
I am running Exchange 2003 for a mail server, and Windows Server 2003 as my NOS.

When users attempt to open Outlook 2003 and gain access to their mailbox, the system is prompting them for a username/password. Even when the correct credentials are entered, the box just prompts them again, and again...

These users had un-prompted access to their accounts yesterday without any problems or prompts. Today I have the credential prompts.

For any user with Domain Admin, the system does NOT prompt them. They have access just like they did before today - just double-click on the Outlook icon, and the mailbox opens.

I can ping the server, ping by FQDN, and ping by short-DNS-name. I can browse sites and resolve DNS addresses outside of my domain, and those within.

I need to get my users access to their mailboxes without a prompt, and without granting additional privileges. Upgrading software or operating systems is not an option.

I have no clue where I should go from here... any help is greatly appreciated.

HeavyObjectLifter
  • I have exactly the same problem, but I got it from the very beginning. – Daniel Rikowski Jul 20 '09 at 11:24
  • Quick Update... My superiors have made one of the wildest decisions. We have added all users to the main admin group to get the network back up. Yes, I explained the huge risk, and they accepted the risk. *sigh* We are building new exchange servers on the domain, creating some test OU structures, and researching an interesting log entry about the event log being full. I will post here often, but if anyone has any ideas, I would love to hear them. – HeavyObjectLifter Jul 20 '09 at 19:07

5 Answers


Since your "Domain Admins" can access their mailboxes without problems this doesn't point to a database mounting problem. Has somebody been playing around with permissions in the Active Directory? Start by querying everybody who would have access to do such a thing (Enterprise Admins, Domain Admins).

Are you seeing anything amiss in the event logs on the Exchange Server computer? That is the absolute first place to look.

Perhaps an obvious question, since you say it was working y'day, but: The client computers are joined to the domain and the users are logging-on with domain accounts and not local accounts-- correct?


I'd examine the default permissions on the Exchange organization by turning on the "Security" tab in Exchange System Manager (create a REG_DWORD value called "ShowSecurityPage" in the key "HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin").

I'm having a really hard time finding a doc from Microsoft that describes the default top-of-the-organization permissions for Exchange 2003! It would probably be easiest if you dumped a copy of the ACL using the DSACLS command and added that as an edit to your question.

To formulate the command-line for the DSACLS command you're going to need to know the distinguished name of your Exchange organization. The easiest way to do this is to install the "Windows Support Tools" from the W2K3 CD, in the "SUPPORT" folder. After you've got that installed, start "ADSIEDIT.MSC" from Start / Run.

Expand the "Configuration" container in the left pane, the "CN=Configuration,..." sub-node, the "CN=Services" container, and the "CN=Microsoft Exchange". In that "CN=Microsoft Exchange" container you'll find your Exchange organization as a "CN=Organization Name Here" node.

Bring up the properties for your organization, scroll down to the "distinguishedName" attribute, highlight it and click "Edit", and copy the contents of the "Value" text-box (making no changes!).

Close up ADSIEDIT. Click Start / Run and enter the following command, pasting in the "distinguishedName" value you copied inside the double-quotation marks (leaving the double-quotation marks in the command):

CMD /C DSACLS "paste distinguishedName value here" > %TEMP%\ACL.TXT

A window will briefly appear and close. Click Start / Run and enter the command:

%TEMP%\ACL.TXT

This will bring up your top-level Exchange organization permissions in a Notepad window.

Evan Anderson
  • Yes, all computers are added to my domain, and users are using their domain credentials. – HeavyObjectLifter Jul 20 '09 at 11:46
  • Hi Evan. As I said, the network is not connected to any outside network, so I am unable to post it here. Is there anything particular that I should be looking for in that file? Thanks for taking to time to help. I appreciate it. – HeavyObjectLifter Jul 20 '09 at 13:26
  • @Dodger: Here's a link to a dump of the ACL at the top of an Exchange 2003 organization. This one, like yours, has the explicit "Deny / Receive As" permissions removed for "Domain Admins", etc. http://mx02.wellbury.com/misc/20090720-Exchange_2003_Default_Organization_ACL.txt – Evan Anderson Jul 20 '09 at 20:14
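One way to script the lookup and dump described in the answer above, as an added example that is not part of Evan's answer or of any Microsoft tooling: it finds the organization DN over LDAP instead of browsing ADSIEDIT, runs the same DSACLS dump, and then flags the ACEs that govern mailbox access. It assumes PowerShell is available on a domain-joined machine, that the Support Tools' dsacls.exe is on the PATH, and that DSACLS prints each ACE as an "Allow"/"Deny" line with the trustee padded from the rights by two or more spaces and further rights on indented continuation lines.

```powershell
# Added example, not from the original answer. Assumes: domain-joined host,
# Support Tools installed (dsacls.exe on PATH), PowerShell available.

# RootDSE publishes the Configuration naming context; the Exchange organization
# object lives under CN=Microsoft Exchange,CN=Services beneath it.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$exchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"

$orgDn = $null
foreach ($child in $exchRoot.Children) {
    # Exchange organization objects carry this object class.
    if ($child.objectClass -contains 'msExchOrganizationContainer') {
        $orgDn = [string]$child.distinguishedName
    }
}
if (-not $orgDn) { throw "No Exchange organization found under $configNc" }

# Same dump the answer describes, without the manual copy/paste of the DN.
$aclFile = Join-Path $env:TEMP 'ACL.TXT'
& dsacls.exe $orgDn | Out-File -FilePath $aclFile -Encoding ASCII
Write-Host "ACL written to $aclFile"

# Assumed DSACLS layout: one ACE starts on an Allow/Deny line and its rights
# continue on indented lines, so carry the current trustee forward while scanning.
$current = $null
foreach ($line in Get-Content $aclFile) {
    if ($line -match '^(Allow|Deny)\s+(\S.*?)(\s{2,}|$)') {
        $current = "$($matches[1]) $($matches[2].Trim())"
    }
    # Receive As / Send As are the extended rights that decide who may open
    # or impersonate a mailbox; print every line that grants or denies them.
    if ($current -and $line -match 'Receive As|Send As') {
        Write-Host ("{0,-45} {1}" -f $current, $line.Trim())
    }
}
```

Compare the flagged lines with the default dump Evan links in the comments: out of the box, Domain Admins and Enterprise Admins carry explicit Deny entries for Receive As and Send As at this level, so a Domain Admin who can open every mailbox while ordinary users cannot is itself a sign the organization ACL has been altered.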
  • Have any patches been installed?
  • WSUS Updates?
  • Check event logs on your DC and Exchange server.
  • When passwords expire this happens - it's unlikely if it's all of your users but ask a couple to reset them and see if it changes anything.
  • Not the best solution but have you tried bouncing the exchange server?

Marko Carter
  • 1. I have the servers and clients updated from windows update on the 17th of June, same with VirusDefs. 2. Our WSUS server isn't online yet. This network is in its infancy, having only been stood up 10 days ago. Also this is a closed network, with no internet or external access. 3. What events should I be looking for? I have no abundance of failed logon attempts... 4. This happens even on brand new users and test accounts, but I will try. 5. Define bounce... I have rebooted once, but I do not want to again. – HeavyObjectLifter Jul 20 '09 at 11:24
Also check for any cached credentials in Control Panel | User Accounts | Advanced | Manage Passwords.

Maximus Minimus
Any chance your users are being directed by DNS to go back out to the web and back in through RPC over HTTP through your gateway? I guess a way you can check is by doing userid@domain.local (or whatever your internal domain is) and the password being their AD password.

Did you change any internal DNS settings that would make this happen? Any network infrastructure changes?

Edit: I just saw that you indicated in another comment that there is no external or internal network, so the comment above would probably not apply.

dasko
I think, by the sounds of it, the Self group is missing from the permissions for each mailbox. I think it's Self or the Owner group.

I think maybe somehow something has happened to this permission on the Exchange mailbox, OR maybe something has happened to that group that has nothing to do with the Exchange server, and it would be an AD issue.

SpaceManSpiff