I build a lot of Exchange environments – for customers, for testing, for training courses. My build process is fairly well refined, and avoids common issues like incorrect namespace configuration or invalid SSL certificates. But every now and then I’ll encounter an intermittent issue with users reporting unexpected Outlook authentication prompts. For a domain-joined computer running Outlook and connecting to Exchange, authentication prompts should be non-existent, assuming everything is configured correctly.

It’s difficult to write this article without going into a long list of possible causes of authentication prompts in Outlook, but in the cases I had looked at:

  • The namespace and SSL certificate configurations were correct
  • The virtual directory settings on servers had not been incorrectly modified
  • Sufficient time had passed for any Autodiscover caching on servers to have expired
  • Load balancers had been bypassed
  • Individual Exchange servers had been excluded from client connectivity
  • Kerberos authentication had been deployed/removed

And yet the random, unexpected authentication prompts continued.

After seeing these issues for some time, I recently learned that I was not alone. Several other MVPs had also seen the issues at their customers. But the intermittent nature meant that customers were often reluctant to continue to engage a consultant to troubleshoot the issue, or to open a case with Microsoft, and so visibility of the issues were lost.

After lengthy discussion and testing in various environments to try and reliable reproduce the issue, we began to narrow it down to a potential problem with MAPI-over-HTTP (or MAPIHttp). MAPIHttp is the protocol that replaces Outlook Anywhere (RPC-over-HTTP) for Exchange Online, and optionally for Exchange 2013 and 2016 on-premises environments. Unfortunately, what we discovered was that disabling MAPIHttp made the Outlook auth prompts go away completely.

It’s not ideal to be turning off MAPIHttp in production environments. RPC-over-HTTP has been deprecated, so we can expect it to go away at some stage in the future. MAPIHttp is the future, so it really needs to work. But all signs pointed to an issue with MAPIHttp.

However, after some persistent work by a few MVPs working with Microsoft support, it seems the cause of the unexpected Outlook authentication prompts has finally been identified as a bug with Outlook itself. I wasn’t involved in identifying the root cause of the bug other than sharing my own testing results with the group, but wanted to write up the outcome here for maximum visibility. MVP Ingo Gegenwarth has written a blog post explaining the technical details of the issue. He also shares the good news that Outlook 2016 received an update in September that fixes the bug, and that Outlook 2013 has a fix coming soon as well.

So if you’re experiencing unexpected Outlook authentication prompts in your on-premises environment, and you’re absolutely sure you’ve ruled out all other causes, try updating Outlook to one of the builds that has the bug fix included in it, or try disabling MAPIHttp for a few mailboxes to see if the problem goes away.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Jackie

    Are others still experiencing this issue? We use Outlook 2016 and Exchange 2019 CU6.

    1. Geoff E

      Yes, my company is experiencing this issue. Office 2016, Exchange 2016 CU17.

  2. Ivy

    Hi Rico, i know it’s a really long shot . But how did you manage to fix your issue?
    We are currently having that exact same issue right now, and can’t find any solutions.

    Regards,

  3. Phil

    Hi Paul
    We have this issue with our new Hybrid. It affects all on-premise users who connect to O365 shared box or calendar. Looking at your comments around namespaces, should autodiscover be pointing to the 2016 Hybrid Exchange Server, or the existing 2013 Exchange Server i.e. mail.domain.com, or hybrid.domain.com?

  4. Udeme Ibanga

    Just a quick update on this issue, disabled mapi over http and all is now well for almost a week now. We have been able to migrate more mailboxes and no user complaints again on the password prompts. I will revisit enabling the new protocol when we move our clients from Win7/Outlook2010 to Win10/Outlook2016.

    Many thanks Paul, your website is a priceless for knowledge.

  5. Udeme Ibanga

    Well, this took me weeks before I stumbled across this page. We have exchange 2010 and just introduced exchange 2016. The password prompts have been just over the place from inside to outside and has really hampered the project and user service perception.

    I think I will investigate disabling Mapi over http for now till we upgrade our clients from outlook 2010 to 2016 in the near future.

  6. Eugene Beran

    I think this problem is not fixed. I had this problem on Exchange 2013 CU16 and spent hours testing it at night with my account running on fully patched Outlook 2016.
    Now that I am on Exchange 2016, I’m trying it again and inside the office it seems fine, but once I put my computer on an external network, it wants a password. If I don’t put one in and hit cancel, email works just fine, but after a bit it asks for a password again.

