Microsoft KB Archive/927612

From BetaArchive Wiki
Knowledge Base


You are repeatedly prompted to enter your credentials when you try to connect to an Exchange 2003 mailbox by using Outlook 2007

Article ID: 927612

Article Last Modified on 10/25/2007


APPLIES TO

  • Microsoft Office Outlook 2007, when used with:
    • Microsoft Exchange Server 2003 Enterprise Edition
    • Microsoft Exchange Server 2003 Standard Edition
    • Microsoft Exchange Server 2007 Enterprise Edition
    • Microsoft Exchange Server 2007 Standard Edition


Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

SYMPTOMS

You have a mailbox that is hosted on a server that is running Microsoft Exchange Server 2003. When you start Microsoft Office Outlook 2007 to access this mailbox, you are repeatedly prompted to enter your credentials. If you click Cancel, you receive the following error message:

The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.

In this situation, you cannot access your mailbox by using Outlook 2007.

If you use another program such as Microsoft Office Outlook 2003 to access the mailbox, you can successfully connect to Exchange.

CAUSE

This problem occurs if the following Service Principal Names are registered on the Exchange server and if the Exchange server is not a global catalog server:

  • exchangeAB/ExchangeServerName
  • exchangeAB/ExchangeServerName.example.com

A Service Principal Name (SPN) is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs. Kerberos authentication is not possible for Exchange services without correctly configured SPNs.

RESOLUTION

To resolve this problem, correctly configure the exchangeAB resources in the Active Directory directory service. To do this, follow these steps:

  1. Determine which global catalog server Exchange uses. To do this, follow these steps:
    1. Start the Exchange System Manager program.
    2. Expand Administrative Groups, expand your administrative group, expand Servers, right-click the Exchange server that you want to examine, and then click Properties.
    3. In the ExchangeServerName Properties dialog box, click the Directory Access tab.
    4. In the Show list, click Global Catalog Servers.
    5. Note the name of the computer that appears in the Domain Controller column.
  2. Install the Setspn.exe tool if it is not already installed. The Setspn.exe tool is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Server 2003 Support Tools, double-click SUPPTOOLS.MSI in the Support\Tools folder on the Windows Server 2003 CD. Additionally, the Setspn.exe tool is included with the Microsoft Windows 2000 Resource Kit tools. To obtain this tool, visit the following Microsoft Web site:

    http://go.microsoft.com/fwlink/?LinkId=28103

  3. List the SPNs that are configured on the Exchange server. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type setspn -L ExchangeServerName, and then press ENTER. Results that resemble the following are returned: 
      Registered ServicePrincipalNames for CN=<ExchangeServerName>,CN=Computers,DC=example,DC=com:
   exchangeAB/<ExchangeServerName>
   exchangeAB/<ExchangeServerName>.example.com
   exchangeMDB/<ExchangeServerName>
   exchangeMDB/<ExchangeServerName>.example.com
   exchangeRFR/<ExchangeServerName>
   exchangeRFR/<ExchangeServerName>.example.com
   SMTPSVC/<ExchangeServerName>
   SMTPSVC/<ExchangeServerName>.example.com
   HOST/<ExchangeServerName>
   HOST/<ExchangeServerName>.example.com
      In this output, ExchangeServerName is the name of the Exchange server. Additionally, example.com is the name of the domain.
  4. Unregister the exchangeAB SPNs from the Exchange server. To do this, follow these steps:
    1. At the command prompt, type the following command, and then press ENTER:

      setspn -D exchangeAB/ExchangeServerName ExchangeServerName

    2. At the command prompt, type the following command, and then press ENTER:

      setspn -D exchangeAB/ExchangeServerName.example.com ExchangeServerName

  5. Register the exchangeAB SPNs with the global catalog server. To do this, follow these steps:
    1. At the command prompt, type the following command, and then press ENTER:

      setspn -A exchangeAB/GlobalCatalogServerName GlobalCatalogServerName

    2. At the command prompt, type the following command, and then press ENTER:

      setspn -A exchangeAB/GlobalCatalogServerName.example.com GlobalCatalogServerName


WORKAROUND

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To work around this problem, configure Outlook 2007 to use Windows authentication (NTLM). To do this, follow these steps:

  1. Double-click the Mail Control Panel item, and then click Show Profiles.

    Note If no Outlook profiles are configured on the computer, the Mail dialog box appears. In this situation, you cannot click Show Profiles.
  2. Follow these steps:
    • If no Outlook profile is created, follow these steps:
      1. In the Mail dialog box, click Add.
      2. Type a name in the Profile Name box, and then click OK.
      3. In the Add New E-mail Account dialog box, click to select the Manually configure server settings or additional server types check box, and then click Next.
      4. Click Microsoft Exchange, and then click Next.
      5. In the Microsoft Exchange server box, type the fully qualified domain name of the Exchange server, type your alias in the User Name box, and then click More Settings.

        Note If you are prompted to enter your credentials, click Cancel. You may have to click Cancel more than one or two times.
      6. In the Microsoft Exchange dialog box, click the Security tab.
      7. In the Logon network security list, click Password Authentication (NTLM), and then click OK.
      8. Click Next, and then click Finish to create the Outlook profile.
    • If you have an Outlook profile, follow these steps:
      1. In the Mail dialog box, click your Outlook profile, and then click Properties.
      2. Click E-mail Accounts, and then click Change.
      3. In the Change E-mail Account dialog box, click More Settings.
      4. In the Microsoft Exchange dialog box, click the Security tab.
      5. In the Logon network security list, click Password Authentication (NTLM), and then click OK.
      6. Click Next, click Finish, and then click Close two times.
  3. Click OK to close the Mail dialog box.



Additional query words: OL2007 Outlook2007

Keywords: kbtshoot kbprb kbexpertisebeginner KB927612



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/927612&oldid=336565
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki