Outlook 2010 and 2013 continually ask for password in hybrid environment

Hello,
I have implemented a full hybrid solution with an Exchange 2016 CU17 server.
I created the migexchange.it domain on O365 and synchronized the AD users via AAD Connect.
The autodiscover records, autodiscover.migexchange.it, for both the LAN and the internet point to my on-premises server.
The automatic Outlook configuration works correctly both from the LAN and from the internet for mailboxes on premises (with Outlook 2010, 2013 and 2016).
The autodiscover records will be moved to autodiscover.outlook.com after the mailbox migration is complete.
I migrated a test user who uses Outlook 2016 to Exchange Online, with no problem.
I migrated a test user with Outlook 2010 and 2013 to Exchange Online, and I can't log in.
Outlook keeps asking for the password.
In my opinion it is Outlook 2010 and 2013 not working properly with autodiscover in a hybrid solution, but I can't find a solution that works.
I imagine the autodiscover service is configured correctly, as with Outlook 2016 everything works correctly (both from the LAN and from the internet).
I tried the solutions proposed by the articles https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/outlook-prompt-password-m... and https://docs.microsoft.com/en-us/outlook/troubleshoot/sign-in/continually-prompts-password-office-365 without success.
Unfortunately my customer cannot change all the old Office versions as it is quite a big expense.
How can I solve my problem?

Thank you

Regards

Hello pazzoide76,

Outlook 2016 has an extra step in the Autodiscover process, to look for an O365 mailbox:
https://support.microsoft.com/en-in/help/3211279/outlook-2016-implementation-of-autodiscover

Outlook 2010 and 2013 do not have these hardcoded into them. Older versions of Outlook 2010, I believe older than SP2, do not support O365 completely because of the unsupported authentication mechanism.
You can check if the migrated mailbox has a valid Remote Routing Address or Target Address. Your Autodiscover configuration is correct; for now you do need to point it to your on premises, and attributes like remote routing address should be able to route your AutoD request to O365.

@DeepakRandhawa 

Thanks for your answer.
The Outlooks, both 2010 and 2013, have been updated with all the patches through Windows Update.
Excuse my ignorance, how do I check the Remote Routing Address or Target Address?

Thank you

Regards

@DeepakRandhawa 

I checked from ECP and the remote routing address looks correct and is:
pizza@migexchange.mail.onmicrosoft.com
Where can I check the target address?
If they were wrong, shouldn't it not work with Outlook 2016?

@DeepakRandhawa 

The target address is correct

SMTP:pizza@migexchange.mail.onmicrosoft.com

Can you try this for Outlook 2013: create the registry key below.

Registry key HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
Type REG_DWORD
Value 1

Let me know if this works.

Ref article: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/enable-modern-authentic...

@DeepakRandhawa 

Hello,
I entered the registry key but the problem persists.
I did an email autoconfiguration test with Outlook and the result is "autoconfiguration was unable to determine your settings!"
Any other ideas?

Thank you

Hello @pazzoide76

The registry entry article I shared was specifically for Outlook 2013 and not for Outlook 2010; I hope you have tested on an Outlook 2013 machine.
Run the command below for your tenant and check the status of OAuth:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

@DeepakRandhawa 

Yes, I tried the registry key, obviously with Outlook 2013.
This weekend I reproduced an identical environment in the laboratory (which works with Outlook 2010 and 2013).
The difference is that in the environment that does not work I have enabled https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan... as the HCW reported this warning:
warning HCW8064 The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth, you can try running the HCW again or manually configure OAuth using these manual steps
In the test infrastructure I have not implemented that functionality and both Outlook 2010 and 2013 work.

By running Get-OrganizationConfig | ft name, *OAuth* both on premises and on Exchange Online I get the following (the results are the same in both the test environment that works and the environment that doesn't work):
[PS] C:\Windows\system32>Get-OrganizationConfig | ft name, *OAuth*

Name OAuth2ClientProfileEnabled
---- --------------------------
First Organization False

while on Exchange Online it is enabled

PS C:\Users\challancin> Get-OrganizationConfig | ft name, *OAuth*

Name OAuth2ClientProfileEnabled
---- --------------------------
migexchange.onmicrosoft.com True

 

So I'm pretty sure the problem is https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan...
At this point I would like to understand how to disable it, but I have not found any article.
I have already tried this article https://docs.microsoft.com/it-it/microsoft-365/enterprise/remove-or-disable-hybrid-modern-authentica...?view=o365-worldwide without success.

Thanks

Regards

@pazzoide76

Try disabling modern authentication in the cloud:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $False

Give it a couple of hours or so; as it is a tenant-wide setting, it takes time to replicate.

Also consider upgrading Outlook clients, as MS has it on its agenda to disable basic authentication in Office 365.

@DeepakRandhawa 

Thanks for the reply.
As previously written, I had already done that test (and it had given a negative result); however, I made the change and waited 4 hours, but the problem persists.
The weird thing, as I wrote earlier, is that in a mirrored test environment (the only difference is that OAuth authentication between Exchange and Exchange Online organizations has not been enabled)
The point about updating the Outlook clients is correct; however, 2010 and 2013 are supported until October and in the test environment they work ....

Thank you

Regards

@pazzoide76 

Can you share the password prompt you are getting in the Outlook 2010 client? I would like to see if it is the basic authentication prompt or the modern authentication one.

More details here.

[Images: Outlook Basic Authentication Prompt; Outlook Modern Authentication Prompt]

@Mukesh 

This is the password prompt that is displayed (taken from Outlook 2013):

[Screenshot: pazzoide76_0-1597745085705.png]

@pazzoide76 Hello, in addition to the previous suggestions (Modern Authentication/ADAL), try using the ExcludeExplicitO365Endpoint registry key during the migration (and then remove it).

https://getadmx.com/?Category=Office2016&Policy=outlk16.Office.Microsoft.Policies.Windows::L_Outlook...

Exclude initial check to Office 365 Autodiscover URL

Registry Hive HKEY_CURRENT_USER
Registry Path software\policies\microsoft\office\16.0\outlook\autodiscover
Value Name excludeexplicito365endpoint
Value Type REG_DWORD
Default Value 0
True Value 1
False Value 0
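
An added example, not part of any post in this thread: a read-only PowerShell check for the two per-user registry overrides suggested above, useful for confirming what a test client actually has set and for spotting overrides left behind after migration. The paths and value names are the ones quoted in the posts; the `$checks` list, the `Get-OutlookOverride` helper and the state labels are hypothetical names chosen for this illustration.

```powershell
# Added example: audit the per-user Outlook overrides mentioned in this thread.
# Nothing is written or changed; paths and value names are copied from the posts above.
$checks = @(
    [pscustomobject]@{
        Path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
        Name = 'EnableADAL'
        Note = 'Outlook 2013 modern authentication (ADAL) opt-in'
    },
    [pscustomobject]@{
        Path = 'HKCU:\software\policies\microsoft\office\16.0\outlook\autodiscover'
        Name = 'excludeexplicito365endpoint'
        Note = 'Skips the initial Office 365 Autodiscover check; remove after migration'
    }
)

# Hypothetical helper: reports NotSet / Enabled / Disabled / WrongType for one value.
function Get-OutlookOverride {
    param([Parameter(Mandatory)] $Check)

    $state = 'NotSet'; $value = $null; $kind = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $key = Get-Item -LiteralPath $Check.Path
        # -contains is case-insensitive, matching registry value-name semantics.
        if ($key.GetValueNames() -contains $Check.Name) {
            $value = $key.GetValue($Check.Name)
            $kind  = $key.GetValueKind($Check.Name)
            # Both settings are given in the thread as REG_DWORD; flag anything else,
            # since a value created with the wrong type is easy to miss in regedit.
            if ($kind -ne 'DWord')  { $state = 'WrongType' }
            elseif ($value -eq 1)   { $state = 'Enabled' }
            else                    { $state = 'Disabled' }
        }
    }
    [pscustomobject]@{
        Name = $Check.Name; State = $state; Value = $value
        Type = $kind; Path = $Check.Path; Note = $Check.Note
    }
}

$checks | ForEach-Object { Get-OutlookOverride -Check $_ } |
    Format-Table Name, State, Value, Type, Note -AutoSize
```

Run it in the affected user's session, since both values live under HKEY_CURRENT_USER.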

@ChristianBergstrom 

The problem manifests itself with users migrated to Exchange Online (it keeps asking for login).
With users in the on-premises Exchange everything works fine.
Anyway, I tried the registry key but it keeps asking for the login.
I repeat that over the weekend I configured a mirror environment (in the test environment I did not enable https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan...) and Outlook 2010 and 2013 clients work.
I repeat, the two environments are the same; the only change is OAuth authentication between Exchange and Exchange Online organizations.

@pazzoide76 Ah, I understand. Could it be an incorrect autodiscover entry in the migrated mailbox that's causing this? Let me see if I can find an article describing this behavior.

@ChristianBergstrom 

If it was a badly configured autodiscover problem, why do Outlook 2016 clients work?

The problem occurs with all migrated mailboxes

@pazzoide76 I hear you, just trying to figure stuff out at the same time working ;)

It's difficult to fully understand your config and scenario, I just attached the previous info as I've heard about it before. As for ADAL and your Outlook clients, have you taken this into consideration?

https://docs.microsoft.com/en-us/exchange/troubleshoot/modern-authentication/modern-authentication-c...

@ChristianBergstrom 

My configuration consists of Exchange 2016 CU17, and a full hybrid has been configured via HCW.
At the end of the wizard this warning came out:
HCW8064 The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth, you can try running the HCW again or manually configure OAuth using these manual steps
So I used the procedure described in the article https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan... and in my opinion it is this configuration that causes authentication problems with Outlook 2010/2013.
Is there a procedure to delete that configuration?
I haven't done anything else.
I repeat, in the test environment that I installed over the weekend I did not enable that feature and Outlook 2010 and 2013 work.
I have already tried the proposed keys without success.

Thank you

Regards

@pazzoide76 Well, as for Outlook 2010, did you see this?

  • Modern Authentication is not supported.
  • Users use Basic Authentication and may be prompted multiple times for credentials.

And have you also tried AlwaysUseMSOAuthForAutoDiscover? (Outlook 2013+).

I'm sure someone with more experience from migrations will reply at some point.

Good luck!

Accepted Solutions
best response confirmed by pazzoide76 (Brass Contributor)
@pazzoide76 So it all came down to MFA via Security Defaults? That's not the first time I've heard it, as I now recall another conversation with a similar issue, not identical, where I actually suggested that. It didn't strike me as a solution this time and I can only blame my six weeks' vacation..

@harveer singh Good job!

@pazzoide76 Please mark the above reply with the solution as "Best response" for future reference.