The official blog for Windows Server Essentials and Small Business Server support and product group communications.
[Today’s post comes to us courtesy of Damian Leibaschoff from Commercial Technical Support, Chris Puckett from Product Quality, and Alex Shao from the Product Team]
You may receive multiple prompts for authentication from Outlook clients connected to an SBS 2008 Server at roughly 5 minute intervals. Both local and Outlook Anywhere clients can encounter this issue. OWA clients are not affected. The behavior may be inconsistent for different users and is remedied temporarily by rebooting. You may have noticed this behavior on existing installations after installing security updates or on new deployments if you installed the security updates during installation.
To resolve this issue, log on to the SBS 2008 Server and install Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later. Update Rollup 8 for Exchange Server 2007 SP1 was released on May 16, 2009. As of this writing Update Rollup 9 for Exchange Server 2007 Service Pack 1 is available and supersedes Update Rollup 8. To obtain Update Rollup 9 from the Microsoft Download Center, see Update Rollup 9 for Exchange Server 2007 Service Pack 1. It is also available from Microsoft Update and WSUS.
As another option, you may log on to the SBS 2008 Server and run the following command from an elevated command prompt (Note: the commands may wrap in this post, so you may need to combine the lines from copy and paste):
%windir%\System32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useKernelMode:false
The update from KB 973917 enables authentication at the root level of IIS by adding the following to the C:\Windows\system32\inetsrv\config\applicationhost.config file at a global level:
<windowsAuthentication enabled="false" />
This exposes a behavior with IIS 7 where the mix of user and kernel mode authentication requests while servicing clients will not work.
Installing UR8 for Exchange 2007 SP1 or later resolves this issue by forcefully disabling kernel mode authentication at the global level thus preventing the situation where IIS 7 cannot service both types of authentication.
After installing Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later or running the appcmd specified above, the applicationhost.config is modified and the previously mentioned entry will look like this:
<windowsAuthentication enabled="false" useKernelMode="false">
Installing Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later prior to installing the KB 973917 security update should also prevent you from experiencing the symptoms described above.
There are many configuration issues that can cause Exchange clients to not be able to log on to the server. This is only one possible cause.
If the steps above don’t resolve your connectivity issue, the next steps are:
1. Read this blog post on certificate mismatch warnings to see if it matches your symptoms
2. Run the Exchange BPA on the SBS 2008 server.
3. Run the Remote Connectivity Analyzer.
Exchange 2007 SP2, also has the desired effect.
Another thing to check if these steps don't fix it and you keep getting prompted is to check if the client has any SharePoint libraries linked to their Outlook account. I went through the steps necessary to fix this for Outlook / Exchange (update rollup 9) but my clients were still getting this login prompt.
It turned out to be a SharePoint issue, not Outlook / Exchange, since they had some SharePoint libraries linked inside Outlook. The account setup to run their SharePoint site services (another admin used his personal login acct for some reason) was having trouble using Kerberos authentication. I changed the SharePoint web app pool service back to the defaults to use Network Service account; then Kerberos started working again and these prompts went away.
Dave, while SP2 does resolve, please take the time to inform the readers that it requires a special installation tool on the SBS 2008 platform (and Exchange SP2 "should not" installed without)
Microsoft Exchange Server 2007 SP2 Installation Tool for Windows SBS 2008
Update Rollup 1 for Exchange Server 2007 Service Pack 2 (KB971534)
ALSO: in reference to update rollup 9 on SBS 2008, that update also resolves the issue but during install, it throws a "quite silly" error relating to a permissions in accessing the Release Notes. Steps to resolve are
To remedy the 11321 error ( which we’ve seen every time we’ve installed Update Rollup 9 on SBS 2008 ):
•Go to C:\Program Files\Microsoft\Exchange Server\RelNotes.htm
•Change the permissions on this file to allow the current Administrator FULL CONTROL
•Apply the changes
•Restart Update Rollup 9 using RunAs from the Command Line
we've blogged this at http://wintivity.wigital.net/sbs/exchange-2007-sp1-update-rollup-9-fix-outlook-pop-up-sbs-2008/
hope this helps,
Mark ( WIGITAL )
Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS):
On a computer that is running Windows Server 2008, this rerelease addresses an issue that could cause Extended Protection not to function correctly when IIS is configured to use kernel-mode Windows Authentication.
It appears they've now fixed it.
Actually, that KB article refers to a different issue. By default, extended protection for Windows Authentication is not enabled for IIS 7 on SBS 2008. Disabling kernel mode authentication at the global level still stands as the resolution and is accomplished by installing either 973917 or Exchange 2007 UR 8 and later.