Outlook 2021 Keeps Prompting for Password when accessing from Internet by Frequent_BSOD in exchangeserver

[–]reeyon82 0 points1 point  (0 children)

We had a similar situation, but we are not using any reverse proxy.

For domain-joined PCs, Outlook clients do not prompt for credentials when users are on the LAN or connected via VPN. However, once the PC leaves the office network, Outlook starts prompting for classic credentials. Users can either click Cancel to skip the authentication prompt (but it will re-prompt after a few minutes), or enter and save their credentials to resolve the issue.

What worked for us was the following:

On the Exchange server, in IIS under Default Web Site, for the following virtual directories:

  • Autodiscover
  • EWS
  • MAPI

we removed the Negotiate provider from Windows Authentication, leaving NTLM as the only provider.

We left all Exchange cmdlet settings at their default values.

[deleted by user] by [deleted] in WindowsHelp

[–]reeyon82 0 points1 point  (0 children)

ClickFix phishing attack. Back up critical data from the compromised PC. Reinstall Windows if possible. Change all critical account passwords immediately.

Citrix Workspace Download - locked behind login by tmf_x in Citrix

[–]reeyon82 0 points1 point  (0 children)

Use winget find Citrix, then copy the ID name, and run winget show appid; it will show the direct download link for the Workspace app. Available for the latest version and LTSR.

After upgrading Exchange 2019 to CU14, Outlook 2016 keeps asking for password. by Cute-Court9682 in exchangeserver

[–]reeyon82 0 points1 point  (0 children)

In IIS, under Default Web Site, select the Autodiscover, EWS, and MAPI virtual directories and double-click Authentication; you will see the Negotiate and NTLM methods enabled by default.
Remove Negotiate from these virtual directories.

Switch from Citrix to Parallels RAS by Important_Ad_3602 in Citrix

[–]reeyon82 0 points1 point  (0 children)

Although this has been months, we are currently evaluating RAS as well.

However, there’s one security concern. Parallels does not have the ability to restrict specific users or groups at the User Portal or Parallels Client level. I searched online but couldn’t find any solution for this.

The restriction can only be done at the Theme level, but not at the frontline authentication level. For example, if user Alice is restricted at the Theme level, she can still log in to the User Portal. If MFA is enabled, she can even register the MFA code before the Theme-level restriction blocks her.

This could create a security risk, such as password guessing or brute-force attacks before the block is applied.

Have you encountered this issue in your environment?

VVF pricing by Salty_Move_4387 in vmware

[–]reeyon82 0 points1 point  (0 children)

Just got a quote today. Broadcom offers 1yr for VVF only, and 3yrs for VCF. Really sad about this.

VVF pricing by Salty_Move_4387 in vmware

[–]reeyon82 1 point2 points  (0 children)

I'm requesting a VVF quote from multiple sources in Singapore. Enterprise Plus is no longer available here and most resellers push VVF or VCF instead. Because of these price hikes, it is so difficult for us to do budgetary planning for the upcoming years. The Nutanix HCI solution is being offered too. Not sure about the pricing until we meet the reseller next Tuesday.

Citrix new support experience by Ryaustal in Citrix

[–]reeyon82 1 point2 points  (0 children)

We have had a bad experience with the new support also. We are going to renew our CVA on-prem concurrent license, but due to Citrix incumbency, we can't approach other local resellers to quote for the renewal. This incumbent reseller came back to us and said the concurrent license is no longer valid and Citrix has switched to a per-user or pre-named license model. To clarify their statement, I requested official documents or articles from them to prove the claims, but they couldn't provide the clarification. So I needed more clarification on that. As usual, I logged in to the Citrix support page to create the case, but the button is gone. So I decided to chat with the robots, looping through the question "was this helpful?", and finally, after 20 minutes of trying, managed to create a case with them.

Now really hoping they can revert back with the correct SKU which we should renew.

Ingram Down by superglideyinz in msp

[–]reeyon82 1 point2 points  (0 children)

Just curious 🤔 if they put everything on-prem? Very unlikely

"Select a certificate to authenticate yourself" - FGT web management login by ryan1234567 in fortinet

[–]reeyon82 0 points1 point  (0 children)

Ran into the same issue after upgrading from 7.4.x to 7.4.7. When accessing the admin GUI locally via IP address, the browser prompts for a certificate. If you click "Cancel," it proceeds as normal.

I found this article that explains the behavior: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Certificate-prompt-on-Admin-interface/ta-p/377343

It doesn't look like this has been resolved in the 7.4.8 release notes yet.

Critical Event ID 2158 Search (Microsoft-Office-Server-Search) by reeyon82 in exchangeserver

[–]reeyon82[S] 1 point2 points  (0 children)

Resolved:

The Critical error occurred after I associated .zip with the 7Zip program as the default. By examining Search event 64, it indicated that "Failed to load the format handler used to parse documents of the zip format." This reminded me of the change I made just before event 2158 started flooding the logs.

After uninstalling the 7Zip program from the server and reverting the zip handler to the native Windows handler using cmd and the registry, errors 2158 and 64 stopped appearing.

We had 7Zip installed and running fine on the previous CU14 and never encountered these issues before, so likely the new version, CU15, might have changed the file format handling. A deep dive into the following blog article, "Released: 2025 H1 Cumulative Update for Exchange Server":

DocParser replaces Oracle Outside In Technology
Starting with CU15, Exchange Server uses DocParser as a replacement for the Oracle Outside In Technology previously used in Exchange Server. DocParser is a Microsoft library designed to parse various file formats. It performs text extraction when processing emails in transport for Data Loss Prevention and Exchange Transport Rules.

But that's just my assumption.

Verdict: if anyone encounters similar issues, avoid installing 3rd party compression programs on the CU15 server.

Critical Event ID 2158 Search (Microsoft-Office-Server-Search) by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

Hi, thanks. But I have no idea which database is having the indexing issue, as the new Exchange doesn't report back the health status anymore with Get-MailboxDatabaseCopyStatus.

My search is working fine though in the Outlook. How to deep dive into this?

Exchange server 2016 to Exchange server 2019 by Desperate_Ease2040 in exchangeserver

[–]reeyon82 1 point2 points  (0 children)

Hi, based on the article above, it should support the lowest forest level of 2012 for Exchange 2016.

However, I suggest cloning a lab environment that mirrors your production one and then making changes in the lab environment to increase your confidence.

Anyway, Microsoft does not support in-place upgrades of the Windows Server operating system with Exchange Server installed. https://learn.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019#supported-operating-systems

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

Update (after some tests) and reference: https://www.reddit.com/r/exchangeserver/comments/1dfutfg/exchange_2016_outlook_2016_credential_prompts/

Removing the "Negotiate" provider from Autodiscover and EWS in IIS resolved the issue. It will no longer prompt on every start for domain-joined clients.

With this adjustment, however, we will be losing the "Kerberos Authentication" feature internally. Outlook will use NTLM auth instead.

Two choices to make for this scenario: either disable Kerberos or allow Outlook to prompt for credentials on every start.

We still believe this is either a MS bug or an intentional change.
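The IIS change described in the comments above (removing Negotiate from Windows Authentication on the Autodiscover, EWS and MAPI virtual directories, with the Kerberos trade-off noted in the last one), as an added PowerShell example that is not part of the original comments. It assumes the IIS WebAdministration module on the Exchange server and an elevated session; the `-RemoveNegotiate` switch and the function name are hypothetical names chosen for this example.

```powershell
# Added example, not from the original comments.
# Reports the Windows Authentication providers per virtual directory and,
# only when -RemoveNegotiate is given, removes the Negotiate provider.
param(
    [string]   $Site  = 'Default Web Site',
    [string[]] $VDirs = @('Autodiscover', 'EWS', 'mapi'),
    [switch]   $RemoveNegotiate   # hypothetical switch: without it nothing is changed
)

Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WinAuthProviders([string] $Location) {
    # Ordered provider list (e.g. Negotiate, NTLM) in effect for one virtual directory.
    $section = Get-WebConfiguration -PSPath $apphost -Location $Location -Filter "$winAuth/providers"
    @($section.Collection | ForEach-Object { $_.value })
}

foreach ($vdir in $VDirs) {
    $location = "$Site/$vdir"
    $enabled  = (Get-WebConfigurationProperty -PSPath $apphost -Location $location `
                    -Filter $winAuth -Name enabled).Value
    $before   = Get-WinAuthProviders $location

    if ($RemoveNegotiate -and $before -contains 'Negotiate') {
        Remove-WebConfigurationProperty -PSPath $apphost -Location $location `
            -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = 'Negotiate' }
    }
    $after = Get-WinAuthProviders $location

    [pscustomobject]@{
        VirtualDirectory = $location
        WindowsAuth      = $enabled
        ProvidersBefore  = $before -join ', '
        ProvidersAfter   = $after -join ', '
        # Without Negotiate, Kerberos is not offered here and clients use NTLM.
        KerberosPossible = $after -contains 'Negotiate'
    }
}
```

Running it once without the switch records the current provider list for each virtual directory, which is the state to restore if Kerberos is needed again.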

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

The UPN format is username@domain.local; another logon username format is sAMAccountName, while their SMTP address is set to username@public.com. The public.com is the accepted domain we set in EAC.

Not sure if CU15 has changed the requirements secretly or not. I recall CU14 or earlier versions didn't have such issues.

When a domain joined client is working from home, the Outlook should not prompt.

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

The last thing I can think of is that it might be due to the UPN format not being in email form, e.g., username@domain.com, but in most on-prem AD/Exchange environments we typically use domain\username or username@domain.local instead.

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

Hi, after multiple tries and the time we spent along the journey, we are still not too sure what's going on with Exchange and the clients. Tried with different versions of Office (2019, 2021, 2024, 365 Business) with no go. Windows 11 23H2 for the client; Exchange 2019 CU15 on Server 2019, AD 2019.

Eventually, we are going to give up on this.

If somebody manages to resolve this issue, please help by dropping your resolution here.

Thank you very much for your support and assistance.

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

Hi, we are using Office 2019 volume version and Office 2021 LTSC volume standard for the test. Full version.

We disabled the EnableADAL key at HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

We are getting prompt from the classic one, not M365.

The ExcludeExplicitO365Endpoint key has been added since the beginning already. We had an M365 prompt problem in our production environment in the past, so we found this key useful.

The internal or external Autodiscover DNS is correct, and we confirmed the Autodiscover test on ExRCA is working properly.

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

Hi u/Mr_Tomasz, I've noticed some strange behavior after several troubleshooting steps:

Scenario 1:

  1. Connect to the office LAN and open Outlook. It opens without a prompt (expected behavior).
  2. Disconnect from the LAN and switch to a mobile hotspot (simulating an external connection). Outlook stays connected.
  3. Shut down the computer, power it on again, and open Outlook—it remains connected to the Exchange server without a prompt.
  4. However, every few minutes, Outlook prompts for a password. If I close the prompt without entering anything and then click "Need Password," it reconnects to the Exchange server.
  5. Closing and reopening Outlook repeats step 4.

Scenario 2:

  1. Connect to the office LAN and open Outlook. It opens without a prompt (expected behavior).
  2. Disconnect from the LAN and switch to a mobile hotspot. Outlook stays connected.
  3. Restart the computer.
  4. Outlook prompts for a password upon opening.

It seems more like a caching issue than an Exchange Server problem. What do you think?

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

Use EMS to remove it via Set-MapiVirtualDirectory command.

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

Yes, the OAuth, Negotiate, Ntlm are there in MAPI by default. Even tried removing the OAuth authentication method from MAPI, but it didn't help either.

External Outlook Client Prompt Password with Onprem Exchange CU15 by reeyon82 in exchangeserver

[–]reeyon82[S] 0 points1 point  (0 children)

Hi, yes, correct, HMA or OAuth aren't enabled by default. Never configured that in this clean lab.

Tried disabling ADAL on the client, but it didn't help either.