Exchange password needed constantly


  • Exchange password needed constantly

    Good day everyone

    Thanks for having a read.

    We're running Exchange 2007 on SBS 2008, and recently I installed a new SSL certificate for our OWA in IIS7, and also applied the certificate in Exchange.

    A few days after installing the cert in IIS, users on the LAN (domain authenticated users) were being prompted for their password to connect to the Exchange server time and time again in Outlook 2007.

    When opening Outlook, it asks for the password, the password is entered, the box closes, and reopens about 2 seconds later again, prompting for the same.

    Outlook shows it's connected to the server, and mails come in and go out, but this authentication is very annoying.

    It doesn't happen for users connecting from outside the organisation via RPC over HTTPS though, they enter the password once and it's fine.

    Any help would be greatly appreciated.

    Regards,
    Gustav

  • #2
    Re: Exchange password needed constantly

    I have been reading up online, and could it be because of autodiscover settings?



    • #3
      Re: Exchange password needed constantly

      How are they authenticating? Basic or NTLM
      I have seen similar behaviour with basic authentication enabled
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Exchange password needed constantly

        Originally posted by gustavbat:
        I have been reading up online, and could it be because of autodiscover settings?
        Autodiscover settings should be checked for the behaviour you have mentioned below.

        Please confirm the below:

        Authentication methods in IIS 7 should be:

        For Autodiscover vdir = BASIC + WINDOWS INTEGRATED authentication

        For EWS : WINDOWS INTEGRATED authentication

        For OAB: WINDOWS INTEGRATED authentication

        If all is correct then do Test-Emailautoconfiguration and give us the result + make sure you have followed KB http://support.microsoft.com/kb/940726 to the internal and external URLs

        Question: Is the certificate a 3rd party cert like from GoDaddy or Verisign??

        Kind Regards
        Anish
        Last edited by jedi001; 20th January 2010, 23:27. Reason: wrong word
        Technical Director
        www.tecguruz.com
        Ex-Microsoft (Exchange Client & Server Infrastructure Team), MCSA, MCSE, MCITP, MCTS & ITIL Foundation certified



        • #5
          Re: Exchange password needed constantly

          Wow guys, thanks so much for all the advice. It's greatly appreciated.

          OK here goes:

          Ossian: Yes, in the Outlook clients, it's set to use basic authentication.

          Jedi: I have changed the auth methods in IIS to reflect what you said. The Autodiscover vdir was correct, but the EWS and OAB had both basic and windows authentication enabled, so I disabled basic authentication (will this conflict with Outlook's basic authentication setting?).

          Then I followed the KB you mentioned, and it modified the Autodiscover URL in the Service Connection Point correctly, but when modifying the InternalURL for OAB, EWS, and UM, after I run the command, it doesn't kick me back to the command line, I get the following: ">>" and it stays there. Does this mean it was successful?

          As a side note, in the commands to change the internalurls, I see that it specified the default web site. These directories are sitting under SBS Web Applications in IIS, so I amended the commands accordingly. Is this correct?

          Then I ran the Test E-mail Autoconfiguration, and here is the result:

          Autoconfiguration has started, this may take up to a minute
          Autoconfiguration found the following settings:

          Display Name: Gustav Battenhaussen

          Protocol:Exchange RPC
          Server:OBELIX.harveyjones.local
          Login Name:gustavb
          Availability Service URL:https://mail.harveyjones.co.za/EWS/Exchange.asmx
          OOF URL:https://mail.harveyjones.co.za/EWS/Exchange.asmx
          OAB URL:https://mail.harveyjones.co.za/OAB/c...-c1c07da8044a/
          Unified Message Service URL:https://mail.harveyjones.co.za/Unifi...g/Service.asmx
          Auth Package:Unspecified

          Protocol:Exchange HTTP
          Server:mail.harveyjones.co.za
          Login Name:gustavb
          SSL:Yes
          Mutual Authentication:Yes
          Availability Service URL:https://mail.harveyjones.co.za/EWS/Exchange.asmx
          OOF URL:https://mail.harveyjones.co.za/EWS/Exchange.asmx
          OAB URL:https://mail.harveyjones.co.za/OAB/c...-c1c07da8044a/
          Unified Message Service URL:https://mail.harveyjones.co.za/Unifi...g/Service.asmx
          Auth package:Basic
          Certificate Principal Name:msstd:mail.harveyjones.co.za


          The certificate we bought is from a 3rd party, yes.

          Regards,
          Gustav



            • #7
              Re: Exchange password needed constantly

              Apologies for the double posting.

              The users on the LAN seem to be connecting great now without being prompted for passwords (the domain authenticated users of course)

              But now the Outlook Anywhere isn't working. I tried running outlook.exe /rpcdiag, but there's nothing really helpful in there, it just shows "connecting", while Outlook doesn't connect.

              Is it possible that something we changed in the autodiscover settings might have made this happen?



              • #8
                Re: Exchange password needed constantly

                It appears you are not using a UC (Unified Communication) certificate, which is needed to get autodiscover working correctly. The certificate should have a number of entries including

                server.example.com
                autodiscover.example.com
                server.autodiscover.local
                server

                Can you check https://testexchangeconnectivity.com and see what this reveals.

                Shaun
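
Added example, not part of the original thread or any poster's code: it parses the Test E-mail AutoConfiguration output format shown in post #5, collects the HTTPS host names clients are sent to, and reports any that the certificate's names do not cover, which is the check post #8 is asking for. The function names are hypothetical, the sample is a trimmed copy of the post #5 output, and `autodiscover.harveyjones.co.za` is an assumed name that follows the `autodiscover.example.com` pattern in post #8.

```python
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the Test E-mail AutoConfiguration output in post #5.
SAMPLE = """\
Protocol:Exchange RPC
Server:OBELIX.harveyjones.local
Availability Service URL:https://mail.harveyjones.co.za/EWS/Exchange.asmx
Auth Package:Unspecified

Protocol:Exchange HTTP
Server:mail.harveyjones.co.za
OOF URL:https://mail.harveyjones.co.za/EWS/Exchange.asmx
Auth package:Basic
Certificate Principal Name:msstd:mail.harveyjones.co.za
"""

def parse_autoconfig(text):
    """Return one dict per 'Protocol:' block, with lower-cased keys."""
    blocks = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key.strip().lower() == "protocol":
            blocks.append({})
        if blocks:
            blocks[-1][key.strip().lower()] = value.strip()
    return blocks

def tls_hosts(blocks):
    """Host names from every https URL and from the msstd principal name."""
    hosts = set()
    for block in blocks:
        for key, value in block.items():
            if value.lower().startswith("https://"):
                hosts.add(urlsplit(value).hostname)
            elif key == "certificate principal name":
                hosts.add(value.split(":", 1)[-1].lower())
    return hosts

def covered(host, cert_names):
    """True on an exact match or a single-label wildcard match (*.example.com)."""
    parent = host.lower().split(".", 1)[1:]
    return any(n.lower() == host.lower() or (n.startswith("*.") and parent == [n[2:].lower()])
               for n in cert_names)

def uncovered_hosts(text, cert_names, extra_hosts=()):
    """Hosts clients are sent to (plus extra_hosts) that no certificate name covers."""
    hosts = tls_hosts(parse_autoconfig(text)) | {h.lower() for h in extra_hosts}
    return sorted(h for h in hosts if not covered(h, cert_names))

# Hypothetical Autodiscover name, following the autodiscover.example.com pattern in post #8.
print(uncovered_hosts(SAMPLE, ["mail.harveyjones.co.za"], ["autodiscover.harveyjones.co.za"]))
```

With the single-name certificate reported in post #9, every URL in the sample is covered and only the assumed Autodiscover name is listed as missing.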



                • #9
                  Re: Exchange password needed constantly

                  Hi Shaun

                  Yes I've seen this site. It seems pretty helpful. When I do the RPC over HTTP test, I get the following result:

                  Testing RPC/HTTP connectivity
                  RPC/HTTP test failed

                  Test Steps

                  Attempting to resolve the host name mail.harveyjones.co.za in DNS.
                    Host successfully resolved
                    Additional Details
                      IP(s) returned: 196.211.153.106

                  Testing TCP Port 443 on host mail.harveyjones.co.za to ensure it is listening and open.
                    The port was opened successfully.

                  Testing SSL Certificate for validity.
                    The certificate passed all validation requirements.
                    Test Steps

                    Validating certificate name
                      Successfully validated the certificate name
                      Additional Details
                        Found hostname mail.harveyjones.co.za in Certificate Subject Common name

                    Validating certificate trust
                      The test passed with some warnings encountered. Please expand additional details.
                      Additional Details
                        Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information.

                    Testing certificate date to ensure validity
                      Date Validation passed. The certificate is not expired.
                      Additional Details
                        Certificate is valid: NotBefore = 1/8/2010 2:10:12 PM, NotAfter = 1/8/2011 2:10:12 PM"

                  Testing Http Authentication Methods for URL https://mail.harveyjones.co.za/rpc/rpcproxy.dll
                    Http Authentication Test failed
                    Additional Details
                      An HTTP 500 response was returned from Unknown

                  It seems like the certificate trust is an issue, but I'm not too sure what is meant by the whole certificate chain. I was under the impression that the new 3rd party cert would have been enough.

                  Regards,
                  Gustav



                  • #10
                    Re: Exchange password needed constantly

                    Have you installed Rollup 9 for Exchange 2007 SP1? It isn't installed automatically - you need to go in to the Updates part of the Management Console for SBS and approve it. The lack of that update is the primary reason for repeating prompts for passwords with SBS 2008 systems.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Blog: http://blog.sembee.co.uk/
                    More Exchange Content: http://exchange.sembee.info/
                    Exchange Resources List: http://exbpa.com/
                    In the UK? Hire me: http://www.sembee.co.uk/

                    Sembee is a registered trademark, used here with permission.



                    • #11
                      Re: Exchange password needed constantly

                      Hi Simon

                      Thanks for the reply.

                      I installed the update rollup that you suggested, rebooted the server, and all is well again.

                      I can't thank you enough.

                      The same goes for the rest of the guys. You've been great.

                      Regards,
                      Gustav
