Outlook Clients Can't Connect and Are Prompted for Authentication Repeatedly

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

This topic covers a connectivity issue that Outlook clients experience when they connect over Outlook Anywhere in an Exchange 2007 SP1 environment running on Windows Server 2008 that has Integrated Windows authentication enabled in kernel mode.

When an Outlook client using Outlook Anywhere tries to connect to Exchange 2007 running on Windows Server 2008, the client receives repeated prompts to enter their credentials and can't connect.

This is because Internet Information Services (IIS) 7.0, the Web server role in Windows Server 2008, has kernel mode enabled by default for Integrated Windows authentication.

Resolution

For clients to connect by using Outlook Anywhere when the Exchange 2007 SP1 Client Access server is running on Windows Server 2008, kernel mode must be disabled for Integrated Windows Authentication on IIS.

Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Organization Administrator role. You must have an administrator account or be a member of the Administrators group on the computer that is running Windows Server 2008, and you must have read-write access permissions to the following target server-level configuration files: Machine.config, the root Web.config file (in the .NET Framework directory), and ApplicationHost.config.

If you are running 64-bit Windows, use Appcmd.exe from the LocalDrive\system32\inetsrv directory, not the LocalDrive\syswow64\inetsrv directory.

Procedure

Disable kernel mode in Integrated Windows authentication on the computer running the Exchange 2007 SP1 Client Access server role on Windows Server 2008

  1. Click Start > Run.

  2. In the Open box, type cmd, and then press Enter.

  3. Type the following command:

    %systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false /commit:apphost
    

Note

If legacy Entourage clients exist in your organization, or you have users that connect to Outlook Web Access by using an /exchange virtual directory, you must repeat these steps on all Exchange 2007 Mailbox servers that have IIS 7 installed.

Stop and start IIS on the Exchange 2007 SP1 Client Access server running Windows Server 2008

  1. Click Start > Run.

  2. In the Open box, type the following file path, and then press Enter:

    %windir%\system32\inetsrv
    
  3. Right-click Appcmd.exe, and then click Run as administrator.

  4. Type the following commands to stop IIS at the site level:

    Stop Site MySite
    Set Site MySite /serverAutoStart:false
    
  5. Type the following commands to start IIS at the site level:

    Start Site MySite
    Set Site MySite /serverAutoStart:true