Forum Discussion
outlook 2010 and 2013 continually asks for password in hybrid environment
- Aug 19, 2020
pazzoide76 So it all came down to MFA via Security Defaults? That's not the first time I've heard it, as I now recall another conversation with a similar issue, not identical, where I actually suggested that. It didn't strike me as a solution this time and I can only blame my six weeks' vacation.
harveer singh Good job!
pazzoide76 Please mark the above reply with the solution as "Best response" for future reference.
pazzoide76 I hear you, just trying to figure stuff out at the same time working 😉
It's difficult to fully understand your config and scenario, I just attached the previous info as I've heard about it before. As for ADAL and your Outlook clients, have you taken this into consideration?
https://docs.microsoft.com/en-us/exchange/troubleshoot/modern-authentication/modern-authentication-configuration#outlook-2010
My configuration consists of Exchange 2016 CU17, and a full hybrid has been configured via HCW.
Since at the end of the wizard the warning came out:
HCW8064 The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth, you can try running the HCW again or manually configure OAuth using these manual steps
I used the procedure described in the article https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help?redirectedfrom=MSDN and in my opinion it is this configuration that causes authentication problems with Outlook 2010/2013.
Is there a procedure to delete that configuration?
I haven't done anything else.
I repeat: in the test environment that I installed over the weekend I did not enable that feature, and Outlook 2010 and 2013 work.
I have already tried the proposed keys without success.
Thank you
Regards
- ChristianBergstrom, Aug 18, 2020, Silver Contributor
pazzoide76 Well, as for Outlook 2010 you did see this?
- Modern Authentication is not supported.
- Users use Basic Authentication and may be prompted multiple times for credentials.
And have you also tried AlwaysUseMSOAuthForAutoDiscover? (Outlook 2013+).
I'm sure someone with more experience from migrations will reply at some point.
Good luck!
- pazzoide76, Aug 18, 2020, Iron Contributor
At this moment modern authentication is disabled, but neither Outlook 2010 nor Outlook 2013 works with the mailboxes migrated to Exchange Online.
However I made those registry changes in the 2013 outlook clients and they don't work.
I repeat: in the test environment that I installed over the weekend, which is the same as the one that is giving problems, the only difference is that I have not enabled that feature (https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help?redirectedfrom=MSDN) and Outlook 2010 and 2013 are working.
- harveer singh, Aug 18, 2020, Iron Contributor
Hello pazzoide76 ,
Long one!!
First off, OAuth is largely an authorization protocol and not an authentication one, which means you have to be authenticated against Office 365 first in order to leverage the OAuth authorization piece which you set up with Exchange on-premises. The article reads OAuth authentication because you are setting up an authentication flow between the servers, i.e. how they will be passing tokens amongst themselves for an authenticated user. Somewhat like signing in with a Google account on a third-party website.
That being said, in your case most probably even the authentication is not happening, so it is highly unlikely that OAuth is causing an issue. Also, if you have the latest Exchange 2016 CU and you are using the latest HCW wizard setup, OAuth should have been configured automatically. If that did not happen for some reason, and you followed the manual method to enable it and you would like to disable it anyhow, you won't find a definitive guide as such, but you can pretty much retract all the manual steps you performed in the article to the same effect.
Remove the added auth servers, disable the partner application, delete the IntraOrganization connectors in Office 365 and on-prem, and remove the MSOLprincipal entries you added manually. You can skip retracting the part where you imported the cert in Azure. Once you have done all that you would be good. But remember, next time you run hybrid quite possibly it would be back!
So before beating the OAuth horse to death, which most probably would rise like a phoenix anyhow, I would recommend exhausting all other options. Based on what you stated:
You have already run the command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $False ; against Office 365. Great, that's how it has to be if you are to use Outlook 2010 in the environment.
I have seen it take even 24 hours at times to replicate!
Here is another thing you can try: create an in-cloud user in Office 365 with the .onmicrosoft.com suffix, assign it an Exchange license and then try to configure a profile with it in Outlook 2013/2010. This should help isolate whether it is the client, or Office 365 has still not disabled modern authentication despite running the command.
Thanks
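
The objects named in the reply above (auth servers, partner applications, IntraOrganization connectors and the OAuth2ClientProfileEnabled setting) can be recorded before any of them is removed, so the manual OAuth steps can be compared against what a later HCW run puts back. This is an added example, not part of the thread or of Microsoft's documentation; the function name, label and output path are hypothetical, and it assumes an Exchange Management Shell (on-premises) or Exchange Online PowerShell session is already open.

```powershell
# Added example: read-only snapshot of the hybrid OAuth objects discussed in the thread.
# Only Get-* cmdlets are used; nothing is changed in the organization.
# Get-HybridOAuthSnapshot, -Label and the output file name are hypothetical names.
function Get-HybridOAuthSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$Label,   # e.g. "onprem" or "exo"
        [string]$OutDir = "."
    )

    # Run a cmdlet only if it exists in this session; otherwise record nothing for it.
    $collect = {
        param($Cmdlet, $Properties)
        if (Get-Command $Cmdlet -ErrorAction SilentlyContinue) {
            @(& $Cmdlet | Select-Object $Properties)
        } else {
            @()
        }
    }

    # Calculated properties turn enums, URIs and multi-valued fields into plain strings
    # so the JSON stays readable and easy to diff.
    $asText = { param($n) @{ Name = $n; Expression = [scriptblock]::Create("`"`$(`$_.$n)`"") } }

    $snapshot = [ordered]@{
        Label               = $Label
        TakenAtUtc          = (Get-Date).ToUniversalTime().ToString("s")
        OrgConfig           = & $collect 'Get-OrganizationConfig' @('Name', 'OAuth2ClientProfileEnabled')
        AuthServers         = & $collect 'Get-AuthServer' @('Name', 'Enabled', (& $asText 'Type'), 'IssuerIdentifier')
        PartnerApplications = & $collect 'Get-PartnerApplication' @('Name', 'Enabled', 'ApplicationIdentifier', 'Realm')
        IntraOrgConnectors  = & $collect 'Get-IntraOrganizationConnector' @('Name', 'Enabled',
                                  (& $asText 'TargetAddressDomains'), (& $asText 'DiscoveryEndpoint'))
    }

    $path = Join-Path $OutDir ("oauth-snapshot-{0}.json" -f $Label)
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
    return $path
}

# Example call, once per side of the hybrid:
# Get-HybridOAuthSnapshot -Label onprem
```

Taking one snapshot per side before retracting the manual steps, and another after the next HCW run, shows which of these objects were re-created.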