
I can't handle the incessant password prompting anymore...

Our Outlook installations prompt for a password after the comps wake from sleep and/or when changing between wired/wireless. Outlook DOES NOT prompt for a password when launching initially... AND, funny thing is, when it does prompt for credentials, users can simply dismiss the credential box, then click on 'need password' in the bottom right corner of Outlook, and connectivity is restored. How asinine is that? This behavior has me convinced that the credential prompt for RPC over HTTP DOES NOT HAVE TO BE DEFAULT BEHAVIOR. Note, this works on all devices when they are connected to the LAN... and when they DO NOT have any credentials saved in Credential Manager.

I have found many discussions claiming that if basic auth is used for the RPC/HTTPS proxy, then password prompts are inevitable, but I can't believe MS would allow this behavior since they are now recommending RPC/HTTPS and deprecating NTLM, and based on the behavior described above, it's clear that there is a method to pass the currently-logged-on credentials through basic auth.

Another reason I don't believe this is desired behavior is because MS released a KB to combat this issue (for 2007): https://support.microsoft.com/en-us/kb/956531

Here is another older KB, https://support.microsoft.com/en-us/kb/820281 (unfortunately for 2003), that specifically says basic auth will always require a password, but this must be false (for the 2007/13 combo at least) based on the behavior described above.

Here is an experts-exchange thread where I commented, but did not receive a response: http://www.experts-exchange.com/questions/27778514/Outlook-Disconnected-after-resume-from-sleep-mode.html

Can anyone help/comment on this behavior please? I am convinced that something is just misconfigured somewhere...

We have Exchange 2007 with Outlook 2013 clients. Corp IT decided NOT to use NTLM after the migration from 2003-07 because Microsoft advised that it is insecure and recommends NOT using it anymore.

Our settings are auto-discovered/configured, so any changes I make to test get reverted. I have not tried to disable the auto-discover yet.

See screenshots below (Security tab, Connection tab, Proxy Settings).

goofology

1 Answer


Going to be blunt, but the reasoning behind the decisions is deeply flawed. A decision has been made to disable some functionality that a product was designed to use 10 YEARS ago, because of a future de-emphasis. That doesn't make sense. If you want to be more secure then migrate to Exchange 2013 or 2016.

Although, can you get a source for the recommendation to stop using NTLM authentication from Microsoft, because it is the first I have heard of it. You shouldn't use it over the internet without SSL, but that is to be expected. However, it is normally wrapped in HTTPS, which removes a lot of the problems with it.

If you are using basic authentication with Exchange 2007 then you will always get prompts when using Outlook Anywhere. Of course internally you shouldn't be using Outlook Anywhere.

If you want the authentication prompts to stop, switch to NTLM authentication. End of story. That needs to be configured on the server so it is pushed to the clients via Autodiscover.

Sembee
  • Thank you for your comments. For now, I would like the discussion to continue regarding the credential-passthrough behavior I have found using RPC/HTTPS/Basic Auth. Convincing Corp to revert to NTLM against our consultant's advice will be extremely hard. I will try to find the source I read where Microsoft advised against using NTLM in favor of RPC/HTTP. Regarding your comment 'shouldn't be using Outlook Anywhere'... can you elaborate? I was under the impression that Outlook Anywhere should be the new default... And if we have NTLM disabled, how can we NOT use Outlook Anywhere? – goofology Jan 04 '16 at 22:07
  • Exchange 2013 is the first version of Exchange where RPC over HTTPS / Outlook Anywhere is the default connection method. On older versions the usual method, RPC over TCP, should be used internally, with Outlook Anywhere used for external access only. While it is possible to use Outlook Anywhere internally with the older versions, Exchange isn't really designed for that. With regards to your authentication question, there isn't much to discuss. If you enable basic authentication then you will get password prompts. – Sembee Jan 05 '16 at 22:28
  • There are various hacks to work around the password prompts, using Windows to cache the information, however that presents a further problem of users getting locked out of their email and/or AD account when their password is changed. My previous point still stands - you are trying to apply a recent policy decision by Microsoft to a product that is close to 10 years old. If you want to work to modern standards then you will have to use a modern product. – Sembee Jan 05 '16 at 22:30
  • Specific to your statement 'if you enable basic auth then you will get password prompts'... then in our case I need to understand how Outlook bypasses those password prompts (WITHOUT any cached credentials) on launch and by simply dismissing the prompt and then clicking 'need password' at the bottom of the Outlook window. Clearly the currently logged-on user credentials CAN and DO get automatically passed through basic auth... So why do we get the password prompts then? And how does one configure Outlook to use different auth methods for internal vs external? Fast vs slow connection checkboxes? – goofology Jan 07 '16 at 02:57
  • On Exchange 2007 there is no mechanism to have different authentication methods for Outlook Anywhere for internal and external. That was first introduced with Exchange 2013, which moved to Outlook Anywhere as the client connection method. Going by the screenshot above, I don't think you are actually using Outlook Anywhere internally. You can verify that by starting Outlook, waiting for it to connect, then right click on the Outlook icon in the system tray while holding down CTRL. Choose Connection status. If it says TCP under protocol (rather than HTTPS) you are not using Outlook Anywhere. – Sembee Jan 07 '16 at 09:42
  • Therefore the password prompt is coming from elsewhere. Outlook throws password prompts for other reasons, the most common being an SSL error during the Autodiscover process, which runs every time Outlook starts. If the SSL certificate is issued to host.example.com, but the internal Autodiscover URL is the default of, say, server.example.local, then that can generate password prompts - basically Outlook failing to cope with the SSL prompt. Cancel it and you get connected. – Sembee Jan 07 '16 at 09:45
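The two server-side checks the answer and its last comment point at (which authentication method Autodiscover hands to Outlook Anywhere, and whether the internal URLs Autodiscover returns match the certificate bound to IIS) can be made from the Exchange Management Shell. The script below is an added example, not code from the question, the answer, or Microsoft; it uses only the standard Exchange 2007 cmdlets (Get-OutlookAnywhere, Get-ClientAccessServer, Get-WebServicesVirtualDirectory, Get-OABVirtualDirectory, Get-ExchangeCertificate and their Set- counterparts). The server name CAS01, the example.com host names and the Test-HostOnCertificate helper are assumptions for illustration. Note that on Exchange 2007 Outlook Anywhere has only an ExternalHostname and a single ClientAuthenticationMethod, which is why there is no internal-versus-external split to configure.

```powershell
# Added example, not from the original question or answer. Run in the Exchange
# Management Shell on the Exchange 2007 Client Access Server (CAS). The server
# name and the example.com names are assumptions; substitute your own.

$cas = 'CAS01'   # assumption: Client Access Server name

function Test-HostOnCertificate {
    # Returns $true when $HostName is covered by one of the certificate's subject
    # names, honouring a single-label wildcard such as *.example.com. (Helper
    # written for this example; it is not an Exchange cmdlet.)
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $parent = $name.Substring(2)
            $idx = $HostName.IndexOf('.')
            if ($idx -gt 0 -and $HostName.Substring($idx + 1) -eq $parent) { return $true }
        }
    }
    return $false
}

# 1. The authentication method Autodiscover hands to Outlook for Outlook Anywhere.
#    'Basic' here is the setting the answer says will always produce prompts.
$oa = Get-OutlookAnywhere -Server $cas
"Outlook Anywhere: {0}  ExternalHostname={1}  ClientAuthenticationMethod={2}" -f `
    $oa.Name, $oa.ExternalHostname, $oa.ClientAuthenticationMethod

# 2. Subject names on the certificate that is enabled for IIS on this CAS.
$iisCert   = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
"IIS certificate {0} covers: {1}" -f $iisCert.Thumbprint, ($certNames -join ', ')

# 3. The URLs Autodiscover returns to an internal client. A host name that is not
#    on the certificate is the SSL mismatch the last comment describes.
$urls = @{
    'AutoDiscoverServiceInternalUri' = (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri
    'EWS InternalUrl'                = (Get-WebServicesVirtualDirectory -Server $cas | Select-Object -First 1).InternalUrl
    'OAB InternalUrl'                = (Get-OABVirtualDirectory -Server $cas | Select-Object -First 1).InternalUrl
}
foreach ($entry in $urls.GetEnumerator()) {
    if (-not $entry.Value) { "{0}: not set" -f $entry.Key; continue }
    $h  = ([Uri]$entry.Value).Host
    $ok = Test-HostOnCertificate -HostName $h -CertNames $certNames
    "{0}: {1} -> {2}" -f $entry.Key, $entry.Value, $(if ($ok) { 'on certificate' } else { 'NOT on certificate' })
}

# 4. Remediation, left commented out. These are the values Autodiscover pushes to
#    Outlook, so changing them here is the only change that will not be reverted.
#    mail.example.com is an assumption: use a name that is on the IIS certificate.
# Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ClientAuthenticationMethod Ntlm
# Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri 'https://mail.example.com/Autodiscover/Autodiscover.xml'
# Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -InternalUrl 'https://mail.example.com/EWS/Exchange.asmx'
# Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" -InternalUrl 'https://mail.example.com/OAB'
```

If step 3 reports a host name that is NOT on the certificate, fix the URL (or reissue the certificate with that name) before touching the authentication method; if every URL checks out and step 1 shows Basic, the remaining prompts are the ones the answer attributes to basic authentication, and switching ClientAuthenticationMethod to Ntlm on the server is the change Autodiscover will then propagate to clients.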