# Assistance with Password Prompt For Exch2013/Outlook Users



## MasterNe0 (Jun 24, 2003)

We have an Exchange 2013 server that suddenly started to password prompt users when they are set up to the Exchange server internally.

So here is what is going on:

- We updated our SSL certificate + internal name to external name by redoing the autodiscovery to point to mail.domain.com instead of mail.domain.local so that we can renew our server SSL before the Nov 1 2015 deadline. That went fine and we didn't seem to have any issues for the past month.

- Yesterday the onsite firewall died. We swapped it out. After that happened, clients started to get Outlook password prompts every second as soon as Outlook launches. We checked the firewall and compared it to another FW at another client site, same rules (HTTPS + SMTP forwarded to the mail server).

- I tried a few things, including trying to add "authenticated users" with read access to the OAB directory and also trying to enable kernel-mode authentication in IIS for several items: autodiscover, rpc, ews, oab.

Currently the internalauthmode is set to "NTLM", external is set to "nego" and IISAuthMode is set to all 3 "Nego, NTLM, BASIC" after checking outlookanywhere. The addresses are all pointed to "www.domain.com" for anywhere autodiscovery.

Right now we are using a workaround, which is to turn off caching for the mail server Outlook settings, but this isn't a great solution for us as they will still get password prompts when they lose even a second of connection or have other network problems like slowness or overload.

My boss thinks it might be an SSL certificate. I am willing to work with someone to look at whether I did it all correctly, but I am honestly not sure where to go from here with this problem. I have the instructions or steps I use to update everything for the SSL certificate, so if anyone needs to look over what I have done, I am more than willing to share to deal with this password prompt problem.


----------



## rikai (Jul 30, 2011)

To verify, the only settings that were changed were the DNS names to provide for an external connection. Then after that, your firewall died and was replaced by an identical one with a known-working configuration, correct?


----------



## peterh40 (Apr 15, 2007)

When replacing an SSL certificate, make sure:
1. All the root certificates are installed OK on all the front-end CAS servers.
2. That the new certificate includes all the appropriate SAN names. The name of the OWA service, e.g. mail.mycompany.com, autodiscover.mycompany.com. The certificate is completed OK, i.e. that it has a valid private key.
3. The certificate is enabled for the IIS service on the CAS servers. E.g.:

   ```powershell
   # List every installed Exchange certificate with all of its properties
   Get-ExchangeCertificate | FL
   # Bind the chosen certificate (by thumbprint) to the IIS service
   Enable-ExchangeCertificate -Thumbprint <string> -Services IIS
   ```
4. Check the IIS console, and that Enable SSL is enabled only for the appropriate virtual directories: OWA, ECP, Exchange, Admin, etc.


----------
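
The certificate checks from peterh40's list, applied to the host names that the Outlook Anywhere and Autodiscover settings in the original post hand out to clients. This is an added example, not part of the original thread. `Test-NameCovered` is a hypothetical helper, and the script assumes it is run in the Exchange Management Shell on a CAS server; it only reads configuration.

```powershell
# Added example. Assumption: "$_" on a CertificateDomains entry yields the plain DNS name.
# Hypothetical helper: does a certificate name (exact or wildcard) cover $HostName?
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }   # -eq is case-insensitive for strings
        # A wildcard such as *.domain.com covers exactly one extra label.
        if ($n.StartsWith('*.') -and $HostName -match '^[^.]+\.(.+)$' -and
            $Matches[1] -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# Host names clients are actually sent to (Outlook Anywhere and the Autodiscover SCP).
$hosts = @()
Get-OutlookAnywhere | ForEach-Object {
    $hosts += "$($_.InternalHostname)", "$($_.ExternalHostname)"
}
Get-ClientAccessServer | ForEach-Object {
    if ($_.AutoDiscoverServiceInternalUri) {
        $hosts += ([uri]"$($_.AutoDiscoverServiceInternalUri)").Host
    }
}
$hosts = $hosts | Where-Object { $_ } | Sort-Object -Unique

# For each certificate bound to IIS: private key, validity, and which host names it misses.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match '\bIIS\b' } |
    ForEach-Object {
        $cert  = $_
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            Status        = $cert.Status
            NotAfter      = $cert.NotAfter
            Uncovered     = ($hosts | Where-Object { -not (Test-NameCovered $_ $names) }) -join ', '
        }
    } | Format-List
```

An empty `Uncovered` field means every published host name appears in the certificate's SAN list; any name listed there is one that clients are directed to but the IIS certificate does not cover.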

