SOLVED

Outlook constantly reverts to "Need Password"

%3CLINGO-SUB%20id%3D%22lingo-sub-1398963%22%20slang%3D%22en-US%22%3EOutlook%20constantly%20reverts%20to%20%22Need%20Password%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1398963%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20an%20Exchange%20(2016%20CU%2016)%20Hybrid%20set%20up%2C%20with%20all%20mailboxes%20stored%20On-Prem.%26nbsp%3B%20I%20use%20MFA%2FADFS%20for%20Authentication.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20number%20of%20my%20users%20are%20getting%20%22Need%20Password%22%20a%20few%20minutes%20after%20starting%20Outlook.%26nbsp%3B%20You%20can%20double%20click%20on%20this%20(no%20prompt%20for%20password)%20and%20it%20connects%20to%20exchange%2C%20downloads%20the%20latest%20messages%20and%20then%20reverts%20back%20to%20%22Need%20Password%22.%26nbsp%3B%20Creating%20a%20new%20profile%20resolves%20the%20issue%20for%20a%20little%20while%2C%20but%20then%20reverts%20back%20to%20the%20same%20issue.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20only%20long%20term%20fix%20I%20have%20found%20is%20to%20disable%20ADAL%20%3A%3C%2FP%3E%3CPRE%3E%5BHKCU%5CSOFTWARE%5CMicrosoft%5COffice%5C16.0%5CCommon%5CIdentity%5D%0A%22EnableADAL%22%3Ddword%3A00000000%3C%2FPRE%3E%3CP%3E%26nbsp%3BI%20was%20under%20the%20impression%20that%20ADAL%20is%20more%20secure%2C%20and%20hence%20I%20don't%20particularly%20want%20to%20disable%20it.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20enlighten%20me%20as%20to%20why%20I%20need%20to%20disable%20ADAL%20to%20get%20Outlook%20to%20work%3F%26nbsp%3B%20What%20implications%20does%20it%20have%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1398963%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1399394%22%20slang%3D%22en-US%22%3ERe%3A%20Outlook%20constantly%20reverts%20to%20%22Need%20Password%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1399394%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F370869%22%20target%3D%22_blank%22%3E%40BrentStobbs%3C%2FA%3E%26nbsp%3BHello%20Brent%2C%20I%20certainly%20agree%20that%20you%20should%20enable%20and%20use%20ADAL.%20ADAL%2FWAM%20issues%20can%20be%20a%20real%20pain%2C%20especially%20in%20some%20environments.%20I've%20heard%20from%20some%20organizations%20that%20they%20have%20solved%20similar%20issues%20either%20by%20using%20the%20registry%20key%20'ExcludeExplicitO365Endpoint'%20or%20reestablishing%20the%20Microsoft.AAD.BrokerPlugin%20at%20the%20affected%20machines%20(which%20I%20believe%20could%20be%20the%20case%20here).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20attaching%20a%20couple%20of%20links%20to%20guide%20you%20in%20the%20right%20direction%20and%20for%20reference.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fpulse%2Fsolving-modern-authentication-issues-office-365-chris-leet%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.linkedin.com%2Fpulse%2Fsolving-modern-authentication-issues-office-365-chris-leet%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Ftroubleshoot%2Fauthentication%2Fautomatic-authentication-fails%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Ftroubleshoot%2Fauthentication%2Fautomatic-authentication-fails%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F3211279%2Foutlook-2016-implementation-of-autodiscover%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F3211279%2Foutlook-2016-implementation-of-autodiscover%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1399656%22%20slang%3D%22en-US%22%3ERe%3A%20Outlook%20constantly%20reverts%20to%20%22Need%20Password%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1399656%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E%26nbsp%3BThank%20you%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20believe%20I%20have%20resolved%20this%20issue.%26nbsp%3B%20After%20researching%20the%20issue%20and%20coming%20across%20the%20suggestion%20to%20delete%20the%20registry%20key%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHKEY_CURRENT_USER%5CSoftware%5CMicrosoft%5COffice%5C16.0%5CCommon%5CIdentity%5CIdentities%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhile%20this%20didn't%20resolve%20the%20issue%2C%20it%20pointed%20me%20to%20the%26nbsp%3Berror%20%3A%26nbsp%3B%3CSPAN%3EAADSTS500011%3A%20The%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Eresource%20principal%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3Bnamed%20%3CAUTODISCOVER%20url%3D%22%22%3E%20was%26nbsp%3B%3C%2FAUTODISCOVER%3E%3C%2FSPAN%3E%3CSTRONG%3Enot%20found%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3Bin%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Etenant%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3Bnamed%20%26lt%3B%3C%2FSPAN%3E%3CSTRONG%3Etenant%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3BID%26gt%3B.%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20checking%20the%20Service%20Principal%20URLs%20I%20found%20that%20the%20Autodiscover%20URL%20was%20not%20added.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20running%20the%20following%20commands%20(As%20per%20%3CA%20href%3D%22https%3A%2F%2Fblog.markdepalma.com%2F%3Fp%3D490%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblog.markdepalma.com%2F%3Fp%3D490%3C%2FA%3E%3A(%3C%2Fimg%3E%3C%2FP%3E%3CPRE%3E%24x%20%3D%20Get-MsolServicePrincipal%20-AppPrincipalId%2000000002-0000-0ff1-ce00-000000000000%0A%24x.ServicePrincipalnames.Add(%22https%3A%2F%2Fautodiscover.domain.com%2F%22)%0ASet-MSOLServicePrincipal%20-AppPrincipalId%2000000002-0000-0ff1-ce00-000000000000%20-ServicePrincipalNames%20%24x.ServicePrincipalNames%3C%2FPRE%3E%3CP%3EThe%20problem%20has%20been%20resolved%20for%20the%20past%20hour.%26nbsp%3B%20I'm%20still%20monitoring%20before%20the%20celebration.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I have an Exchange (2016 CU 16) Hybrid set up, with all mailboxes stored On-Prem.  I use MFA/ADFS for Authentication.

