Aaron Marks IT Consulting
EHLO; MAIL FROM: Aaron; RCPT TO: You; SUBJECT: Enjoy!
Non-domain Joined Outlook/Exchange Users
Author: Aaron Marks9 Mar
This topic is rarely addresssed because most Outlook/Exchange users tend to be domain joined, but in my testing I ran into a few issues that are worth making a public note of. First off, I want to say that I only tested this scenario with Exchange 2007, but this may be relevant to Exchange 2003 as well.
I did not run into any issues when using Exchange 2007 with Outlook when the Exchange server was also the Domain Controller (DC) and Global Catalog (GC) server. When I separated the Exchange 2007 server and the DC/GC I ran into an issue with Outlook not authenticating properly to the Directory Service through the RPC over HTTPS proxy. I was not able to track down the full reason behind the problem, but I figured out the solution as well as contributing factors.
Symptoms:
- Even when the RPC over HTTPS proxy in Outlook is configured to use NTLM authentication instead of basic it attempts to authenticate every time that Outlook opens. If Outlook does not ask for authentication at startup, then a simple peak into the connection status (right-click on the Outlook icon in the system tray while holding down the left-control key or launching Outlook using Run… outlook.exe /rpcdiag) will say that Directory is still connecting while Mail will say that it established.
- While the “Directory” says that it is still connecting in the connection status, Outlook will appear to be constantly synchronizing. This will eventually timeout and the user will be prompted for a password about 15 to 30 minutes into their Outlook session.
- No matter how many times the user specifies to “remember password”, the password will not be remembered.
Contributing factors:
- The directory authentication is not being properly proxied through to the DC/GC.
- The DC and Exchange server have different names; i.e. longhorn.aaronmarks.com (my Exchange server) and blackcomb.aaronmarks.com (my DC/GC)
- Exchange 2007 has a field that is not automatically filled in under the Management Console. Right-click on “Server Configuration” and select “Configuration Domain Controller”. These settings were not filled in for me, so if necessary fill them in appropriately.
Solution:
- The solution is to save the user’s password. In Windows XP and Vista this is referred to as saving a network password.
- This can be done in one of two ways, either for all server names or as a wildcard entry.
- I chose to do the easier of the two, being a wildcard entry; i.e. “*.aaronmarks.com”
- To save the network password you have to go under the Users control panel and on the left side there is a link that says “Manage your network passwords”
- Then just edit the current saved entry or create a new one using wildcard/asterisk; i.e. “*.domain.tld”
Now everything should be functioning as expected. The password should be saved for the user and they should not be continuously prompted. The only thing that I have yet to test is what will happen if/when the user is required to change their password.
3 Responses for "Non-domain Joined Outlook/Exchange Users"
Hi,
First of all, I just wanted to thank you for the solution for the wildcard user/pass solutions. It helped out a lot.
Secondly, I was wondering if you had made any progress with this issue. I am actually encountering the same issue as soon as I separated my Win2k8EE Single Server Exchange into Mailbox, HT/CAS, and GC/DC servers. Although the wildcard solutions DOES work, it would be nice to get to the bottom of this issue.
Thanks,
Brennan
you are SUCH a lifesaver. I have tried everything else I can think of. Putting in the wildcard fixed everything.
Much thanks!
Thank you for the excellent article. Solved the issue I was seeing.
Leave a reply