SOLVED

outlook 2010 and 2013 continually asks for password in hybrid environment

Brass Contributor

Hello,
I have implemented a full hybrid solution with an exchange 2016 cu17 server.
I created the migexchange.it domain on o365 and synchronized the AD users via AAD connect.
The autodiscover records,autodiscover.migexchange.it, for both the lan and the internet points to my on premise server.
The automatic outlook configuration works correctly both from the LAN and from the internet for mailboxes on premises (with outlook 2010,2013 and 2016).
The autodiscover records will be moved to autodiscover.outlook.com after the mailboxes migration is complete.
I migrated, on exchange online, a test user who uses outlook 2016 and no problem.
I migrated, on exchange online, a test user with outlook 2010 and 2013 and I can't log in.
Outlook keeps asking for the password.
In my opinion it is outlook 2010 and 2013 not working properly with autodiscover in a hybrid solution but I can't find a solution that works.
The autodiscover service I imagine is configured correctly as with outlook 2016 everything works correctly (both from the LAN and from the internet).
I tried to do the solutions proposed by the articles https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/outlook-prompt-password-m... and https://docs.microsoft .com / en-us / outlook / troubleshoot / sign-in / continually-prompts-password-office-365 without success.
Unfortunately my customer cannot change all the old offices as it is quite a big expensive.
How can I solve my problem?

 

Thank you

 

Regards

30 Replies

@ChristianBergstrom 

At this moment modern authentication is disabled but neither outlook 2010 nor outlook 2013 works with the mailboxes migarted on exchange online.
However I made those registry changes in the 2013 outlook clients and they don't work.
I repeat in the test environment that I installed over the weekend, which is the same as the one that is giving problems, the only difference is that I have not enabled that feature (https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan...) and Outlook 2010 and 2013 are working.

Hello @pazzoide76 ,

 

Long one!!

 

First off, Oauth is largely an authorization protocol and not an authentication one, which means you have to be authenticated against office 365 first in order to leverage the Oauth authorization piece which you setup with exchange on-premises. The article reads Oauth authentication because you are setting up an authentication flow between the servers i.e how they will be passing tokens amongst themselves for an authenticated user. Somewhat like signing in as a google account on a third party website.

That being said, in your case most probably even the authentication is not happening, so it is highly unlikely that Oauth is causing an issue. Also, if you have latest exchange 2016 CU and you are using latest HCW wizard setup, Oauth should have been configured automatically, if that did not happen for  some reason and you followed the manual method to enable it and you would like to disable it anyhow, you won't find a definitive guide as such but you can pretty much retract all the manual steps you performed in the article to the same effect.

Remove added authservers, disable partner application, Delete Intraorganization connectors office 365 and on-prem, Remove added MSOLprinicipal entries you added manually. You can skip retracting the part where you imported the cert in Azure, Once you have done all that you would be good. But remember next time you run hybrid quite possibly it would be back!

 

So before beating the Oauth horse to death, which most probably would rise like phoenix anyhow. I would recommend exhausting all other options. Based on what you stated:

 

You already have run the command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $False ; against office 365, great, that's how it has to be if you are to use outlook 2010 in the environment.

I have seen it take even 24 hours at times to replicate!

 

Here is another thing you can try, Create an in-cloud user in office 365 with .onmicrosoft.com suffix, assign it an exchange license and then try to configure a profile with it in outlook 2013/2010. This should help isolate if it is the client or office 365 has still not disabled modern authentication despite running the command.

 

Thanks

@harveer singh 


Thanks for your reply and clarifications.
However, more than 24 hours have passed and I tried again with an outlook 2013 client and I am prompted for the password.
I created a test user with dns suffix migexchange.onmicrosoft.com and outlook 2013 keeps asking for the password.
The same outlook 2013 client works in my test environment and on another o365 tenant of my customer (which I migrated to online exchange 1 month ago).

 

Thanks

 

regards

 

Hey @pazzoide76 ,

 

If even a .onmicrosoft account is not working that would mean that there is some issue with office 365 Tenant itself. Though disabling modern authentication should take care of the following but still check the following:

1. Make sure MFA is not enabled for the account via conditional access or otherwise.

2. Turn off Security defaults : https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...

3. Ensure there is no MFA when you login via web browser.

4. This one should not be required but still disable ADAL on-premises using the same key for 2013  which you used earlier to enable it. 

5. Use SARA to configure profile with .onmicrosoft account, see if it gives you any error :https://support.microsoft.com/en-gb/office/about-the-microsoft-support-and-recovery-assistant-e90bb6...

 

If all fails then i guess its time to bug Microsoft about it !

@harveer singh 

You are great.
The solution was Turn off Security defaults.
Now both the 2010 and 2013 outlooks go.
But is this feature enabled by default?

 

Thank you

best response confirmed by pazzoide76 (Brass Contributor)
Solution

@pazzoide76 So it all came down to MFA via Security Defaults? That's not the first time I've heard it as I now recall another conversation with a similar issue, not identical, where I actually suggested that. It didn't struck me as a solution this time and I can only blame my six weeks vacation..

 

@harveer singh Good job!

 

@pazzoide76 Please mark the above reply with the solution as "Best response" for future reference.

@ChristianBergstrom 

I simply have Turn off Security defaults.
The absurd thing is that I opened a call to 0365 support for a week and they kept telling me that it was the fault of registry keys or the autodiscover even though I told them that those outlooks worked with other tenants and that therefore it was not a problem of outlook.
An hour after your reply support 0365 also told me about Turn off Security defaults but it took a week of useless testing.

 

Thanks again

Hey @pazzoide76  Glad it worked out for you!

 

It all basically started last year when various security reports started pointing out weaknesses in office 365 security platform as it did not provide MFA enabled by default for admins/ critical accounts. Like this one: https://us-cert.cisa.gov/ncas/analysis-reports/AR19-133A

 

Office 365 did already provide base lines policies via conditional access to enforce MFA on admin accounts but the catch was it had to be enabled manually and most of the admins didn't. So Microsoft's answer to that was Security defaults launched this year:

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults...

 

My purpose of sharing the info with you; if you noticed the security report (first article), have pointed out that allowing legacy authentication protocols to connect to office 365 environment is also a possible threat. So your next task should be to look at conditional access policies to control from where you are allowing legacy applications to connect to office 365.

 

Thanks

 

@pazzoide76 Please mark @harveer singh reply as best response (not mine). Cheers!