 

A number of my users are getting "Need Password" a few minutes after starting Outlook.  You can double click on this (no prompt for password) and it connects to exchange, downloads the latest messages and then reverts back to "Need Password".  Creating a new profile resolves the issue for a little while, but then reverts back to the same issue.

 

The only long term fix I have found is to disable ADAL :

[HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"EnableADAL"=dword:00000000

 I was under the impression that ADAL is more secure, and hence I don't particularly want to disable it. 

 

Can anyone enlighten me as to why I need to disable ADAL to get Outlook to work?  What implications does it have?

 

Thanks

2 Replies
Highlighted

@BrentStobbs Hello Brent, I certainly agree that you should enable and use ADAL. ADAL/WAM issues can be a real pain, especially in some environments. I've heard from some organizations that they have solved similar issues either by using the registry key 'ExcludeExplicitO365Endpoint' or reestablishing the Microsoft.AAD.BrokerPlugin at the affected machines (which I believe could be the case here).

 

I am attaching a couple of links to guide you in the right direction and for reference.

 

https://www.linkedin.com/pulse/solving-modern-authentication-issues-office-365-chris-leet/

 

https://docs.microsoft.com/en-us/office365/troubleshoot/authentication/automatic-authentication-fail...

 

https://support.microsoft.com/en-us/help/3211279/outlook-2016-implementation-of-autodiscover

 

 

Highlighted
Best Response confirmed by BrentStobbs (Occasional Contributor)
Solution

@bec064 Thank you

 

I believe I have resolved this issue.  After researching the issue and coming across the suggestion to delete the registry key

 

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities

 

While this didn't resolve the issue, it pointed me to the error : AADSTS500011: The resource principal named <autodiscover URL> was not found in the tenant named <tenant ID>.

 

After checking the Service Principal URLs I found that the Autodiscover URL was not added.

 

After running the following commands (As per https://blog.markdepalma.com/?p=490:(

$x = Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
$x.ServicePrincipalnames.Add("https://autodiscover.domain.com/")
Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames

The problem has been resolved for the past hour.  I'm still monitoring before the celebration.