Article ID: 927612
Article Last Modified on 10/25/2007
APPLIES TO
- Microsoft Office Outlook 2007, when used with:
- Microsoft Exchange Server 2003 Enterprise Edition
- Microsoft Exchange Server 2003 Standard Edition
- Microsoft Exchange Server 2007 Enterprise Edition
- Microsoft Exchange Server 2007 Standard Edition
Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.
SYMPTOMS
You have a mailbox that is hosted on a server that is running Microsoft Exchange Server 2003. When you start Microsoft Office Outlook 2007 to access this mailbox, you are repeatedly prompted to enter your credentials. If you click Cancel, you receive the following error message:
In this situation, you cannot access your mailbox by using Outlook 2007.
If you use another program such as Microsoft Office Outlook 2003 to access the mailbox, you can successfully connect to Exchange.
CAUSE
This problem occurs if the following Service Principal Names are registered on the Exchange server and if the Exchange server is not a global catalog server:
- exchangeAB/ExchangeServerName
- exchangeAB/ExchangeServerName.example.com
A Service Principal Name (SPN) is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs. Kerberos authentication is not possible for Exchange services without correctly configured SPNs.
RESOLUTION
To resolve this problem, correctly configure the exchangeAB resources in the Active Directory directory service. To do this, follow these steps:
- Determine which global catalog server Exchange uses. To do this, follow these steps:
- Start the Exchange System Manager program.
- Expand Administrative Groups, expand your administrative group, expand Servers, right-click the Exchange server that you want to examine, and then click Properties.
- In the ExchangeServerName Properties dialog box, click the Directory Access tab.
- In the Show list, click Global Catalog Servers.
- Note the name of the computer that appears in the Domain Controller column.
- Install the Setspn.exe tool if it is not already installed. The Setspn.exe tool is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Server 2003 Support Tools, double-click SUPPTOOLS.MSI in the Support\Tools folder on the Windows Server 2003 CD. Additionally, the Setspn.exe tool is included with the Microsoft Windows 2000 Resource Kit tools. To obtain this tool, visit the following Microsoft Web site:
- List the SPNs that are configured on the Exchange server. To do this, follow these steps:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type setspn -L ExchangeServerName, and then press ENTER. Results that resemble the following are returned:
  Registered ServicePrincipalNames for CN=<ExchangeServerName>,CN=Computers,DC=example,DC=com:
      exchangeAB/<ExchangeServerName>
      exchangeAB/<ExchangeServerName>.example.com
      exchangeMDB/<ExchangeServerName>
      exchangeMDB/<ExchangeServerName>.example.com
      exchangeRFR/<ExchangeServerName>
      exchangeRFR/<ExchangeServerName>.example.com
      SMTPSVC/<ExchangeServerName>
      SMTPSVC/<ExchangeServerName>.example.com
      HOST/<ExchangeServerName>
      HOST/<ExchangeServerName>.example.com
  ExchangeServerName is the name of the Exchange server. Additionally, example.com is the name of the domain.
- Unregister the exchangeAB SPNs from the Exchange server. To do this, follow these steps:
- At the command prompt, type the following command, and then press ENTER:
  setspn -D exchangeAB/ExchangeServerName ExchangeServerName
- At the command prompt, type the following command, and then press ENTER:
  setspn -D exchangeAB/ExchangeServerName.example.com ExchangeServerName
- Register the exchangeAB SPNs with the global catalog server. To do this, follow these steps:
- At the command prompt, type the following command, and then press ENTER:
  setspn -A exchangeAB/GlobalCatalogServerName GlobalCatalogServerName
- At the command prompt, type the following command, and then press ENTER:
  setspn -A exchangeAB/GlobalCatalogServerName.example.com GlobalCatalogServerName
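The following is an added example, not part of the original article or any Microsoft tool: a Python helper that reads saved setspn -L output, checks whether exchangeAB SPNs sit on an Exchange server that is not the global catalog server, and builds the setspn -D and setspn -A commands from the steps above for review. It generalizes slightly by deriving the DNS domain from the DC= components of the listed account; the server names EXCH01 and GC01 and the sample listing are constructed.

```python
import re

# Constructed `setspn -L` output for a hypothetical Exchange server EXCH01.
SAMPLE_LISTING = """\
Registered ServicePrincipalNames for CN=EXCH01,CN=Computers,DC=example,DC=com:
    exchangeAB/EXCH01
    exchangeAB/EXCH01.example.com
    exchangeMDB/EXCH01
    exchangeMDB/EXCH01.example.com
    HOST/EXCH01
    HOST/EXCH01.example.com
"""


def parse_setspn_listing(text):
    """Return (account name, DNS domain, SPN list) from `setspn -L` output."""
    header = re.search(r"Registered ServicePrincipalNames for (.+):\s*$", text, re.M)
    if header is None:
        raise ValueError("no 'Registered ServicePrincipalNames for' header found")
    # Simple DN split; assumes no escaped commas in the computer account's DN.
    rdns = [part.strip().split("=", 1) for part in header.group(1).split(",")]
    account = next(v for k, v in rdns if k.upper() == "CN")
    domain = ".".join(v for k, v in rdns if k.upper() == "DC")
    spns = [ln.strip() for ln in text[header.end():].splitlines() if "/" in ln]
    return account, domain, spns


def plan_exchangeab_fix(listing, gc_server):
    """Build the setspn commands that move exchangeAB SPNs to the GC server."""
    account, domain, spns = parse_setspn_listing(listing)
    misplaced = [s for s in spns if s.split("/", 1)[0].lower() == "exchangeab"]
    # The article's cause applies only when the Exchange server is not the GC.
    if not misplaced or account.lower() == gc_server.lower():
        return []
    commands = [f"setspn -D {spn} {account}" for spn in misplaced]
    commands += [
        f"setspn -A exchangeAB/{gc_server} {gc_server}",
        f"setspn -A exchangeAB/{gc_server}.{domain} {gc_server}",
    ]
    return commands


if __name__ == "__main__":
    # GC01 is a hypothetical global catalog server name noted from Directory Access.
    for cmd in plan_exchangeab_fix(SAMPLE_LISTING, "GC01"):
        print(cmd)
```

The helper only prints commands; run setspn -L again on both servers afterward to confirm that the exchangeAB entries appear only on the global catalog server.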
WORKAROUND
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
To work around this problem, configure Outlook 2007 to use Windows authentication (NTLM). To do this, follow these steps:
- Double-click the Mail Control Panel item, and then click Show Profiles.
  Note If no Outlook profiles are configured on the computer, the Mail dialog box appears. In this situation, you cannot click Show Profiles.
- Follow these steps:
- If no Outlook profile is created, follow these steps:
- In the Mail dialog box, click Add.
- Type a name in the Profile Name box, and then click OK.
- In the Add New E-mail Account dialog box, click to select the Manually configure server settings or additional server types check box, and then click Next.
- Click Microsoft Exchange, and then click Next.
- In the Microsoft Exchange server box, type the fully qualified domain name of the Exchange server, type your alias in the User Name box, and then click More Settings.
  Note If you are prompted to enter your credentials, click Cancel. You may have to click Cancel more than one or two times.
- In the Microsoft Exchange dialog box, click the Security tab.
- In the Logon network security list, click Password Authentication (NTLM), and then click OK.
- Click Next, and then click Finish to create the Outlook profile.
- If you have an Outlook profile, follow these steps:
- In the Mail dialog box, click your Outlook profile, and then click Properties.
- Click E-mail Accounts, and then click Change.
- In the Change E-mail Account dialog box, click More Settings.
- In the Microsoft Exchange dialog box, click the Security tab.
- In the Logon network security list, click Password Authentication (NTLM), and then click OK.
- Click Next, click Finish, and then click Close two times.
- Click OK to close the Mail dialog box.