Outlook not connecting to Exchange server and password window keeps popping up


I had a weird case of an organization suffering from Outlook that couldn't connect to Exchange: the security (credential) window kept popping up regardless of the credentials entered. To check Outlook connectivity I used the Microsoft Connectivity Analyzer: https://testconnectivity.microsoft.com/

The test passed without any hard issue; clients from outside the organization were connecting without any problem, and fast! But from the domain network itself, workstations couldn't connect with Outlook, while OWA was working fine everywhere, so I ran:

Get-ClientAccessServer | Test-OutlookWebServices -Identity your@email.com -MailboxCredential (Get-Credential) | fl

to check Outlook, and I got this weird error complaining about a certificate mismatch:

Result : Failure
Latency : 1
Error : System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

There was no event ID in any log mentioning anything about a certificate issue. At that point I figured that the authentication mechanism wasn't working and that it had nothing to do with certificates or Exchange server health. Outlook can connect to the Exchange server with either NTLM or Kerberos, so I forced the workstation to connect with NTLM only: that didn't work! But when I set Kerberos as the default, Outlook connected in a flash. These are the registry settings for Outlook 2016:

  1. Kerberos/NTLM Password Authentication
    Registry Hive HKEY_CURRENT_USER
    Registry Path software\policies\microsoft\office\16.0\outlook\security
    Value Name authenticationservice
    Value Type REG_DWORD
    Value 9
  2. Kerberos Password Authentication
    Registry Hive HKEY_CURRENT_USER
    Registry Path software\policies\microsoft\office\16.0\outlook\security
    Value Name authenticationservice
    Value Type REG_DWORD
    Value 16
  3. NTLM Password Authentication
    Registry Hive HKEY_CURRENT_USER
    Registry Path software\policies\microsoft\office\16.0\outlook\security
    Value Name authenticationservice
    Value Type REG_DWORD
    Value 10
  4. Insert a smart card
    Registry Hive HKEY_CURRENT_USER
    Registry Path software\policies\microsoft\office\16.0\outlook\security
    Value Name authenticationservice
    Value Type REG_DWORD
    Value 2147545088

Now, why didn't NTLM work? It turned out there was a setting in the Default Domain Policy (GPO) denying all NTLM connections on all computers in the domain, and it was set both in the Default Domain Policy and in the local policy.

Once I set these options to "Allow all", everything started working again!

Then run:

gpupdate /force

Sync it to all the DCs:

repadmin /syncall
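The checks described above, as an added PowerShell example that is not from the original post: it decodes the Outlook 2016 authenticationservice policy value using the table listed earlier, optionally forces Kerberos (16) the way the post did, and reports the local "Restrict NTLM" setting. The MSV1_0 value names and their meanings are assumed well-known Windows settings; the post does not name them.

```powershell
# Added example, not from the original post. Assumes the Outlook 2016 policy path
# from the post; the MSV1_0 NTLM restriction values are assumed Windows settings.
$OutlookPolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'
$AuthServiceNames = @{   # from the post's table; string keys avoid int/uint32 mismatches
    '9'          = 'Kerberos/NTLM Password Authentication'
    '16'         = 'Kerberos Password Authentication'
    '10'         = 'NTLM Password Authentication'
    '2147545088' = 'Insert a smart card'
}

function Get-OutlookAuthService {
    $item = Get-ItemProperty -Path $OutlookPolicyPath -Name authenticationservice -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (Outlook negotiates NTLM or Kerberos itself)' }
    # REG_DWORD is returned as a signed Int32, so 2147545088 reads back negative;
    # mask it to an unsigned value before looking it up.
    $value = [uint32](([long]$item.authenticationservice) -band 4294967295)
    $name = $AuthServiceNames["$value"]
    if ($null -eq $name) { $name = 'unknown value' }
    return "$value ($name)"
}

function Set-OutlookAuthService {
    # 16 = Kerberos only, the setting that made Outlook connect in the post
    param([ValidateSet(9, 10, 16)] [int]$Value = 16)
    New-Item -Path $OutlookPolicyPath -Force | Out-Null   # create the policy key if missing
    New-ItemProperty -Path $OutlookPolicyPath -Name authenticationservice `
        -PropertyType DWord -Value $Value -Force | Out-Null
    return Get-OutlookAuthService
}

function Get-LocalNtlmRestriction {
    # Local-policy counterpart of the GPO setting the post found; 0 or missing = "Allow all".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $outgoing = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
    $incoming = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
    $send = if ($null -ne $lsa.RestrictSendingNTLMTraffic)   { [int]$lsa.RestrictSendingNTLMTraffic }   else { 0 }
    $recv = if ($null -ne $lsa.RestrictReceivingNTLMTraffic) { [int]$lsa.RestrictReceivingNTLMTraffic } else { 0 }
    [pscustomobject]@{
        OutgoingNtlmToRemoteServers = "$send ($($outgoing[$send]))"
        IncomingNtlmTraffic         = "$recv ($($incoming[$recv]))"
    }
}

Write-Host "Outlook authenticationservice : $(Get-OutlookAuthService)"
Get-LocalNtlmRestriction | Format-List
```

Run it on an affected workstation before and after the GPO change; a "Deny all" outgoing value explains why NTLM-only Outlook fails while Kerberos works.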



Good Luck
