Unable to download address book from Office Communicator 2007 – prompting for credentials

After installing OCS, you find that you’re not able to download the Address Book. Office Communicator prompts for credentials over and over while trying to download the address book, but the credentials are never accepted. You’ll see this error in Communicator: “Your password is required to synchronize with the corporate address book”


Begin exploring the problem with Internet Explorer. When you browse in IE to the website the address book is on, you may also be prompted for credentials and have them rejected. After three rejections of your credentials, the browser will probably show either a 401.2 error or a 401.1 error from IIS. We’ll address the 401.2 first and then the 401.1.

HTTP Error 401.2 – Unauthorized: Logon Failed due to server


If you’re encountering the 401.2 response from IIS, you may need to add the URL you’re browsing to to the Intranet Zone site list. The problem here is that IE is not presenting its representation of the credentials properly to IIS. When using integrated authentication, we would expect the IIS logs to show a 401.2 (or rather “401 2”) for the initial client request. The client is going to attempt to authenticate anonymously at first. IIS will respond to the client saying something like, “Sorry but I’m not configured to allow anonymous requests. Try either NTLM or Kerberos next time.” The client tries again using NTLM or Kerberos (it’s the client’s choice at this point), and if the 401.2 is still being issued, one piece of low-hanging fruit to reach for involves not the server but the client.

First I’d focus on which zone IE says the site is in: Internet zone? Local Intranet zone? Trusted sites? Presumably you’ll want an intranet site in the Local Intranet zone. But if there are “dots” in the address (example: <http://accounting.intranet.local/>), you may see that IE thinks it is part of the Internet zone instead. Expand the Tools menu of IE, select Internet Options, and go to the Security tab. Highlight the icon for Local Intranet and click the Custom Level button. When the window entitled “Security Settings – Local Intranet Zone” opens, scroll to the bottom of the window and consider the four options for “Logon.” Is the bullet beside “Automatic logon only in Intranet Zone”? Perhaps it should be. Or is it beside “Automatic logon with current user name and password”? That should work well too. Either of the other two options may not be a good idea for an intranet site using integrated authentication. Adjust if desired.

While the Local Intranet icon is still highlighted, click the Sites button. Click the Advanced button. Consider typing the address of the intranet site into the field labeled “Add this website to the zone:” and click the Add button. If you’re unable to do this, your workstation may have these settings dictated by group policy. When the website is added to the local intranet zone list and the client is set to automatically provide credentials when browsing sites found in the local intranet list, the 401.2 often goes away. The client simply wasn’t set to present the credentials to IIS.

After the 401.2 is dealt with in this manner, you may still get prompted, rejected, and see the 401.1 error. The 401.1 error means that Integrated (Kerberos) authentication isn’t working properly.
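To tell the two cases apart from the server side, the IIS log can be triaged per client. The following is an added example, not part of the original post: it reads IIS W3C extended log text and classifies each client by the last response it received, so an initial 401.2 that is followed by a success counts as healthy. The sample log, the IP addresses and the `/addressbook/` URI are constructed placeholders.

```python
# Constructed sample in IIS W3C extended log format; IPs and URI are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2008-03-01 10:00:01 10.0.0.5 GET /addressbook/ 401 2
2008-03-01 10:00:02 10.0.0.5 GET /addressbook/ 200 0
2008-03-01 10:01:10 10.0.0.6 GET /addressbook/ 401 2
2008-03-01 10:01:15 10.0.0.6 GET /addressbook/ 401 2
2008-03-01 10:01:21 10.0.0.6 GET /addressbook/ 401 2
2008-03-01 10:02:30 10.0.0.7 GET /addressbook/ 401 2
2008-03-01 10:02:31 10.0.0.7 GET /addressbook/ 401 1
2008-03-01 10:02:40 10.0.0.7 GET /addressbook/ 401 1
"""


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def triage(text):
    """Map (client IP, URI) to a diagnosis based on the last response logged."""
    last = {}
    for row in parse_w3c(text):
        key = (row["c-ip"], row["cs-uri-stem"])
        last[key] = (int(row["sc-status"]), int(row["sc-substatus"]))
    result = {}
    for key, (status, sub) in last.items():
        if status < 400:
            result[key] = "ok"
        elif (status, sub) == (401, 2):
            # Client kept retrying without credentials: the zone/logon case above.
            result[key] = "no-credentials-sent: check IE zone / automatic logon"
        elif (status, sub) == (401, 1):
            # Credentials were sent but rejected: the SPN case described below.
            result[key] = "credentials-rejected: check SPN for app pool account"
        else:
            result[key] = "other: %d.%d" % (status, sub)
    return result


if __name__ == "__main__":
    for (ip, uri), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, uri, verdict)
```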

HTTP Error 401.1 – Unauthorized: Access is denied due to invalid


The 401.1 is probably caused by the need for a new SPN to be registered. Since the OCS application pool uses the RTCComponentService account as its identity, you’ll need to register a new SPN for this account which also reflects the address you’re browsing to. 

You can download the SetSPN utility by finding and downloading the Support Tools from <http://microsoft.com/downloads>. Look for Windows Server 2003 Service Pack 2 32-bit Support Tools <https://www.microsoft.com/downloads/info.aspx?na=22&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d96a35011-fd83-419d-939b-9a772ea2df90%26DisplayLang%3den> or Windows Server 2003 Service Pack 1 32-bit Support Tools <https://www.microsoft.com/downloads/info.aspx?na=22&p=3&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d6ec50b78-8be1-4e81-b3be-4e7ac4f0912d%26DisplayLang%3den>. After the support tools are installed, open a command prompt, navigate to the support tools directory, and use the following pattern to register a new SPN:


Setspn -A HTTP/{servername} {domainname}\RTCComponentService

Note: if you are browsing to an address that is not the servername, you’ll want to set an SPN for that address rather than the servername.

Example: Setspn -A HTTP/{address-without-the-https} {domainname}\RTCComponentService

After you register an SPN that connects the address you’re browsing to with the account the IIS application pool is using, IIS will be able to decrypt the Kerberos tickets and Kerberos authentication should begin working. Have the customer open a new instance of IE and browse to the address again. This time there should be no prompting for credentials.


Before you go through the above steps, ensure that the Address Book settings are correct, as described in the article below:

Steps to check the Address book server settings

Related Link:


Common Address Book Issues


