Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere

This blog has moved to its permanent URL –

To view this post, please visit –


About ilantz

I am a technology enthusiastic, I've been working as an IT consultant since late 2007, I attained extensive experience with Microsoft's Exchange Server, Active Directory, Forefront products and the Windows server platform. I love designing solutions, handling security measures, architecture and advanced troubleshooting.
This entry was posted in Exchange 2007, Exchange 2010, Outlook / MAPI. Bookmark the permalink.

14 Responses to Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere

  1. chenyitai2005 says:


  2. Dominic says:

    Gave this a try the other day.
    First tried Set-OutlookProvider EXPR -CertPrincipalName
    Seemed to have worked for the first day, but everything fell over the day after. XP computers still prompting for username / passwords.
    So then I Tried: Set-OutlookProvider EXPR -CertPrincipalName none
    Seemes to have fixed the issues on most computers. However; some windows 7 computers complain about the name on the certificate not being the same as the name of the proxy server.
    and some windows xp computers keep prompting for username and password.
    LM Compatibility level is set to 3 for all computers. and all are set to negotiate authentication in outlook.
    I have noticed though if i set the authentication type in outlook to NTLM and the back again to negotiate it works :S

    Not sure if theres something wrong in my exchange autodiscover / outlook anywhere config?

    Any tips / suggestions are much appreciated.

    • ilantz says:

      Hi Dominic,
      Thanks for following my post.
      – Do you have proxy enabled for your client computers ? if so make sure, that all the http/https traffic to the exchange CAS servers is totally excluded. you must bypass proxy to the CAS servers.
      – In addition, please verify the parameter AutoDiscoverServiceInternalUri when running the Get-ClientAccessServer | FL , the value must match the certificate name.

      Please update me with the outcome..

      • Rajashekhar says:

        Could you please elaborate as to why we should have the http/https traffic to bypass the proxy? I would like to know if there is anything else that could be causing the popups.

      • ilantz says:

        Well, direct connection will most likely solve any “authentication” related issues, that is proxy that do not forward authentication properly to the servers.

        As far as my experience proxy servers within the network are always set to allow direct connection to the servers within the company (trough FW or not..)

        hopes this answers your question,

  3. Pingback: Outlook Anywhere AuthPackage

  4. Aaron says:

    Holy crap ilantz, you saved my ass…. Many thanks!!!

  5. LM says:

    We have been trying to months to resolve the Outlook prompting issue. We are using Basic Authentication. The advice you give about verifying the AutoDiscoverServiceInternalUri parameter, do you mean they must match exactly? Here is what we have:


    SSL Certificate Subject Alternative Names (there are several, including the following):

    Outlook Anywhere Settings:
    External Host Name:

    • ilantz says:

      “the value must match the certificate name” means that the URI value must match at least one SAN or the subject name of the certificate presented by the CAS server, in our case it seems it does.

      Another good tip is to make sure you exclude traffic to the Exchange web services from clients using Proxy, make sure they all are connecting directly to the server.


  6. Lars says:

    Thank for the tip to solve the issue getting Outlook Anywhere running with NTLM through an TMG server. By changing the Web publishing rule as in “Solution 3” did the trick 🙂

    • ilantz says:

      I’m glad you found this post useful Lars !
      Drop by more often for some more 🙂

      ** I’ve noticed I didn’t include the link for the NTLM whitepaper, post is updated.

  7. User says:

    Good to know if you have more than one AD site and subdomains:

    • ilantz says:

      Yes, the first example in that article points out clearly that one should not modify the EXPR setting if more then a single CAS is published and the external URL’s are different. Thanks for the comment !

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s