There are multiple causes for Outlook clients to receive authentication prompts. One is impaired AD performance, where the DCs are negatively impacted and cannot respond quickly. Another is semaphore timeouts due to NTLM bottlenecks. In Exchange 2010 the CAS Array uses NTLM by default, and the recommendation is to use Kerberos.
Sometimes the authentication prompts may be due to the client version and its configuration. For example, Outlook 2007 requires additional configuration for Exchange 2010. This known issue is documented in KB 956531 — Outlook 2007 prompts you repeatedly for a password under certain network conditions.
You will need to ensure that Outlook 2007 is at the required build, and then edit the registry so that Outlook 2007 will automatically re-present the credentials to Exchange 2010. This issue does not occur with Outlook 2010; it is specific to Outlook 2007. Also note that Outlook 2007 has less than two years of extended support left at this time.
And now for the main feature!
Restarting Exchange 2010 CAS Server Causes Authentication Prompts
Whilst onsite with a customer today, we were discussing Exchange 2010 operational excellence, specifically around patching activities. The Senior Exchange admin noted that when she restarted a CAS server, the users who were connected to the server received an authentication prompt. This is the expected behaviour, and I commented that it is contained within the knowledgebase.
No problem, let's dig out that KB.
I have to say that the search deities were not on my side and it took an inordinate amount of time to find the KB that I knew existed. Hence I am adding it here so it is in our shared bookmarks.
The article that contains the notes is KB 2634633 — Outlook prompts for credentials when an Exchange Server 2010 CAS restarts.
It is expected that the client connections to the Exchange 2010 CAS server which is being rebooted have been removed. If not, restarting the CAS server will cause connected users to experience a credential prompt. In this scenario, the RPC service on CAS shuts down any existing connections, and sends a reset notification to clients. When a client tries to create a new connection, the new connection fails because CAS is not accepting new connections. This manifests itself on the client as a prompt for credentials.
Please consult with your load balancing team as to how best to approach this issue. For example, if there is a custom health check page on the server, the Exchange admin can edit that file to mark the server as down on the load balancer. The approach will vary depending upon your load balancing solution. Some load balancers support delegated access to certain functions, so that the network team can allow the Exchange team to perform certain tasks. Some do not. Your mileage will vary.
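The health check approach above, sketched as a pre-restart drain script. This is an added example, not taken from the KB article or from the customer's environment. It assumes the load balancer probes a static file (the path shown is hypothetical) and marks the node down when the file is missing, and that the RPC Client Access counter path exists on the server. Whether existing sessions are moved or left in place once the node is marked down depends on the load balancer.

```powershell
# Added example: take a CAS server out of the load balancer pool and wait for
# Outlook connections to drain before a planned restart.
# Assumptions: $HealthFile is a hypothetical probe file path; confirm the counter
# with: Get-Counter -ListSet 'MSExchange RpcClientAccess'
param(
    [string]$HealthFile     = 'C:\inetpub\wwwroot\lbhealth\healthcheck.htm',
    [string]$CounterPath    = '\MSExchange RpcClientAccess\Connection Count',
    [int]$MaxConnections    = 0,
    [int]$TimeoutMinutes    = 30,
    [int]$PollSeconds       = 30
)

$ErrorActionPreference = 'Stop'
$leaf     = Split-Path -Leaf $HealthFile
$disabled = "$HealthFile.disabled"

if (-not (Test-Path -Path $HealthFile)) {
    throw "Health check file not found: $HealthFile"
}

# Step 1: fail the probe so the load balancer stops sending new clients here.
Rename-Item -Path $HealthFile -NewName "$leaf.disabled"
Write-Host 'Health check disabled; waiting for the load balancer to mark the node down.'

# Step 2: poll the RPC Client Access connection count until drained or timed out.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $count = (Get-Counter -Counter $CounterPath).CounterSamples[0].CookedValue
    Write-Host ('{0:HH:mm:ss}  RPC connections: {1}' -f (Get-Date), $count)
    if ($count -le $MaxConnections) { break }
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

# Step 3: restart only when drained; otherwise put the node back in service.
if ($count -le $MaxConnections) {
    Write-Host 'Drained. Restart the server, then restore the probe file with:'
    Write-Host "  Rename-Item -Path '$disabled' -NewName '$leaf'"
} else {
    Rename-Item -Path $disabled -NewName $leaf
    throw "Still $count connections after $TimeoutMinutes minutes; probe restored, restart aborted."
}
```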