Non-domain Joined Outlook/Exchange Users
Author: Aaron Marks
This topic is rarely addressed because most Outlook/Exchange users tend to be domain joined, but in my testing I ran into a few issues that are worth making a public note of. First off, I want to say that I only tested this scenario with Exchange 2007, but this may be relevant to Exchange 2003 as well.
I did not run into any issues when using Exchange 2007 with Outlook when the Exchange server was also the Domain Controller (DC) and Global Catalog (GC) server. When I separated the Exchange 2007 server and the DC/GC I ran into an issue with Outlook not authenticating properly to the Directory Service through the RPC over HTTPS proxy. I was not able to track down the full reason behind the problem, but I figured out the solution as well as contributing factors.
- Even when the RPC over HTTPS proxy in Outlook is configured to use NTLM authentication instead of Basic, it attempts to authenticate every time Outlook opens. If Outlook does not ask for authentication at startup, a quick peek at the connection status (right-click the Outlook icon in the system tray while holding down the left Ctrl key, or launch Outlook via Run… with outlook.exe /rpcdiag) will show that Directory is still connecting while Mail shows as established.
- While “Directory” still shows as connecting in the connection status, Outlook will appear to be constantly synchronizing. This eventually times out and the user is prompted for a password about 15 to 30 minutes into their Outlook session.
- No matter how many times the user selects “remember password”, the password is not remembered.
- The directory authentication is not being properly proxied through to the DC/GC.
- The DC and Exchange server have different names; i.e. longhorn.aaronmarks.com (my Exchange server) and blackcomb.aaronmarks.com (my DC/GC).
- Exchange 2007 has a field under the Management Console that is not filled in automatically. Right-click “Server Configuration” and select “Configuration Domain Controller”. These settings were not filled in for me, so fill them in appropriately if necessary.
- The solution is to save the user’s password. In Windows XP and Vista this is referred to as saving a network password.
- This can be done in one of two ways: either an entry for each server name or a single wildcard entry.
- I chose the easier of the two, a wildcard entry; i.e. “*.aaronmarks.com”.
- To save the network password, open the Users control panel; on the left side there is a link that says “Manage your network passwords”.
- Then just edit the current saved entry or create a new one using a wildcard/asterisk; i.e. “*.domain.tld”.
Now everything should function as expected: the password is saved for the user and they should no longer be continuously prompted. The only thing I have yet to test is what happens if/when the user is required to change their password.
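The same stored-credential fix, scripted rather than clicked through, as an added example that is not part of the original post. It assumes cmdkey.exe is available (Windows Server 2003 / Vista and later; on XP use the control-panel path described above), that the hostnames and user name are placeholders to replace with your own, and that the password is typed at the cmdkey prompt rather than stored in the script.

```powershell
# Added example (not from the original post). Assumes cmdkey.exe is present and that the
# hostnames/user below are placeholders for your own Exchange RPC proxy and DC/GC names.
function Add-OutlookProxyCredential {
    param([string[]]$Target, [string]$User)   # Target: 'longhorn.aaronmarks.com' or '*.aaronmarks.com'
    foreach ($t in $Target) {
        # A wildcard target such as '*.aaronmarks.com' is offered to every host under that
        # DNS suffix, so one entry per known server name is the tighter of the two options.
        # '/pass' with no value makes cmdkey prompt, so the password never lands in this file.
        & cmdkey.exe "/add:$t" "/user:$User" /pass
        if ($LASTEXITCODE -ne 0) { throw "cmdkey failed for $t (exit code $LASTEXITCODE)" }
    }
}

function Test-OutlookProxyCredential {
    param([string]$Target)
    # cmdkey /list prints one 'Target:' line per stored entry (format assumed, e.g.
    # 'Target: Domain:target=*.aaronmarks.com'); match on the target name only.
    $stored = & cmdkey.exe /list
    $pattern = 'Target:.*' + [regex]::Escape($Target) + '\s*$'
    return [bool]($stored | Where-Object { $_ -match $pattern })
}

# Option 1: one entry per server name (Exchange RPC proxy and DC/GC).
$servers = 'longhorn.aaronmarks.com', 'blackcomb.aaronmarks.com'
Add-OutlookProxyCredential -Target $servers -User 'AARONMARKS\aaron'
# Option 2: the single wildcard entry used in the post.
# Add-OutlookProxyCredential -Target '*.aaronmarks.com' -User 'AARONMARKS\aaron'

# Verify the entries are present before restarting Outlook; then confirm with
# outlook.exe /rpcdiag that Directory reports Established rather than Connecting.
foreach ($s in $servers) {
    if (-not (Test-OutlookProxyCredential -Target $s)) { Write-Warning "No stored credential for $s" }
}
```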
Filed under: Exchange, Office