Forum Discussion
outlook 2010 and 2013 continually asks for password in hybrid environment
- Aug 19, 2020
My configuration is composed with exchange 2016 cu17 and a full hybrid has been configured via HCW.
Since at the end of the wizard the warning came out:
HCW8064 The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth, you can try running the HCW again or manually configure OAuth using these manual steps
I used the procedure described in the article https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help?redirectedfrom=MSDN and in my opinion it is this configuration that causes authentication problems with Outlook 2010/2013.
Is there a procedure to delete that configuration?
I haven't done anything else.
I repeat: in the test environment that I installed over the weekend I did not enable that feature, and Outlook 2010 and 2013 work.
I have already tried the proposed keys without success.
Thank you
Regards
pazzoide76 Well, as for Outlook 2010, did you see this?
- Modern Authentication is not supported.
- Users use Basic Authentication and may be prompted multiple times for credentials.
And have you also tried AlwaysUseMSOAuthForAutoDiscover? (Outlook 2013+).
I'm sure someone with more experience from migrations will reply at some point.
Good luck!
- pazzoide76, Aug 20, 2020, Brass Contributor
you're right but how can I change it?
- ChristianBergstrom, Aug 20, 2020, Silver Contributor
pazzoide76 Please mark harveer singh reply as best response (not mine). Cheers!
- pazzoide76, Aug 20, 2020, Brass Contributor
Thanks for the clarification
- harveer singh, Aug 19, 2020, Steel Contributor
Hey pazzoide76 Glad it worked out for you!
It all basically started last year when various security reports started pointing out weaknesses in the Office 365 security platform, as it did not provide MFA enabled by default for admin/critical accounts. Like this one: https://us-cert.cisa.gov/ncas/analysis-reports/AR19-133A
Office 365 did already provide baseline policies via Conditional Access to enforce MFA on admin accounts, but the catch was it had to be enabled manually and most of the admins didn't. So Microsoft's answer to that was Security Defaults, launched this year:
My purpose in sharing the info with you: if you noticed, the security report (first article) pointed out that allowing legacy authentication protocols to connect to the Office 365 environment is also a possible threat. So your next task should be to look at Conditional Access policies to control from where you are allowing legacy applications to connect to Office 365.
Thanks
- pazzoide76, Aug 19, 2020, Brass Contributor
I simply turned off Security Defaults.
The absurd thing is that I had a call open with O365 support for a week and they kept telling me that it was the fault of registry keys or Autodiscover, even though I told them that those Outlooks worked with other tenants and that therefore it was not a problem with Outlook.
An hour after your reply, O365 support also told me about turning off Security Defaults, but it took a week of useless testing. Thanks again
- ChristianBergstrom, Aug 19, 2020, Silver Contributor
pazzoide76 So it all came down to MFA via Security Defaults? That's not the first time I've heard it, as I now recall another conversation with a similar issue, not identical, where I actually suggested that. It didn't strike me as a solution this time and I can only blame my six weeks' vacation.
harveer singh Good job!
pazzoide76 Please mark the above reply with the solution as "Best response" for future reference.
- pazzoide76, Aug 19, 2020, Brass Contributor
You are great.
The solution was to turn off Security Defaults.
Now both the 2010 and 2013 Outlooks work.
But is this feature enabled by default? Thank you
- harveer singh, Aug 19, 2020, Steel Contributor
Hey pazzoide76 ,
If even a .onmicrosoft account is not working, that would mean that there is some issue with the Office 365 tenant itself. Though disabling modern authentication should take care of this, still check the following:
1. Make sure MFA is not enabled for the account via Conditional Access or otherwise.
2. Ensure there is no MFA when you log in via a web browser.
3. This one should not be required, but still disable ADAL on-premises using the same key for 2013 which you used earlier to enable it.
4. Use SARA to configure a profile with the .onmicrosoft account and see if it gives you any error: https://support.microsoft.com/en-gb/office/about-the-microsoft-support-and-recovery-assistant-e90bb691-c2a7-4697-a94f-88836856c72f?ui=en-us&rs=en-gb&ad=gb
If all fails then I guess it's time to bug Microsoft about it!
- pazzoide76, Aug 19, 2020, Brass Contributor
Thanks for your reply and clarifications.
However, more than 24 hours have passed and I tried again with an Outlook 2013 client and I am still prompted for the password.
I created a test user with the DNS suffix migexchange.onmicrosoft.com and Outlook 2013 keeps asking for the password.
The same Outlook 2013 client works in my test environment and on another O365 tenant of my customer (which I migrated to Exchange Online 1 month ago). Thanks
regards
- harveer singh, Aug 18, 2020, Steel Contributor
Hello pazzoide76 ,
Long one!!
First off, OAuth is largely an authorization protocol and not an authentication one, which means you have to be authenticated against Office 365 first in order to leverage the OAuth authorization piece which you set up with Exchange on-premises. The article reads "OAuth authentication" because you are setting up an authentication flow between the servers, i.e. how they will be passing tokens amongst themselves for an authenticated user. Somewhat like signing in with a Google account on a third-party website.
That being said, in your case most probably even the authentication is not happening, so it is highly unlikely that OAuth is causing the issue. Also, if you have the latest Exchange 2016 CU and you are using the latest HCW setup, OAuth should have been configured automatically. If that did not happen for some reason and you followed the manual method to enable it, and you would like to disable it anyhow, you won't find a definitive guide as such, but you can pretty much retract all the manual steps you performed in the article to the same effect.
Remove the added auth servers, disable the partner application, delete the IntraOrganization connectors in Office 365 and on-prem, and remove the MSOL principal entries you added manually. You can skip retracting the part where you imported the cert in Azure. Once you have done all that you should be good. But remember, the next time you run hybrid it would quite possibly be back!
So before beating the OAuth horse to death (which most probably would rise like a phoenix anyhow), I would recommend exhausting all other options. Based on what you stated:
You have already run the command Set-OrganizationConfig -OAuth2ClientProfileEnabled $False against Office 365. Great, that's how it has to be if you are to use Outlook 2010 in the environment.
I have seen it take even 24 hours at times to replicate!
Here is another thing you can try: create an in-cloud user in Office 365 with the .onmicrosoft.com suffix, assign it an Exchange license and then try to configure a profile with it in Outlook 2013/2010. This should help isolate whether it is the client, or whether Office 365 has still not disabled modern authentication despite running the command.
Thanks
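The two posts above (the one recommending Conditional Access to limit where legacy authentication may connect from, and the one listing the objects the manual OAuth procedure creates and the tenant-wide OAuth2ClientProfileEnabled switch) both come down to "know what state the tenant is actually in before changing anything". The script below is an added example, not code from the thread or from Microsoft; it only reads state and makes no changes. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the first section is run in the on-premises Exchange Management Shell and the rest from an admin workstation, and that the list of legacy clientAppUsed values is the author's own approximation of what the Azure AD sign-in logs report for basic-auth protocols.

```powershell
# Added example (not from the thread): read-only audit of the hybrid OAuth objects,
# the tenant modern-auth switch, Security Defaults, and recent legacy-auth sign-ins.
# No object is modified; the output is meant to scope a Conditional Access policy
# and to confirm whether the state the thread describes is really what the tenant has.

# --- 1. On-premises Exchange (Exchange Management Shell) -------------------
# These are the objects the manual OAuth article creates; the reply above says
# they are what you would retract by hand. Listing them shows whether the manual
# procedure was ever applied and whether the HCW recreated them later.
Get-AuthServer               | Format-Table Name, IssuerIdentifier, Enabled
Get-PartnerApplication       | Format-Table Name, ApplicationIdentifier, Enabled
Get-IntraOrganizationConnector | Format-Table Name, TargetAddressDomains, Enabled

# --- 2. Exchange Online ----------------------------------------------------
Connect-ExchangeOnline
# $false is the state the thread ends in (modern auth off tenant-wide so that
# Outlook 2010 can connect); $true means Outlook 2010 cannot work regardless.
Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
Get-IntraOrganizationConnector | Format-Table Name, TargetAddressDomains, Enabled

# --- 3. Azure AD: Security Defaults and legacy-authentication sign-ins -----
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All"
# Security Defaults enforce MFA, which a basic-auth client such as Outlook 2010
# cannot satisfy: the symptom is exactly the repeated password prompt in the thread.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# Assumed list of clientAppUsed values that correspond to legacy (basic-auth) protocols.
$legacyClients = @(
    'Exchange ActiveSync', 'Exchange Web Services', 'IMAP4', 'POP3',
    'Authenticated SMTP', 'Outlook Anywhere (RPC over HTTP)',
    'MAPI Over HTTP', 'Autodiscover', 'Offline Address Book', 'Other clients'
)
# Graph wants an ISO-8601 UTC timestamp; "o" on a UTC DateTime yields the Z suffix.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('o')

# Who is still authenticating over legacy protocols, from where, and how often.
# This is the data a "block legacy auth except from these locations" Conditional
# Access policy should be built from before it is switched on.
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object UserPrincipalName, ClientAppUsed, IPAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run section 1 on the Exchange 2016 server and sections 2 and 3 from a workstation; the last table is the inventory to review before creating a Conditional Access policy that restricts legacy authentication, so that a migration-period exception (such as the Outlook 2010 clients in this thread) is scoped to known users and locations rather than left open for the whole tenant.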
- pazzoide76, Aug 18, 2020, Brass Contributor
At this moment modern authentication is disabled, but neither Outlook 2010 nor Outlook 2013 works with the mailboxes migrated to Exchange Online.
I also made those registry changes in the Outlook 2013 clients and they still don't work.
I repeat: the test environment that I installed over the weekend is the same as the one that is giving problems; the only difference is that I have not enabled that feature (https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help?redirectedfrom=MSDN) and Outlook 2010 and 2013 are working.