I build a lot of Exchange environments – for customers, for testing, for training courses. My build process is fairly well refined, and avoids common issues like incorrect namespace configuration or invalid SSL certificates. But every now and then I'll encounter an intermittent issue with users reporting unexpected Outlook authentication prompts. For a domain-joined computer running Outlook and connecting to Exchange, authentication prompts should be non-existent, assuming everything is configured correctly.
It's difficult to write this article without going into a long list of possible causes of authentication prompts in Outlook, but in the cases I had looked at:
- The namespace and SSL certificate configurations were correct
- The virtual directory settings on servers had not been incorrectly modified
- Sufficient time had passed for any Autodiscover caching on servers to have expired
- Load balancers had been bypassed
- Individual Exchange servers had been excluded from client connectivity
- Kerberos authentication had been deployed/removed
And yet the random, unexpected authentication prompts continued.
After seeing these issues for some time, I recently learned that I was not alone. Several other MVPs had also seen the issues at their customers. But the intermittent nature meant that customers were often reluctant to continue to engage a consultant to troubleshoot the issue, or to open a case with Microsoft, and so visibility of the issues were lost.
After lengthy discussion and testing in various environments to try and reliable reproduce the issue, we began to narrow it down to a potential problem with MAPI-over-HTTP (or MAPIHttp). MAPIHttp is the protocol that replaces Outlook Anywhere (RPC-over-HTTP) for Exchange Online, and optionally for Exchange 2013 and 2016 on-premises environments. Unfortunately, what we discovered was that disabling MAPIHttp made the Outlook auth prompts go away completely.
It's not ideal to be turning off MAPIHttp in production environments. RPC-over-HTTP has been deprecated, so we can expect it to go away at some stage in the future. MAPIHttp is the future, so it really needs to work. But all signs pointed to an issue with MAPIHttp.
However, after some persistent work by a few MVPs working with Microsoft support, it seems the cause of the unexpected Outlook authentication prompts has finally been identified as a bug with Outlook itself. I wasn't involved in identifying the root cause of the bug other than sharing my own testing results with the group, but wanted to write up the outcome here for maximum visibility. MVP Ingo Gegenwarth has written a blog post explaining the technical details of the issue. He also shares the good news that Outlook 2016 received an update in September that fixes the bug, and that Outlook 2013 has a fix coming soon as well.
So if you're experiencing unexpected Outlook authentication prompts in your on-premises environment, and you're absolutely sure you've ruled out all other causes, try updating Outlook to one of the builds that has the bug fix included in it, or try disabling MAPIHttp for a few mailboxes to see if the problem goes away.