Outlook 2007 Credential Prompts in Small Business Server 2008

[Today’s post comes to us courtesy of Damian Leibaschoff from Commercial Technical Support, Chris Puckett from Product Quality, and Alex Shao from the Product Team]

You may receive multiple prompts for authentication from Outlook clients connected to an SBS 2008 Server at roughly 5 minute intervals.  Both local and Outlook Anywhere clients can encounter this issue. OWA clients are not affected. The behavior may be inconsistent for different users and is remedied temporarily by rebooting.  You may have noticed this behavior on existing installations after installing security updates or on new deployments if you installed the security updates during installation.

clip_image002

To resolve this issue, log on to the SBS 2008 Server and install Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later. Update Rollup 8 for Exchange Server 2007 SP1 was released on May 16, 2009. As of this writing Update Rollup 9 for Exchange Server 2007 Service Pack 1 is available and supersedes Update Rollup 8. To obtain Update Rollup 9 from the Microsoft Download Center, see Update Rollup 9 for Exchange Server 2007 Service Pack 1. It is also available from Microsoft Update and WSUS.

As another option, you may log on to the SBS 2008 Server and run the following command from an elevated command prompt (Note: the commands may wrap in this post, so you may need to combine the lines from copy and paste):

%windir%\System32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useKernelMode:false

More Information:

The update from KB 973917 enables authentication at the root level of IIS by adding the following to the C:\Windows\system32\inetsrv\config\applicationhost.config file at a global level:

<windowsAuthentication enabled="false" />

This exposes a behavior with IIS 7 where the mix of user and kernel mode authentication requests while servicing clients will not work.

Installing UR8 for Exchange 2007 SP1 or later resolves this issue by forcefully disabling kernel mode authentication at the global level thus preventing the situation where IIS 7 cannot service both types of authentication.

After installing Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later or running the appcmd specified above, the applicationhost.config is modified and the previously mentioned entry will look like this:

<windowsAuthentication enabled="false" useKernelMode="false">

Installing Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later prior to installing the KB 973917 security update should also prevent you from experiencing the symptoms described above.

There are many configuration issues that can cause Exchange clients to not be able to log on to the server.  This is only one possible cause.

If the steps above don’t resolve your connectivity issue, the next steps are:

1. Read this blog post on certificate mismatch warnings to see if it matches your symptoms

2. Run the Exchange BPA on the SBS 2008 server.

3. Run the Remote Connectivity Analyzer.