Recently, I had started migration of mailboxes to Microsoft Exchange 2013 CU1. As I started to move accounts over employees begun receiving prompts to enter their credentials for Outlook 2010/2013 and sometimes Lync 2013. These prompts had appeared during the opening of Outlook, Lync and intermittently thereafter. Reading two different articles one from TechNet: After Migration to Exchange 2013 – Credential user keep prompting on Outlook 2010 SP1 and Microsoft KB Article: Users of Exchange Server 2013 or Exchange Online can’t open public folders or shared mailboxes on an Exchange 2010 or Exchange 2007 server, I had tried different solutions ranging from changing authentication protocol to NTLM to Kernel-Mode Authentication for RPC and other virtual directories. The irony in all this, I had run into a similar issue with Exchange 2007 several years earlier.
Here are the steps I had to perform to fix this issue.
1. Logon to Exchange 2013 CAS Server.
2. Open IIS 7.0.
3. Locate virtual directories for Autodiscover and EWS (Exchange Web Services) under default website.
4. Select EWS.
5. Select authentication.
6. Set status DISABLED for Anonymous authentication.
7. Select Windows authentication, click ADVANCED SETTINGS, select ENABLE KERNEL-MODE AUTHENTICATION. Click OK.
8. Repeat Steps 5-7 for Autodiscover.
9. Go to command prompt, run IISRESET.
10. Close and re-open Outlook client.
Read more:
After Migration to Exchange 2013 – Credential user keep prompting on Outlook 2010 SP1 (TechNet)
garzafx 
This one helped me: https://blog.bissquit.com/mail-servers/exchange-server/exchange-server-and-split-dns/
LikeLike
I went down the Google rabbit hole trying to fix this and tried 4 or 5 different solutions to this problem and this is the only thing that worked. I’m testing a migration of our environment from Exchange 2007 to 2013 in a test environment and have hit several snags that have been easy to fix, but this one was a major pain. Thanks for documenting this!
LikeLiked by 1 person
Also, as a side note. I had this issue on CU22. The only issue I still have on the client side is that after migrating a mailbox, Outlook tells the user that the admin has made changes and they have to restart Outlook…so I restart Outlook, and it just stays in “Disconnected” state with no error popups or anything. The only fix is to blow up the Outlook profile and start over, turn off cached mode, or go into Account Settings and hit “repair” which seems to rediscover server settings and then it’s good. Only tested in Outlook 2013.
LikeLiked by 1 person
This is POST migration from 2010 to 2013 BTW. But we have users who get prompted for a password sometimes. But I noticed that if they change the username from [emailaddress] to [domain\username] it will login fine. Do you think this is the same issue as you were running into? Some are Outlook 2010 clients and others Outlook 2016.
LikeLike
Sorry for the delay, similar, try changing the order of offered authentication. Also is the UPN the same as Email address?
LikeLike
I don’t know what you mean by “irony” in your statement “The irony in all this, I had run into a similar issue with Exchange 2007 several years earlier.” I see no irony at all in this statement. This is probably one of the most misused words in the English language. Most people use the word irony or ironic when they really mean coincidence or coincidentally, as in “Coincidentally I had run into a similar issue with Exchange 2007 several years earlier.”
Other than this, your article was very helpful to me. Thanks for sharing it!
LikeLiked by 1 person
Just migrated from exchange 2010 to 2016, well in the process really. I have some users on EX2016 and some on 2010. Outlook prompt to enter password. Internally or externally. OWA / and devices seems to be working fine. i’ve tried your fix above and didnt do it. Is there anything else i can do.
LikeLiked by 1 person
Nothing you haven’t thought of already.
LikeLike
This will deactive the EWS Connections in use with Apple Macintosh and Outlook!
LikeLike
I had very similar problems with moving from 2010 to 2016. I’ve tried almost everything to fix this but problem remained. In the end it turns out that Outlook 2013 saw Exchange 2016 and thought: “Cool! Screw the RPC over HTTP, I can do MAPI over HTTP, despite the fact that IIS Auth methods for MAPI are set to none”. So, the solution was to tell exchange something:
> Get-MapiVirtualDirectory
> Get-MapiVirtualDirectory -identity “get one from previous command” | fl *IIS*
in case of {} result, do
> Set-MapiVirtualDirectory -identity “same thing here” -IISAuthenticationMethods Negotiate
LikeLiked by 1 person
Hi,
we have already migrated 1400 Mailboxes from Ex2007 to Ex2013. Everything is fine, but some users told us, that they get sometimes a prompt for username and pasword. It does not come frequently.
