Outlook is attempting to authenticate to the Exchange server using local username and password


Hi!

We are using Exchange Server 2016 with the latest updates and primarily using Outlook 2019 or 2021 clients. We have bound an internal Exchange mailbox account, and every time Outlook is launched on a non-domain computer, it attempts multiple authentications on the Exchange server using the local user account (some of my users are working on non-domain computers). However, Outlook actually functions properly. I'm not sure why it is attempting to authenticate using the local username. I have checked if the incorrect username and password are saved in the Credential Manager for the user. I can see a large number of Event 4625 audit failures in the failed logs on the Exchange server, corresponding to my non-domain computer account "ZYY" in this case.


账户登录失败。

用户:
安全 ID:S-1-0-0
账户名称: -
账户范围: -
登录ID: 0x0

登录类型: 3

登录失败的账户:
安全 ID:S-1-0-0
账户名称:ZYY
账户范围: LAPTOP-P0SO72JO

失败信息:
失败原因:未知用户名或密码错误。
状态: 0xC000006D
子状态: 0xC0000064

进程信息:
调用方进程ID: 0x0
调用方进程名: -

网络信息:
工作站名称: LAPTOP-P0SO72JO
来源网络地址: 123.52.19.87
源端口: 14118

详细身份验证信息:
登录进程: NtLmSsp
身份验证数据包:NTLM
配送服务:-
数据包名(仅限 NTLM): -
长度: 0

登录请求失败时在尝试访问的计算机上生成此事件。

"用户"字段指示本地系统上请求登录的帐户。这通常是一个服务(例如 Server 服务)或本地进程(例如 Winlogon.exe 或 Services.exe)。

"登录类型"字段指明了发生的登录类型。最常见的类型是 2 (饮料)和 3 (网络)。

"进程信息"字段表明系统上的哪个账户和进程请求了登录。

"网络信息"字段指示远程登录请求来自哪里。"工作站名"并不总是可用,而且在某些情况下可能会留为空白。

"身份验证信息"字段提供有关此特定登录请求的详细信息。
-"传递服务"指明了哪些直接服务参与了此登录请求。
-“数据包名”指明在 NTLM 协议之间使用了哪些子协议。
-"密钥长度"指示生成的会话密钥的长度。如果没有请求会话密钥,则该字段为0。

 

I came across a similar issue while browsing for solutions, and I suspect that this might be a long-standing problem. Here are some relevant links:

 
10 Replies
Try deleting unnecessary items in Control Panel -> Credential Manager!
Hi YOUN ANN
Thank you very much for your reply. I tried to look for the credentials in the credential manager, but I couldn't find any relevant credentials. It's possible that these credentials are not visible in the control panel.

I found that Outlook automatically uses the current Windows system login user credentials to authenticate with the Exchange server. For example, on my computer without a domain, the local user is Administrator. This results in corresponding authentication records for Administrator on the Exchange server, and multiple failed attempts can lead to the Administrator user account on the domain server being locked.

This method of using the Windows system user credentials for authentication is more suitable for domain-joined computers, but it can be problematic for non-domain computers when it comes to the Exchange system.

I'm wondering if there is a way to make Outlook only use its own email account credentials for authentication, instead of using the Windows system user credentials.

These are just my guesses and thoughts, and they may not be correct. I would like to understand the specific reasons and solutions. I welcome further discussion. Thank you.
Are the domain account and the non-domain computer account the same?
There will be similar situations, but most of them are different.

When the domain account and the non-domain computer account are the same, the error code generated in the log is "0xc000006a". At this time, the user exists, but the password of the non-domain computer account does not match the password of the domain account. Frequent verification will cause the domain account to trigger the lockout policy.

When the domain account and the non-domain computer account are different, the error code generated in the log is "0xc0000064". The non-domain computer account does not exist within the domain, and it will leave a large number of 4625 failure logs on the Exchange server.
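
The two sub-status codes distinguished in the reply above can be used to triage the 4625 events in bulk, separating log noise from attempts that count toward a domain account lockout. This is an added example, not part of the original thread; the function name `ConvertFrom-LogonFailureXml`, the sample events, the `DESKTOP-EXAMPLE` workstation and the 192.0.2.10 address are constructed for illustration.

```powershell
# Added example: group 4625 failures by account, workstation and SubStatus.
# Sub-status meanings are the two cases described in the thread.
$SubStatusMeaning = @{
    '0xc0000064' = 'account does not exist in the domain (log noise)'
    '0xc000006a' = 'account exists, wrong password (lockout risk)'
}

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][string]$Xml)
    # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
    $fields = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $sub = "$($fields['SubStatus'])".ToLower()
    [pscustomobject]@{
        Account     = $fields['TargetUserName']
        Domain      = $fields['TargetDomainName']
        Workstation = $fields['WorkstationName']
        SourceIp    = $fields['IpAddress']
        SubStatus   = $sub
        Meaning     = if ($SubStatusMeaning.ContainsKey($sub)) { $SubStatusMeaning[$sub] } else { 'other' }
    }
}

# Constructed sample events (only the fields used above), so this runs offline.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="TargetUserName">{0}</Data><Data Name="TargetDomainName">{1}</Data>
<Data Name="SubStatus">{2}</Data><Data Name="WorkstationName">{1}</Data>
<Data Name="IpAddress">192.0.2.10</Data></EventData></Event>
'@
$sample = @(
    ($template -f 'ZYY', 'LAPTOP-P0SO72JO', '0xc0000064'),
    ($template -f 'ZYY', 'LAPTOP-P0SO72JO', '0xc0000064'),
    ($template -f 'Administrator', 'DESKTOP-EXAMPLE', '0xc000006a')
)

# On the Exchange server, replace $sample with live events:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 |
#       ForEach-Object { $_.ToXml() }
$sample | ForEach-Object { ConvertFrom-LogonFailureXml -Xml $_ } |
    Group-Object Account, Workstation, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Meaning'; e = { $_.Group[0].Meaning } }
```

Rows with the 0xc000006a meaning identify local account names that collide with domain accounts and are the ones to watch for lockouts.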
Is Outlook Anywhere authentication method set to "NTLM" in Exchange Server 2016?
Currently, our OutlookAnywhere settings are as follows: external client authentication method is Basic, internal client authentication method is NTLM.
We have observed that the issue exists in both internal and external network environments. When checking the logs on the Exchange server, we can see that there are source IP addresses from both external and local networks.

Here is the result of the Exchange PowerShell query.

[PS] C:\Windows\system32>Get-OutlookAnywhere |fl ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod,IISAuthenticationMethods
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
ExternalClientAuthenticationMethod is Basic.
Please change Basic to NTLM.

Basic Authentication:
This method is the simplest form of HTTP authentication, where the username and password are sent over the network in plain text (base64 encoded), which is inherently insecure unless used over HTTPS.
I will try to make the modification.
Also, I would like to know if changing the ExternalClientAuthenticationMethod to NTLM can solve the issue of Outlook using computer local user credentials. We have observed that the issue exists internally as well, and the InternalClientAuthenticationMethod is already set to NTLM.

Currently, our client communicates with the Exchange server using HTTPS and has an SSL certificate binding. Is it safe to use NTLM in this scenario?
It's better than Basic Authentication.
Hi YOUN ANN
I have changed the ExternalClientAuthenticationMethod to NTLM, but I still see failed authentication records for non-domain computer users in the Exchange server logs. Is there any other solution to this problem?