Nov 05 2017

Update – January 8th 2018: After upgrading from Exchange 2016 CU7 to Exchange 2016 CU8 and restarting the server, the password prompt was occurring again on internal/external domain joined computers. Stay posted for more information.

Update – January 13th 2018: If you upgrade to any new CU version (CU8 or higher), I would recommend resetting all your virtual directories to REVERSE the configuration advised below. On CU8, new issues arose and were resolved by fully resetting (restoring to default) the virtual directory configuration, and then reconfiguring them with the appropriate URL values. The fix below was NOT applied and is NOT needed on CU8 or later.

Update – January 14th 2018: If you still receive password prompts, your Outlook 2016 client may be trying to autoconfigure with Office 365 instead of your on-premises Exchange deployment. This is due to the autodiscover order being skewed by a new Outlook 2016 update. Please see https://www.stephenwagner.com/2018/01/14/cannot-create-exchange-2016-account-office-2016-due-repeated-password-prompts/ for more information and a fix for this.


Original Article:

Today I came across an issue with Microsoft Exchange 2013 and Microsoft Exchange 2016. The issue relates to using MAPI over HTTP with Microsoft Outlook 2016 clients (although I’m sure it affects earlier versions as well).

MAPI over HTTP is enabled by default on Exchange 2016, and can be enabled manually on Exchange 2013 by running the command:

Set-OrganizationConfig -MapiHttpEnabled $true


You’ll notice that when domain joined computers are internal to the LAN, they will work fine and there will not be any password prompts coming from Microsoft Outlook. However, when a domain joined user leaves the LAN and is external to the network, they will start to receive password prompts like below:

Outlook Password Prompt


After spending hours, I found this fix resolves the situation and applies to both Exchange 2013 and Exchange 2016:


Open up Exchange PowerShell and change the authentication methods on the MAPI virtual directory. We will be removing the Negotiate authentication mechanism. Use the command below:

Set-MapiVirtualDirectory -Identity "YOURSERVERNAME\mapi (Default Web Site)" -ExternalURL https://YOURSERVERNAME.YOURDOMAIN.com/mapi -IISAuthenticationMethods NTLM,OAuth

We now need to modify the Authentication settings inside of IIS to remove Negotiate from both the mapi and EWS directories. The command above may have removed it from mapi, but it’s still good to confirm and we still need to change it for EWS. Open IIS Manager, Expand “Default Web Site”. Select “EWS” on the left hand side, and then select “Authentication” on the Right side as shown below:

IIS Manager Left Pane

Select Windows Authentication and then click “Providers” on the right Action Pane. Now remove “Negotiate” from the list so that only NTLM remains, as shown below:

IIS Manager Authentication Providers

Repeat for the mapi on the left as well (Select “Default Web Site”, select “mapi” on the left hand side, and then select “Authentication” on the right side), and confirm that only NTLM is in the list of providers.

Open up command prompt and type “IISRESET” to reload IIS, or restart your Exchange Server!
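The steps above are manual (one Exchange cmdlet, two IIS Manager edits, one IISRESET). The script below is an added example, not code from the original post, that does the same thing in one place and, more importantly, lets you audit the current state before touching anything: run it without -Apply and it only reports the IISAuthenticationMethods on the MAPI virtual directory, the EWS virtual directory authentication settings, and the Windows Authentication providers configured in IIS for the mapi and EWS applications. It assumes it is run in the Exchange Management Shell on the Exchange server itself, that the IIS site is named "Default Web Site", that the WebAdministration module is available, and that the windowsAuthentication section is unlocked for those applications (which it is when IIS Manager lets you edit Providers there, as in the screenshots). $Server, $ExternalMapiUrl and the function names are placeholders/assumptions. Keep the post's own caveats in mind before applying: the updates above say the change is not needed on CU8 or later, and readers in the comments report that dropping Negotiate removes Kerberos for internal clients and, in one environment, broke the EWS MRS proxy used for Office 365 migrations. The audit output gives you the "before" state you need to reverse the change.

```powershell
# Added example (not from the original post): audit and, with -Apply, perform the
# MAPI/EWS authentication change described above.
# Requires: Exchange Management Shell (Get/Set-MapiVirtualDirectory,
# Get-WebServicesVirtualDirectory) and the IIS WebAdministration module.
# $Server, $ExternalMapiUrl and the site name "Default Web Site" are assumptions.
param(
    [string]$Server = $env:COMPUTERNAME,                               # assumption: run on the Exchange server
    [string]$ExternalMapiUrl = "https://YOURSERVERNAME.YOURDOMAIN.com/mapi",  # placeholder, use your real external MAPI URL
    [switch]$Apply                                                     # without -Apply the script only reports
)

Import-Module WebAdministration -ErrorAction Stop

$locations = @("Default Web Site/mapi", "Default Web Site/EWS")
$providersFilter = "system.webServer/security/authentication/windowsAuthentication/providers"

function Get-WindowsAuthProviders {
    param([string]$Location)
    # Each configured provider is an <add value="NTLM|Negotiate|..."/> element in the collection.
    $adds = Get-WebConfiguration -PSPath "MACHINE/WEBROOT/APPHOST" -Location $Location -Filter "$providersFilter/add"
    return @($adds | ForEach-Object { $_.value })
}

function Show-AuthState {
    "== Exchange virtual directory settings on $Server =="
    Get-MapiVirtualDirectory -Server $Server |
        Format-List Identity, InternalUrl, ExternalUrl, IISAuthenticationMethods
    Get-WebServicesVirtualDirectory -Server $Server |
        Format-List Identity, ExternalUrl, WindowsAuthentication, ExternalAuthenticationMethods
    "== IIS Windows Authentication providers =="
    foreach ($loc in $locations) {
        $providers = Get-WindowsAuthProviders -Location $loc
        $state = if ($providers -contains "Negotiate") { "Negotiate present" } else { "NTLM only" }
        "{0,-24} {1,-20} [{2}]" -f $loc, ($providers -join ","), $state
    }
}

# Always show the current ("before") state so the change can be reversed later.
Show-AuthState

if (-not $Apply) {
    "Audit only. Re-run with -Apply to make the change."
    return
}

# 1. MAPI virtual directory: drop Negotiate at the Exchange layer (same command as the article).
Set-MapiVirtualDirectory -Identity "$Server\mapi (Default Web Site)" `
    -ExternalUrl $ExternalMapiUrl -IISAuthenticationMethods NTLM,OAuth

# 2. IIS: remove the Negotiate provider from mapi and EWS so that only NTLM remains.
#    Assumption: the windowsAuthentication section is unlocked for these applications.
foreach ($loc in $locations) {
    if ((Get-WindowsAuthProviders -Location $loc) -contains "Negotiate") {
        Remove-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location $loc `
            -Filter $providersFilter -Name "." -AtElement @{ value = "Negotiate" }
        "Removed Negotiate from $loc"
    }
}

# 3. Reload IIS so the new provider list takes effect, then show the "after" state.
iisreset | Out-Null
Show-AuthState
```

Run it once without arguments from an elevated Exchange Management Shell to record the current providers, then with -Apply. To reverse the change later, re-add Negotiate to the two IIS applications (IIS Manager, or Add-WebConfigurationProperty with the same filter) and set -IISAuthenticationMethods back to the values the audit printed.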

  18 Responses to “MAPI over HTTP – Outlook Password Prompt on Domain joined External Users”

  1. Any update on this issue? We have reset everything based on your findings and implemented the registry key. External users still receive the password prompt. Even my laptop works fine on the domain; off network, I get password prompts. Maybe a bug in CU8?

  2. Hi Josh,

    If you’re experiencing the exact issue specified in this document, it should be fully resolved if you took all the steps specified in this document, as well as any of the updated links inside of this post.

    Please note, you could be experiencing another different issue, as all sorts of problems, issues, and misconfigurations can cause password prompts.

    If the solution I proposed isn’t working for you, I’d recommend doing some additional troubleshooting. These issues could be caused by incorrectly configured virtual directories, incorrectly configured SSL settings, as well as settings on the Exchange server, incorrectly configured autodiscovery, as well as an issue where usernames don’t match UPNs.

    Please take a look at this blog post and let me know if it applies to your scenario: https://www.stephenwagner.com/2016/09/23/outlook-2016-exchange-2013-password-prompts-upn-and-samaccountname-troubles/

    Thanks,
    Stephen

  3. Hello Stephen, thanks for this great article. I was experiencing this in my staging Exchange environment. I am testing having Outlook use MAPI over HTTP via NTLM, instead of RPC over HTTP via NTLM. When I made the change in staging Exchange, the Outlooks were able to connect when on a VPN connection. But if they were not connected to VPN, their Outlook would prompt for credentials when opening it each time.

    After making the changes you recommended above, it seems to have improved. Outlook without a VPN connection connects successfully without cred prompts when the user opens Outlook, HOWEVER, after a few seconds, they start receiving pass prompts again. Also, if you just hit cancel, and update the folder in Outlook, it connects again by itself. But the cred prompts appear again. Any idea what could be pushing this? Please let me know.

  4. Also, FYI, my staging Exchange 2013 is on CU18. But using the steps above in your article does seem to have improved it. However, Outlook still prompts for creds after a few seconds, but now we can simply update the folder and it will reconnect itself. Outlook was not able to do this before implementing this change. It was using MAPI over HTTP via nego*, and would demand a password be entered in the cred prompt, otherwise Outlook would not connect. I would like to find out why, after applying these steps, Outlook still prompts for creds after a few seconds.

  5. Hi Mohsan,

    When you press+hold Ctrl and right click on the Outlook icon, and select “Connection Status”, is there anything showing a failed or connecting attempt in the General Tab? Is anything pending in the “Local Mailbox” tab?

    I can’t comment too much on Exchange 2013, as this article was for Exchange 2016, but I’m wondering if there’s a misconfiguration in the authentication settings for a Global Address List (we need to confirm if it’s having trouble syncing this, and that’s what’s causing the password prompt).

    Just out of curiosity, do your users’ UPNs match their e-mail addresses? This could be a number of different issues.

    Cheers,
    Stephen

  6. Hello Stephen, thanks for the quick reply. There was nothing showing as failed or connecting. What I did to resolve the issue was, I also had to remove ‘negotiate’ from the providers for Windows authentication, in IIS authentication for the Autodiscover virtual directory. So I made this change in the Autodiscover virtual directory, EWS virtual directory, and MAPI virtual directory, then all Outlook clients are able to successfully connect via MAPI over HTTP with NTLM auth without a prompt for credentials. Is making all these changes normal for implementing MAPI?

    I did this in my staging env, and due to removing negotiate as a provider of Windows authentication in IIS authentication for the EWS virtual directory… this resulted in O365 no longer being able to communicate with our MRS Proxy (CAS server), so we cannot perform any migrations. I did some troubleshooting, and it seems that on the EWS virtual directory, Basic authentication and Windows authentication need to be enabled, so O365 can connect to the MRS proxy and do migrations.

    I wanted to get your feedback regarding this. It seems if I re-add negotiate to the EWS Windows authentication providers, then O365 migrations work, but external Outlook users are prompted for credentials each time they open their Outlook; otherwise, we won’t be able to do any migrations.

    I’m also wondering if Microsoft has released any hotfix for this, as I am on CU18, but still facing the issue that was raised by the community on CU14.

    Look forward to hearing back from you. Thank you in advance.

  7. This is my output when I run the command get-webservicesvirtualdirectory with a few parameters:
    InternalURI: https://address/ews/exchange.asmx
    externalURI: https://address/ews/exchange.asmx
    MRSProxyEnabled : True
    WSSecurityAuthentication : True
    BasicAuthentication : True
    DigestAuthentication : False
    WindowsAuthentication : False
    OAuthAuthentication : True
    ExternalAuthenticationMethods : {Basic, WSSecurity, OAuth}
    Server : server name

    If I re-add negotiate to Windows authentication in IIS authentication for the EWS virtual directory, then the output for parameter ‘ExternalAuthenticationMethods’ becomes: {Basic, NTLM, WindowsIntegrated, WSSecurity, OAuth}
    Then O365 is able to communicate with my MRSProxy server. But then that affects external Outlook connections as mentioned in the above post.

  8. Hi Mohsan,

    This problem is more complicated than the authentication mechanisms, I believe.

    I’m just curious, do users UPNs match their e-mail addresses? Are all Outlook clients externally getting prompted, or just a specific version of Outlook that is prompting?

    This problem in your environment is more complex, and needs to be properly troubleshot. It’s difficult to troubleshoot just from comments left on this post.

    Without having more information, all I can recommend at this point is to upgrade to CU20 to see if the issues are resolved, reverting the virtual directories to their default configuration, and finally reconfiguring the virtual directories from scratch.

    Is anything else in the Exchange environment not working or having issues?

    Stephen

  9. Hello Stephen,

    The users’ attribute for servicePrincipalName is not set. All Outlook clients externally are getting prompted each time they open their Outlook, but only the clients that are enabled for MAPIHttpEnabled. The accounts that are not enabled for MAPI HTTP are connecting via RPC over HTTP with NTLM auth without any prompt for credentials, whether internally or externally.
    I have raised a ticket with Microsoft regarding this. I will let you know the results.
    And no, no other issues have been brought up, or that we’ve noticed. All seems to be working perfectly fine.

  10. Hi Mohsan,

    My apologies, I meant to say UPN (I incorrectly typed SPN). Does the UPN match the user’s email address?

    Also, I would recommend upgrading to the latest CU available if possible.

    Cheers,
    Stephen

  11. Hi,
    Have the same problem on several Exchange 2013/2016 installations.
    The problem with this solution is that Kerberos authentication would not be available
    for internal clients, and it is not a viable workaround.

    Mohsan,
    Hope you can post what MS says/find out about your case.

    Roy

  12. Please confirm that this is the problem. Password prompts can occur for a number of reasons.

    In my situation, this was finally resolved by installing the latest Exchange 2016 CU version.

    Cheers

  13. Hi,
    Have the latest Exchange 2016 CU9 and latest Windows patches.

    Problem is as above:
    When using Outlook Anywhere all is working without auth prompt, internal and external.
    With MAPI HTTP internal is OK, but with external (domain joined machines) you get
    an auth prompt.

    Using only NTLM for both internal and external is not an option.

    Is this a bug or is it “by design”?

    Interesting to see what MS’s answer to Mohsan will be!

    Roy

  14. Hi,

    Any update on this problem?

    Mohsan,
    Have you received any answer from Microsoft?

    Roy

  15. Hi Roy,

    Have you checked to make sure the user UPNs match their email address, and have you checked this article: https://www.stephenwagner.com/2018/01/14/cannot-create-exchange-2016-account-office-2016-due-repeated-password-prompts/ ? Not only does the issue in that link cover account creation, but also when users change from internal to external and vice versa…

    This issue was corrected, so I think it’s something else that’s causing the password prompts. There’s a million things that can cause this if misconfiguration is the issue.

    Stephen

  16. Hi Stephen,

    Yes, UPN=Primary mail address.

    With NTLM only it is working in my config too.

    I will post the answer here if I ever find the solution 🙂

    Roy

  17. Hi all,
    I recommend that you proof the ASA account. If not set, create an ASA account and Outlook stops prompting for the cred.

    Karsten L.

  18. I recommend that you proof the ASA account. If not set, create an ASA account and Outlook stops prompting for the cred.
    Could you explain what it really means? “proof the ASA account”? What does it mean?