Does somebody know this issue?
BR, David
LikeLike
The prompt goes in waves?
LikeLike
It pops up by some users in different times.
LikeLike
That’s what I experienced
LikeLike
Great fix for Exchange 2016 CU1 Outlook password prompting!! Thanks!
LikeLiked by 1 person
[…] source : https://garzafx.com/2014/05/05/fix-for-outlook-20102013-prompts-for-user-id-and-password-after-migra… […]
LikeLiked by 1 person
There is another reason for this , if someone have not decommission the exchange servers correctly ! In my case it was Public Folder which was causing this problem since it was hosted on old exchange 2010 and we have shutdown those old server but those Public Folder records were still in AD then by using ADSiEdit we just have clear those Public Folder records , after that the popup for Password in outlook was gone forever.
LikeLike
Doing the suggested settings did not solve the problem at us, unfortunately. Actually, it created problems reaching the “Out of Office” settings from Outlook. Clients received a “The server is not available, please try again later.
When reverting the suggested settings, “Out of Office” works just fine again.
Best regards Ole.
Win Small Business Server 2011 Standard with Exchange Server 2010
LikeLike
Thanks so much for the great fix!
LikeLiked by 1 person
Glad to hear it!
LikeLike
This didn’t work for us, we migrated from 2007 to 2013 and only the 2013 users are experiencing these issues.
LikeLike
Might want to check authentication order. I was using internal and external under one namespace.
LikeLike
My envt. is simple as well. All roles on single server. Yes, still Ex- 2007. Handful of users left to migrate. I doubt its settings or authentication issue, as the moment I reset iis, it will work or if I wait for few hours and then try to configure profile it will definitely work. So I doubt there is settings, protocol issue. Its just something not refreshed instantly in IIS. That something is killing me..
LikeLike
Mine was consistent. Perhaps Ntlm authentication limitation in the mix.
LikeLike
This does not resolve the issue. resetting IIS relove it. But if I move another user after a while same issue. I knnow IIS rest will resolve it again but that will disconnect the users.
LikeLike
Have you tried sorting the authentication methods
LikeLike
Yes Sir.
LikeLike
That’s what worked for me but, mine environment was simple with just one exchange server with all the roles. Did you bind and resort the authentication in the gui or config file elsewhere ?
LikeLike
Additionally if I leave as it is for hours, and rebuild the outlook profile. It will work as well. So, that tells me something refresh after certain time that IISreset does instantly.
LikeLike
Following the steps provided in this article result in loss of connectivity from outlook clients to the 2013 server as well as a busted OWA page.
LikeLike
Loss of service, busted OWA page hadn’t experienced or heard of regarding these steps.
LikeLike
This worked for me.
Thank you very much for taking the time to post the fix.
LikeLiked by 1 person
Glad to hear it!
LikeLike
Hi Mark
We recently upgraded 2010 to 2013 and we are still in testing process. I created couple of new users on exchange 2013 and was testing outlook. I tested both on domain joined and workgroup machines and i’m unable to configure outlook as its keeps promting for the password at last stage.
Does the above fix apply even though i’m testing with 2013 users? (Not migrated users from 2010)
2013 Settings
1. OA authentication set to Basic – External and NTLM – Internal
2. We are using a new namespace for 2013 (email.domain.com) where in 2010 (mail.domain.com)
3. AudoDiscover currently ponts to CAS servers internal FQDN
4. Internal AD CA’s SSL being used
Please advise
Maz
LikeLike
Correct shouldn’t matter the kind of users. Just make sure to understand limitations of Ntlm vs. Kerebos authentication.
LikeLike
My environment is experiencing the same issue (I think). Did you have users get locked out of AD at any point? Our support center is having to unlock accounts daily because of this.
LikeLike
No AD lockouts Ryan
LikeLike
Thanks, that’s good to know. Mine may be a different root issue than yours with most of the same symptoms.
LikeLike
No
LikeLike
I am still getting the password prompt after this fix and the 7 others I have found. I have spent most of a day on this and am at my wits end. Any other insight into this?
LikeLiked by 1 person
Couple of questions?
1. What version of Exchange is being run?
2. What version of Office are you on?
3. Also, on the client side, what is your Adapter Binding order for the active nic? Outlook is very fickle when leveraging mapi. Make sure it is listed first.
LikeLike