, I get a
> certificate warning.
>
> I'd like the new Outlook 2007 with Exchange 2007 to behave like
> Exchange/Outlook 2003 and stop prompting legitimate domain users for login
> credentials when Windows should be supplying them automatically. Is this a
> known bug with Exchange/Outlook 2007? This is as close to an
> out-of-the-box setup I could get. I've loaded up this lab several times,
> all with the same results. I've scoured around, however I can't find any
> concrete explanations of why this is happening, and/or how to solve it.
>
> Any help much appreciated,
> Phil

SvenC
Mon Mar 17 13:55:10 CDT 2008

Hi Phil,

> I tested the NTFS "Effective Permissions" for my user account to the
> Autodiscover web content folder on the Exchange server. For some weird
> reason, it wouldn't work; it threw an error about not being able to
> resolve the permissions. I took this to mean there was something wrong
> with the domain, and reloaded the lab. In my original lab, I had 3 Windows
> 2008 servers running under vmware, all created from the same template.
> Perhaps the Windows SIDs weren't properly regenerated by vmware which was
> causing this hangup?

Does vmware autogenerate new sids? I always use newsid from sysinternals
to create new SIDs for cloned machines.

--
SvenC

Phil
Mon Mar 17 15:01:40 CDT 2008

Thanks Sven,
I guess we could rename this thread:

"What happens when you deploy Exchange Server 2007 using duplicate SIDs". :)
VMWare generates a new UUID for each virtual machine, but not the SID. I
should've suspected this from the start, and used sysprep or NewSID. -PC

"SvenC" <SvenC@community.nospam> wrote in message
news:958D8F3B-606A-4071-936C-6A5359E6600C@microsoft.com...
> Hi Phil,
>
>> I tested the NTFS "Effective Permissions" for my user account to the
>> Autodiscover web content folder on the Exchange server. For some weird
>> reason, it wouldn't work; it threw an error about not being able to
>> resolve the permissions. I took this to mean there was something wrong
>> with the domain, and reloaded the lab. In my original lab, I had 3
>> Windows 2008 servers running under vmware, all created from the same
>> template. Perhaps the Windows SIDs weren't properly regenerated by vmware
>> which was causing this hangup?
>
> Does vmware autogenerate new sids? I always use newsid from sysinternals
> to create new SIDs for cloned machines.
>
> --
> SvenC

Christoph
Mon Mar 17 16:48:29 CDT 2008

On Mon, 17 Mar 2008 16:01:40 -0400, Phil Carter wrote:

> Thanks Sven,
> I guess we could rename this thread:
>
> "What happens when you deploy Exchange Server 2007 using duplicate SIDs". :)
> VMWare generates a new UUID for each virtual machine, but not the SID. I
> should've suspected this from the start, and used sysprep or NewSID. -PC
>
> "SvenC" <SvenC@community.nospam> wrote in message
> news:958D8F3B-606A-4071-936C-6A5359E6600C@microsoft.com...
>> Hi Phil,
>>
>>> I tested the NTFS "Effective Permissions" for my user account to the
>>> Autodiscover web content folder on the Exchange server. For some weird
>>> reason, it wouldn't work; it threw an error about not being able to
>>> resolve the permissions. I took this to mean there was something wrong
>>> with the domain, and reloaded the lab. In my original lab, I had 3
>>> Windows 2008 servers running under vmware, all created from the same
>>> template. Perhaps the Windows SIDs weren't properly regenerated by vmware
>>> which was causing this hangup?
>>
>> Does vmware autogenerate new sids? I always use newsid from sysinternals
>> to create new SIDs for cloned machines.
>>
>> --
>> SvenC

VMware does only generate new SIDs if you use Virtual Center with
customization Wizard - which currently does not support Win2k8 (afair) just
Win2k3. Workstation or VMware Server does not regnerate SIDs at all...

BG Christoph
--
If you dont want the milk to get sour...keep it in the cow

wcodycombs
Fri Apr 18 10:43:48 CDT 2008

I had an issue similar to this. Win2k3 Ex07. All of my Outlook 2007
users were getting prompted over and over for the username and
password. It wasn't checking the certificate that they had installed
via internet explorer. To fix the problem, I opened IIS on the
Exchange server and checked the following directories under the
default website (the root site(default web site), oab, autodiscover).
Under the directory security tab, click Edit in the Secure
Communications section. I had the require SSL checked and the 128bit
encryption, but under Client Certificates, it was set to ignore. Once
I changed that to Accept for each of the folders, stopped and started
IIS, I stopped being prompted all the time for credentials. Hopefully
this will help someone in the future.

roach
Sun Apr 20 16:42:00 CDT 2008

You have made me the happiest man in the world right now. I am so happy I
could kiss you. I have been trying to figure this out for two weeks now and
my users are starting to get fed up with the "hassle" of the prompt. I have
tried the SAN certificates, putting the sites in the trusted and local
intranet zones, etc. and that stupid prompt kept coming up. Until now. It
was such an issue that I came in on the weekend to work.

Words cannot describe the gratitude I have, but I will give it a try...

Thank you very much.

How in the hell did you find this solution?

-Matthew

"wcodycombs@gmail.com" wrote:

> I had an issue similar to this. Win2k3 Ex07. All of my Outlook 2007
> users were getting prompted over and over for the username and
> password. It wasn't checking the certificate that they had installed
> via internet explorer. To fix the problem, I opened IIS on the
> Exchange server and checked the following directories under the
> default website (the root site(default web site), oab, autodiscover).
> Under the directory security tab, click Edit in the Secure
> Communications section. I had the require SSL checked and the 128bit
> encryption, but under Client Certificates, it was set to ignore. Once
> I changed that to Accept for each of the folders, stopped and started
> IIS, I stopped being prompted all the time for credentials. Hopefully
> this will help someone in the future.
>