Outlook not connecting to the Exchange server and the password window keeps popping up


I had a weird case of an organization suffering from an Outlook that couldn't connect to Exchange: the security (credential) window kept popping up regardless of the credentials entered. To check Outlook connectivity I used the Microsoft Remote Connectivity Analyzer: https://testconnectivity.microsoft.com/

The test passed without any real issue; clients from outside the organization connected without any problem, and fast! But from the domain network itself, workstations couldn't connect with Outlook, while OWA worked fine everywhere. So I ran:

Get-ClientAccessServer | Test-OutlookWebServices -Identity your@email.com -MailboxCredential (Get-Credential) | fl

to check Outlook, and got this odd error complaining about a certificate mismatch:

Result : Failure
Latency : 1
Error : System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

There was no event ID in any log about a certificate problem. At that point I figured that the authentication mechanism wasn't working and that it had nothing to do with certificates or Exchange server health; the TLS trust error was a symptom, not the cause. Outlook can connect to the Exchange server with either NTLM or Kerberos, so I forced the workstation to connect with NTLM only -> that didn't work! But when I set Kerberos as the default, Outlook connected in a flash. These are the registry settings for Outlook 2016:

  1. Kerberos/NTLM Password Authentication
    Registry Hive HKEY_CURRENT_USER
    Registry Path software\policies\microsoft\office\16.0\outlook\security
    Value Name authenticationservice
    Value Type REG_DWORD
    Value 9
  2. Kerberos Password Authentication
    Registry Hive HKEY_CURRENT_USER
    Registry Path software\policies\microsoft\office\16.0\outlook\security
    Value Name authenticationservice
    Value Type REG_DWORD
    Value 16
  3. NTLM Password Authentication
    Registry Hive HKEY_CURRENT_USER
    Registry Path software\policies\microsoft\office\16.0\outlook\security
    Value Name authenticationservice
    Value Type REG_DWORD
    Value 10
  4. Insert a smart card
    Registry Hive HKEY_CURRENT_USER
    Registry Path software\policies\microsoft\office\16.0\outlook\security
    Value Name authenticationservice
    Value Type REG_DWORD
    Value 2147545088
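The same test from the PowerShell side, as an added example that is not part of the original post: it writes the AuthenticationService policy value listed above and reads it back with its meaning decoded, so you can flip a workstation between Negotiate, Kerberos and NTLM while reproducing the prompt. It assumes the 16.0 hive (Outlook 2016/2019/365) and that no GPO re-applies a different value at the next refresh.

```powershell
# Added example (not from the original post): set and read back the Outlook 2016
# policy value listed above. Assumes the 16.0 (Outlook 2016/2019/365) hive and
# that no GPO re-applies a different value at the next policy refresh.
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'
$ValueName  = 'AuthenticationService'

# Friendly name -> REG_DWORD, exactly the values from the list above.
$AuthModes = @{
    KerberosNtlm = 9            # Kerberos/NTLM password authentication (Negotiate)
    Ntlm         = 10           # NTLM password authentication
    Kerberos     = 16           # Kerberos password authentication
    SmartCard    = 2147545088   # 0x80040000, "Insert a smart card"
}

function Set-OutlookAuthMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('KerberosNtlm', 'Ntlm', 'Kerberos', 'SmartCard')]
        [string]$Mode
    )
    if (-not (Test-Path $PolicyPath)) {
        # The Policies branch normally only exists once a GPO or an admin creates it.
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # REG_DWORD goes through Int32, so values above 0x7FFFFFFF (the smart card
    # one) must be passed as their two's-complement Int32 representation.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$AuthModes[$Mode]), 0)
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $dword -Force | Out-Null
}

function Get-OutlookAuthMode {
    # Returns the friendly name, 'NotSet' when the value is absent (Outlook then
    # uses its default, Negotiate), or Unknown(hex) for any other value.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    # Read back as unsigned so the smart card value shows as 0x80040000, not negative.
    $raw = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.$ValueName), 0)
    foreach ($entry in $AuthModes.GetEnumerator()) {
        if ([uint32]$entry.Value -eq $raw) { return $entry.Key }
    }
    return ('Unknown(0x{0:X8})' -f $raw)
}

# The test from the post: force Kerberos, restart Outlook and see whether the
# credential prompt goes away; switch back to Negotiate (9) once done.
Set-OutlookAuthMode -Mode Kerberos
"AuthenticationService is now: $(Get-OutlookAuthMode)"
# Set-OutlookAuthMode -Mode KerberosNtlm   # restore the default afterwards
```

Run it in the user's own session (the value lives under HKEY_CURRENT_USER) and restart Outlook between changes; if a GPO manages this key, the next gpupdate will put the GPO's value back.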

Now, why didn't NTLM work? It turned out there was a setting in the Default Domain Policy (GPO) denying all NTLM connections on every computer in the domain (this is what the "Network security: Restrict NTLM" policies under Security Options do), and it was set both in the Default Domain Policy and in the local policy:

Once I set these options to "Allow all", everything started working again! Bear in mind that the Restrict NTLM policies are a hardening control: "Allow all" lifts the restriction for the whole domain, so if NTLM is being restricted on purpose, the narrower fix is to keep Kerberos working (or set Outlook to Kerberos as above) and list the Exchange servers in the "Add remote server exceptions for NTLM authentication" policy instead.

Then run on the affected workstations:

gpupdate /force

and replicate the change to all the DCs (from a domain controller):

repadmin /syncall
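Before editing the GPO, it is worth confirming on one workstation that an NTLM restriction is really in effect. The script below is an added example, not something from the original post: it decodes the registry values that back the "Network security: Restrict NTLM" policies on the local machine, pulls the audit/block events those policies write to the NTLM operational log, and shows the narrower alternative to "Allow all", a remote-server exception for the Exchange hosts. The server names at the bottom are hypothetical placeholders.

```powershell
# Added example, not from the original post. Decodes the registry values that
# back the "Network security: Restrict NTLM" policies, lists the NTLM
# audit/block events, and shows the server-exception alternative to "Allow all".
$Msv1     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Option labels as they appear in the GPO editor, keyed by the stored DWORD.
$OutgoingMap = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$IncomingMap = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
$InDomainMap = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'
                  3 = 'Deny for domain accounts'; 5 = 'Deny for domain servers'; 7 = 'Deny all' }

function ConvertTo-NtlmLabel([object]$Value, [hashtable]$Map) {
    if ($null -eq $Value) { return 'Not configured' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unknown ($Value)"
}

function Get-NtlmRestrictionState {
    $lsa = Get-ItemProperty -Path $Msv1     -ErrorAction SilentlyContinue
    $nl  = Get-ItemProperty -Path $Netlogon -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # "Restrict NTLM: Outgoing NTLM traffic to remote servers" (Allow all / Audit all / Deny all)
        OutgoingToRemoteServers = ConvertTo-NtlmLabel $lsa.RestrictSendingNTLMTraffic $OutgoingMap
        # "Restrict NTLM: Incoming NTLM traffic"
        Incoming                = ConvertTo-NtlmLabel $lsa.RestrictReceivingNTLMTraffic $IncomingMap
        # "Restrict NTLM: NTLM authentication in this domain" (only meaningful on a DC)
        InDomain                = ConvertTo-NtlmLabel $nl.RestrictNTLMInDomain $InDomainMap
        # "Restrict NTLM: Add remote server exceptions for NTLM authentication"
        ServerExceptions        = @($lsa.ClientAllowedNTLMServers)
    }
}

function Get-NtlmPolicyEvents([int]$Hours = 24) {
    # 8001-8004 are the audit/block events the Restrict NTLM policies write to the
    # NTLM operational log; the log stays empty while every policy is "Allow all".
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Add-NtlmServerException([string[]]$ServerName) {
    # Local equivalent of "Add remote server exceptions for NTLM authentication".
    # On a domain-joined machine the GPO overwrites this at the next refresh, so
    # the real change belongs in the GPO; this only shows what the policy stores.
    $existing = @((Get-ItemProperty -Path $Msv1 -ErrorAction SilentlyContinue).ClientAllowedNTLMServers)
    $merged   = @($existing + $ServerName | Where-Object { $_ } | Select-Object -Unique)
    New-ItemProperty -Path $Msv1 -Name ClientAllowedNTLMServers -PropertyType MultiString `
        -Value $merged -Force | Out-Null
}

$state = Get-NtlmRestrictionState
$state | Format-List
if ($state.OutgoingToRemoteServers -eq 'Deny all') {
    Write-Warning 'Outgoing NTLM is denied: Outlook set to NTLM (value 10) will keep prompting unless the Exchange hosts are listed in ServerExceptions.'
}
Get-NtlmPolicyEvents | Format-Table -AutoSize
# Narrow fix instead of "Allow all" (hypothetical host names):
# Add-NtlmServerException -ServerName 'EXCH01', 'mail.corp.example'
```

Run it elevated on a workstation that shows the prompt. An "Outgoing NTLM traffic to remote servers" value of Deny all with an empty exception list matches the symptom in this post exactly: Kerberos works, NTLM is refused before any credential is checked, and Outlook keeps asking for a password.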

Good Luck
