Friday, July 1, 2011

Outlook authentication popup when database move or failover

Have you noticed that when you run Exchange 2010 DAG and move the active database to another node, outlook throw an authentication prompt.

The behavior according to many sources including Microsoft is that a move or failover should go almost unnoticed by the end user. Well it does sometime, but many times outlook popups the authentication prompt.

Messed around in my lab with all kind of configurations and discovered that the prompt is to the outlook anywhere URL. This makes sense because the database goes offline and then another database goes online. This takes a short moment but the only component that should see this is CAS and outlook should still have connection to your Hardware Load Balancer or CAS if you don’t have a HLB. So if outlook is aware of a database goes offline then this is kind of valid.

To try things a little bit more I configured the system not to resolve the Outlook anywhere URL when connected to the internal network and then I did a move of active database again and I was very surprised that outlook still did popup for the outlook anywhere URL without actually being able to resolve it in DNS or even less actually connecting to it.

I figured there must be some caching going on here and to be safe I simply reboot everything. But outlook behaved the same, prompting me for credentials for an URL that could not be reached.

Finally I poked around in the configuration and decided to change the authentication scheme for outlook anywhere to Windows Integrated. I did not have a TMG or UAG in the system so I did not need to configure Kerberos Constrained Delegation (that’s another story).

Placed an outlook on the outside of the network and things went smooth; NTLM let me in directly with my cached domain credentials.

Moved outlook to the internal network and still everything worked as it should. Finally did move of the active database to another server. Outlook did not even blink, well almost, it just said it’s not connected and then a couple of seconds later it said connected again.

Well this must be one of the rare occasions when everything worked as it should according to various sources. Did about 20 more move of the active mailbox database and not a single time did outlook give me authentication prompt.

Well, I reconfigured outlook anywhere to use basic clear text authentication again and moved the database back and forth and about half the times outlook gave me the annoying authentication prompt.

Did some more testing with various setup and different version of outlook but the behavior is the same. When outlook anywhere is configured with basic clear text I get authentication prompts and when configured with Windows Integrated everything work without a hiccup.

Do we have any drawbacks by configure windows integrated authentication on outlook anywhere? Yes there is. Depending on if you have ISA/TMG/UAG doing Kerberos Constrained Delegation against your CAS, everything must belong to the same windows domain. Well, not exactly everything but all accounts used in the process, that is computer and user accounts.
This means if you have multiple forests or multiple domains and publishing Outlook Anywhere with pre-authentication on TMG/UAG, you’re almost forced to use Basic Authentication.

More information about Kerberos Constrained Delegation will be posted in a later post.

14 comments:

  1. Thanks Lasse,

    You just saved all of us a lot of testing. Now we at least have some answers to the irritated customers.

    Have a great summer vacation!

    ReplyDelete
  2. Other reason for authentication popups are proxy servers, bad configuration of autodiscover together with internal and external URL's on Exchange services running in IIS, or even Load Balancers. It all comes down to configuration of each individual component and how they interact with each other.

    ReplyDelete
  3. Thanks alot
    Highly appreciated

    ReplyDelete
  4. Hi What site on the cas server does Outlook anywhere connect to? I mean where would I find the setting that will be set to basic auth?

    ReplyDelete
  5. Outlook anywhere connect to the /rpc/ virtual directory in IIS.
    But don't change setting directly in IIS, use the Set-OutlookAnywhere cmdlet to change settings http://technet.microsoft.com/en-us/library/bb123545.aspx

    ReplyDelete
  6. Yeah just tried that still will not fail over unless I use unpatched Outlook Client

    ReplyDelete
  7. is the UPN for users equal to smtp address? some version of outlook have a bad behavior using the UPN instead of SMTP address when doing autodiscover.

    ReplyDelete
  8. We get this popup for users that have multiple mailboxes open, and one ore more of these are not on databases that are in the CAS-Array. The reason why they are not is because we still have some mailboxes on our 2007 environment. This was bugging me for a long time because none of my test-users, nor myself had more than my/their own mailbox opened, and i never saw this behavior in any kind of tests. Anyway, this may apply to some others, so i just wanted to share it. We still use basic auth.

    ReplyDelete
  9. In my case i do not have Outlook Anywhere enabled but i do get the authentication prompts for internal users with Outlook 2007 SP2 + patching against E2010 Sp2 Ru4-v2. How to fix those then? Enable OA?.....

    ReplyDelete
  10. We get this popup for about half the users during site-internal failover. The weird thing is... NTLM is already enabled on OA (and verified in IIS \Rpc vdir). Very annoying because thats another system that has to be updated on the weekend now (yay salary). Anyone run into this by chance?

    ReplyDelete
  11. I would look at your LoadBalancer configuration and also enable kerberos auth http://technet.microsoft.com/en-us/library/ff808312(v=exchg.141).aspx

    ReplyDelete
  12. How do you enable this setting?

    ReplyDelete
  13. Enable kerboros for MAPI? It is done with a powerhsll script RollAlternateServiceAccountPassword.ps1.
    http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx
    and
    http://technet.microsoft.com/en-us/library/ff808313(v=exchg.141).aspx

    ReplyDelete
  14. I am really inspired with your writing abilities as neatly as with the structure to
    your blog. Is this a paid theme or did you modify it your self?

    Either way stay up the nice quality writing, it is rare to look a nice weblog like this one today.

    .

    Feel free to visit my webpage :: Solve Captchas

    ReplyDelete