0

We use Exchange 2010 SP2 on a Windows Server 2008 R2 box. Constantly throughout the day people here/outside the office are asked to enter their usersnames/passwords. It syncs with the AD account info.

I know there's an issue when users are wireless and they unplug the physical LAN. even though the connection is maintained while it defaults to the physical LAN it kicks back the usersname/password prompt. (They all use Outlook 2010.)

Sometimes the phones (droid x/iphone ect) prompt as well.

Has anyone experienced this issue?

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
lbakerit
  • 3
  • 1
  • 3
  • As a note I have changed the authentication (under the EMC Serverconfiguration> Client access> Server properties> Outlook anywhere) from basic to NTLM authentication and unchecked the "allow secure channel (ssl) offloading and it seemed to escalate the issue. We have a basic configuration (50 users) so we have our main firewall/router (cisco nsa series router) and managed switches. – lbakerit Aug 17 '12 at 14:11
  • How are these users connecting? from domain machines via outlook? Switching from LAN to WLAN shouldn't make a difference apart from a slight reconnecting phase. Although it will be syncing with the AD ... only time I can think of is when users aren't logging in from Domain computers? – Rhys Evans Aug 17 '12 at 15:25
  • Yeah its having issues flipping the authentication. It seems that not all people have this issue though so its been hard to track down. All systems that are using the email are using the domain accounts so its syncing with AD – lbakerit Aug 17 '12 at 17:51

2 Answers2

-1

Yes.

The issue is that the users are creating a new connection to the Exchange server when they switch from wireless to wired. New connection, new authentication challenge. It's probably the same issue with the smartphones - powering off the wireless to save battery, or moving between APs or towers, etc.

Personally, I'd set it up so that Outlook doesn't prompt, but uses the current user credentials automatically. Much less of a headache for everyone that way, IMO.

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
  • If an Android device is prompting, it's because an authentication attempt failed. And there is no option in Outlook to disable prompting. There's only an option to not use the current user's credentials and prompt instead. – longneck Aug 17 '12 at 15:22
  • @longneck Well, that actually depends on how the Droid is accessing the Exchange server, doesn't it? As to the rest... how is that different from what I said? – HopelessN00b Aug 17 '12 at 15:26
  • It's different. Subtle, but different. The check box is called "Always prompt for logon credentials". Checked means prompt for a username and password all the time, even if a valid user is logged in. Unchecked means only ask if the current user's credentials didn't work. Unchecked DOES NOT mean never prompt for a username and password. Are you maybe talking about a different check box or setting? If so, please enlighten. – longneck Aug 17 '12 at 15:31
  • @longneck Next time you're going to get all pedantic, please at least be right about. I said nothing about ticking checkboxes. I advised that Outlook be set up so that it doesn't prompt, but instead uses the current user credentials automatically. Going through and ticking a box on every single Outlook client is one way to achieve that result. So is GPO. (Which I use.) So are software deployment settings. Etc. There are multiple ways to achieve the behavior described, the best of which don't even involve seeing that tickbox you speak of. :/ – HopelessN00b Aug 17 '12 at 15:36
  • You still haven't identified what setting you're talking about. Where is this setting? – longneck Aug 17 '12 at 15:37
  • You're the only one talking about a specific setting. I'm talking about changing an undesirable application behavior. – HopelessN00b Aug 17 '12 at 15:40
  • OK, please explain how to change that. – longneck Aug 17 '12 at 15:41
  • I'd say "Jason, your GPO's ****ed up again. Fix it before I come back from lunch." – HopelessN00b Aug 17 '12 at 15:50
-1

A few suggestions:

0) Check your network connectivity. Are your internal Outlook users having the problem? If so are they connecting through an RPC over HTTPS gateway? And is that the same box that you ActiveSync users are connecting through? If yes, then I would suspect this box.

1) Make sure you don't have a bad server in your CAS array. One way to test this would be to take each member of the CAS array out of the load balancer one at a time and see if the problem goes away.

2) Make sure your load balancer isn't unnecessarily moving your clients around. If the load balancer moves the client from one CAS server to another, this can cause an authentication prompt while Outlook tries to re-establish its connection to the CAS server.

3) Turn on Kerberos authentication on the CAS array. This solved a very similar issue for us, See http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/enabling-kerberos-authentication-mapi-clients-connecting-exchange-2010-sp1.html

longneck
  • 22,793
  • 4
  • 50
  • 84
  • Hey Longneck, Thanks for the response! Right now this is our only exchange server so no load balancing ect (yet. about 6 months out). The phones and IPADs normally work and its the outlook 2010 that is normally having the issue. On and off the internal network. – lbakerit Aug 17 '12 at 17:50