Outlook Presents Multiple Prompts for Authentication in EBS

[Today's post comes to us courtesy of Mark Stanfill]

You may receive multiple prompts for authentication from Outlook clients connected to an EBS Messaging Server at roughly 5-minute intervals. Both local and Outlook Anywhere (OA) clients can encounter this issue, but it is usually more pronounced on OA clients. The behavior may be inconsistent for different users and is remedied temporarily by rebooting.

To resolve this issue, log on to the Messaging Server directly and run the following commands from an elevated command prompt. The commands may wrap in this post, so you may need to rejoin the lines after copying and pasting; each command is a single line:

%windir%\System32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/authentication/windowsAuthentication

%windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/ews" -section:windowsAuthentication -useKernelMode:False /commit:apphost

%windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/AutoDiscover" -section:windowsAuthentication -useKernelMode:False /commit:apphost

%windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/OAB" -section:windowsAuthentication -useKernelMode:False /commit:apphost

If you prefer, you can also make the changes in the GUI. Both methods accomplish the same thing; using the command line or the GUI is a matter of personal preference. To do this, highlight the virtual directory, double-click Authentication, click Windows Authentication to highlight it, and then click Advanced Settings…. Uncheck Enable Kernel-mode Authentication to remove the setting, and click OK to save it. This needs to be done for the following 3 virtual directories on the Default Web Site on the Messaging Server:

  • AutoDiscover
  • EWS
  • OAB
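To confirm the change took effect, whichever method you used, the following script reports the useKernelMode state of the three virtual directories. It is an added example, not part of the original post; it assumes PowerShell is run elevated on the Messaging Server, and the function name Get-KernelModeState is made up for this illustration.

```powershell
# Added example (not from the original post): report the kernel-mode
# authentication state of the three virtual directories named above.
# Run from an elevated PowerShell prompt on the Messaging Server.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$section = 'system.webServer/security/authentication/windowsAuthentication'
$vdirs   = 'Default Web Site/ews',
           'Default Web Site/AutoDiscover',
           'Default Web Site/OAB'

# Hypothetical helper name, used only in this example.
function Get-KernelModeState {
    param([string]$Path)

    # appcmd prints the effective section for this path as an XML fragment.
    $out = & $appcmd list config $Path "-section:$section"
    if ($LASTEXITCODE -ne 0) {
        return "ERROR (appcmd exit code $LASTEXITCODE)"
    }

    $xml  = [xml]([string]::Join("`n", @($out)))
    $node = $xml.SelectSingleNode('//windowsAuthentication')
    if ($node -eq $null) { return 'ERROR (section not found in output)' }

    # An absent attribute means the IIS schema default, which is enabled.
    $value = $node.GetAttribute('useKernelMode')
    if ($value -eq '')      { return 'enabled (default, not set explicitly)' }
    if ($value -eq 'false') { return 'disabled' }   # -eq ignores case
    return 'enabled'
}

$pending = 0
foreach ($vdir in $vdirs) {
    $state = Get-KernelModeState $vdir
    "{0,-32} kernel-mode auth: {1}" -f $vdir, $state
    if ($state -ne 'disabled') { $pending++ }
}

if ($pending -gt 0) {
    "$pending virtual directory(ies) still need the change."
} else {
    'All three virtual directories have kernel-mode authentication disabled.'
}
```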

Notes:

  • There are many configuration issues that can cause Exchange clients to not be able to log on to the server.  This is only one possible cause.
  • If the steps above don’t resolve your connectivity issue, running the Exchange BPA is a good next step.
  • Kernel-mode authentication is enabled on all Exchange Server 2007 Standard Edition installations.  SBS 2008 disables this setting by default.
  • A reboot is not required.  In some cases, you may have to run "iisreset /noforce" to get the settings to take effect.
  • Disabling Kernel-mode authentication on EBS is recommended as a general best practice.
  • There are no measurable performance gains to be made in environments of this size by leaving kernel-mode auth enabled.
  • OWA clients are not affected.

Special thanks to Oliver Sommer who first blogged this issue.