I had a weird case of an organization where Outlook couldn't connect to Exchange: the security (credentials) window kept popping up regardless of the credentials entered. In order to check Outlook connectivity I used the Microsoft Connectivity Analyzer: https://testconnectivity.microsoft.com/
The test passed without any hard issue; clients from outside the organization were connecting without any problem, and fast! But from the domain network itself, workstations couldn't connect with Outlook. OWA was working fine everywhere, so I ran:
Get-ClientAccessServer | Test-OutlookWebServices -Identity your@email.com -MailboxCredential (Get-Credential) | fl
to check Outlook, and I got this weird error complaining about a certificate mismatch:
Result : Failure
Latency : 1
Error : System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
There was no event ID in any log about a certificate issue. At that point I figured that the authentication mechanism wasn't working and that it had nothing to do with certificates or Exchange server health. Outlook can connect to the Exchange server with either NTLM or Kerberos, so I forced the workstation to connect with NTLM only: that didn't work! But when I set Kerberos as the default, Outlook connected in a flash. These are the registry settings for Outlook 2016:
All four options are set through the same registry value:
Registry Hive: HKEY_CURRENT_USER
Registry Path: software\policies\microsoft\office\16.0\outlook\security
Value Name: authenticationservice
Value Type: REG_DWORD

- Value 9 - Kerberos/NTLM Password Authentication
- Value 16 - Kerberos Password Authentication
- Value 10 - NTLM Password Authentication
- Value 2147545088 - Insert a smart card
Now, to find out why NTLM didn't work: it turned out there was a setting in the Default Domain Policy (GPO) denying all NTLM connections on all the computers in the domain, and it was set both in the Default Domain Policy and in the local policy:
Once I set these options to "Allow all", everything started working again!
Then run:
gpupdate /force
and sync it to all the DCs:
repadmin /syncall
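As an added example (not from the original post), the script below reads the Outlook 2016 authenticationservice value described above together with the LSA "Restrict NTLM" policy, and reports whether the two collide the way they did here. It assumes the GPO setting from the post is "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", which Windows stores as RestrictSendingNTLMTraffic (0 = Allow all, 1 = Audit all, 2 = Deny all); the function names are my own.

```powershell
# Added example, not from the original post: audit the Outlook 2016 authentication
# policy value and the LSA "Restrict NTLM" policy on the current workstation.

$outlookKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'
$authMap = @{
    '9'          = 'Kerberos/NTLM Password Authentication'
    '16'         = 'Kerberos Password Authentication'
    '10'         = 'NTLM Password Authentication'
    '2147545088' = 'Insert a smart card'
}

# Assumption: the GPO in the post is "Network security: Restrict NTLM: Outgoing
# NTLM traffic to remote servers", stored under this LSA key.
$ntlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlmMap = @{ '0' = 'Allow all'; '1' = 'Audit all'; '2' = 'Deny all' }

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD is returned as a signed Int32, so the smart-card value
    # (2147545088, above 0x7FFFFFFF) would read negative; widen it first.
    return [uint32]([int64]$item.$Name -band 0xFFFFFFFF)
}

function Get-OutlookAuthReport {
    $auth = Get-RegDword -Path $outlookKey -Name 'authenticationservice'
    $ntlm = Get-RegDword -Path $ntlmKey -Name 'RestrictSendingNTLMTraffic'

    $authText = if ($null -eq $auth) { 'not set (Outlook default negotiation)' } else { $authMap["$auth"] }
    if (-not $authText) { $authText = "unknown value $auth" }
    $ntlmText = if ($null -eq $ntlm) { 'not configured (Allow all)' } else { $ntlmMap["$ntlm"] }

    # The failure in the post: NTLM denied by policy while Outlook is not pinned to Kerberos (16).
    $collision = ($ntlm -eq 2) -and ($auth -ne 16)

    [pscustomobject]@{
        OutlookAuthenticationService = $authText
        RestrictSendingNTLMTraffic   = $ntlmText
        LikelyNtlmCollision          = $collision
        Recommendation = if ($collision) {
            'Set Restrict NTLM to Allow all (as in the post), or keep the restriction and pin Outlook to Kerberos (16) after confirming Kerberos works'
        } else { 'No Outlook/NTLM policy conflict detected' }
    }
}

Get-OutlookAuthReport | Format-List
```

Run it as the affected user, since the Outlook value lives under HKCU while the LSA value is machine-wide; the output is a quick way to tell a policy collision from a genuine certificate problem before touching the GPO.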