    On your hybrid page here: https://www.practical365.com/exchange-server/testing-new-exchange-hybrid-configuration-office-365/
    You mention:
    Note that the user will need to provide their credentials to authenticate to Exchange Online. Thanks to password synchronization they can use the same email address (which should match their UPN) and password as they use on-premises, and save the credentials to avoid being prompted every time

    Seems to me that this password prompt is due to EO using Mapi as well. And having the user save it just means that maybe they won’t see it again until their password changes.

    That would probably work in a local environment.
    I’ve seen many posts in forums about people just giving up and letting their users put them in and save them or going back to RPC. I’ve seen many posts claiming tickets were opened up with Microsoft to no resolution.

    1. Daniel

      Hi Eugene,

      do you have any resolution for this?

      I experience the exact same problem. I have a few users who are only working remotely. If they have established a VPN connection everything is fine. If they don’t, i. e. if they access their mailbox directly through the internet, they get a password prompt every now and then. No matter what they put in, the prompt will reappear after some time (can be minutes, can be hours). Interestingly if they just click cancel at the prompt Outlook says “Need password” and if they afterwards click on the “Need password” Outlook status goes back to connected without providing any password. I have already pulled my hair out to resolve this but cannot get a clue why this is happening. I am pretty sure all of the users having the problem are running Outlook 2016 on Windows 10. Our Exchange is also 2016.

      If anyone can help I’ll spend a German Weissbier! (Sorry, has to be picked up in Germany:-))

      Daniel

    2. Daniel

      I found at least a workaround: I have to admit I have never paid much attention to autodiscover because it was working years without. We do not have DNS records for autodiscover.domain.com. We have a SRV record internally but that’s it. I now figured out that when I add an entry for autodiscover.domain.com to the local hosts file on the clients the password prompts just disappear. They receive a certificate warning at the moment because the entry in the hosts file points to the owa.domain.com IP address but when they confirm the certificate the password prompt is gone until they start Outlook next time when the will be prompted once for their password, but not every few minutes anymore. I hope this helps someone.

  7. Rico Ebol

    Hi All,

    Today we have just experience the Outlook authentication prompt. I have only single Exchange Server 2016. The only thing I did today is replacing the SSL Certificate. That was in the morning, but then later in the afternoon, some users started getting prompt to enter their password. I noticed that it is mostly happening to users running Windows 10 w/Outlook 2016, Windows 7/8 w/Outlook 2016. But those running Windows 7 w/Outlook 2010 are not affected. The weird thing is it is happening only when connected on LAN, but if over the Internet, it works. I am really puzzled. I tried all possible solution available on the net including Paul’s suggestion, with no luck.

    I appreciate any suggestion/help.

    Thanks in advance!

    1. Allen Boutwell

      Do any of you have any updates on what was done to resolve your intermittent password prompts? I am currently working a ticket with Microsoft where a customer started receiving the prompts from Outlook 2013 clients connected to mailboxes on Exchange 2010.

      1. Antonio

        Hi Allen,

        Any updates on this from Microsoft, did you end up resolving your issue?

  8. Ricardo

    Paul, I have been having several cases opened with MS, but hasn’t been resolved. We are on a hybrid solution and it seems like some of our users starting getting the authentication prompt after we migrated them to O365. Lost connection to Public Folders. It was fixed temporarily after re-creating Outlook profile and deleting all the files under C:UsersusernameAppDataLocalMicrosoftOutlook. I will try to upgrade them to Outlook 2016 and see if that resolves the issue. Thanks

  9. Mike

    And here all this time I thought MS was just toying with our mailboxes like a dollar bill at the end of a fishing line. It’s nice to know that my pessimism was unfounded. Now I can let my users know that it wasn’t me toying with their Outlook mailboxes and perhaps dissuade their pessimism.

    As always, we enjoy the write-ups for all things Exchange. If it doesn’t make our lives easier, it at least helps us understand the enveloping chaos.

  10. Yves

    Great article..!!!

  11. RaMy

    Finally i see Explanation

  12. David

    You’re the king when it comes to Exchange builds, as always. Can’t tell you how many issues I solved / avoided after reading your articles. Thanks!

Leave a Reply