
We recently pushed out a password policy in our domain, so the users now get prompted at logon to choose a new password. However, once this has been done, it seems that Outlook also prompts them to input the new password.

Is there any way to get this integrated, so Outlook just uses the new password that the user has chosen automatically?

Jack
  • I'm pretty sure the other answers are wrong and Outlook can absolutely use Windows authentication. I agree with your experience that this isn't normal behaviour – Dan Jun 22 '17 at 09:16

2 Answers

Outlook with Basic Authentication

Outlook stores the password itself when you choose the "Remember my credentials" option. It uses the saved information until it doesn't work anymore. This authentication method is unable to use Windows credentials, so every user needs to manually update their password.

Kerberos Authentication

The Microsoft Exchange Team's "Recommendation: Enabling Kerberos Authentication for MAPI Clients" by Ross Smith IV explains Kerberos authentication and tells how it has changed in Exchange 2010. This may be the reason the authentication was working as you remembered but doesn't do so now:

Typically, domain-joined clients/applications either leverage NTLM or Kerberos for authentication. The actual authentication mechanism used depends on the configuration of both the client and the server and they negotiate the authentication to be used during the establishment of the connection. MAPI supports Kerberos authentication and the default setting in Outlook 2007 and later is to negotiate the strongest authentication available when not running in Outlook Anywhere mode.

In Exchange 2010, MAPI clients connect to load-balanced array of servers, and not an individual server with its own unique network identity. This change in the messaging architecture presents a challenge, however. In previous Exchange versions, clients connected directly to the Mailbox server which was a single identity on the network. This meant that the client, if capable, could utilize Kerberos authentication for establishing the session with the Mailbox server.

The recommendation is to deploy the alternate service account (ASA) credential mechanism to enable Kerberos authentication for MAPI clients. See the article for detailed information.

The steps to deploy the ASA credential are as follows:

  1. Create an account to be used as the ASA credential.
  2. Deploy the ASA credential to the CAS members.
  3. Convert the OAB virtual directory to an application.
  4. Assign the SPNs to the ASA credential computer account.

Office 365 Modern Authentication

Just for completeness, Kerberos authentication is only possible with on-premises Exchange Server. However, Office 2013 (and later) and Office 365 support Active Directory Authentication Library (ADAL) sign-in. See "Using Office 365 modern authentication with Office clients".

Esa Jokinen
  • Is there no option to get the authentication integrated? Yes it seems this slipped my mind whilst pushing out the password policy and notes to users. However I remember at school there was a strict password policy but Outlook never prompted for the new password (definitely), weird? – Jack Jun 22 '17 at 08:57
  • I was wrong. The answer is now updated with a possible cause for this. – Esa Jokinen Jun 22 '17 at 10:57
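
The four ASA deployment steps listed in the answer above, as an added PowerShell sketch that is not part of the original answer or of the linked article. It assumes the Exchange Management Shell on an Exchange 2010 SP1 or later Client Access server; the domain, account name and host names are constructed placeholders.

```powershell
# Added example. Constructed placeholder values, replace with your own:
$Domain    = 'CONTOSO'               # NetBIOS domain name (assumption)
$AsaName   = 'EXCH2010ASA'           # ASA computer account name (assumption)
$ArrayFqdn = 'outlook.contoso.com'   # CAS array FQDN used by MAPI clients (assumption)
$HttpFqdn  = 'mail.contoso.com'      # HTTP namespace, e.g. OAB/EWS (assumption)
$Asa       = "$Domain\$AsaName`$"    # trailing $ marks a computer account

Import-Module ActiveDirectory

# Step 1: create the account used as the ASA credential.
New-ADComputer -Name $AsaName -SamAccountName $AsaName `
    -Description 'Exchange alternate service account credential' `
    -Enabled $true `
    -AccountPassword (Read-Host 'Initial ASA password' -AsSecureString)

# Step 2: deploy the ASA credential to the CAS array members.
# $exscripts is defined by the Exchange Management Shell.
Set-Location $exscripts
.\RollAlternateServiceAccountPassword.ps1 -ToArrayMembers $ArrayFqdn `
    -GenerateNewPasswordFor $Asa -Verbose

# Step 3: convert the OAB virtual directory to an application
# (run where the OAB virtual directory is hosted).
.\ConvertOABVDir.ps1

# Step 4: assign the SPNs to the ASA account.
# setspn -S checks for an existing registration first and refuses to
# create a duplicate SPN, which would break Kerberos for that service.
$spns = "http/$HttpFqdn",
        "exchangeMDB/$ArrayFqdn",
        "exchangeRFR/$ArrayFqdn",
        "exchangeAB/$ArrayFqdn"
foreach ($spn in $spns) {
    setspn -S $spn $Asa
}

# Verification: every CAS should report the same ASA credential,
# and the account should list exactly the SPNs assigned above.
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Format-List Name, AlternateServiceAccountConfiguration
setspn -L $Asa
```
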

No, here's what's happening:

Outlook caches the user's credentials in Credential Manager and fires them off every time it needs to grab something from 365/Exchange. When the user changes their domain password, that gets replicated to 365/Exchange; however, Outlook's credentials remain out of date. Then the user attempts to connect, they get an unauthorized response, and are then prompted to update their credentials in Outlook.

This, I'm afraid, is unavoidable.

As an aside, there is a bug with Outlook 2010/13 where it won't remember the credentials at all after they've been reentered, and thus prompts every time Outlook opens; there's also a fix for that.

Joe Brailsford