Additional authentication prompt is displayed when an external network user signs in to an Office Communicator 2007 client

Article translations Article translations
Article ID: 2633194 - View products that this article applies to.
Expand all | Collapse all

On This Page

Symptoms

When a user tries to sign in to a Microsoft Office Communicator 2007 client from an external network, an additional credential prompt is displayed to retrieve calendar data from Outlook. 

Cause

This issue occurs because the Exchange Server 2007 Client Access server uses both Negotiate and NTLM protocols for authentication to return the available data back to the Office Communicator client. However, Office Communicator uses the NTLM protocol only to negotiate authentication. Therefore, an additional authentication is requested.

Workaround

To work around this issue, follow any of these steps.

Workaround 1: Enable Integrated Windows Authentication in Internet Explorer

You can retrieve available data through the Autodiscover service on the Office Communicator client. To do this, follow these steps:
  1. Open Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. On the Advanced tab, scroll down to the Security section.
  4. Click to clear the Enable Integrated Windows Authentication check box.
  5. Click OK.
  6. Exit Internet Explorer, and then start Internet Explorer.

Workaround 2: Use Registry Editor

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
You can use Registry Editor to enable the NTLM authentication on the Office Communicator client. To do this, follow these steps: 
  1. Click Start, and then click Run.
  2. In the Open box, type regedit and then click OK.
  3. In Registry Editor, select the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  4. Right-click EnableNegotiate, and then click Modify.
  5. In the Value data box, type 1, and then click OK.
  6. On the File menu, click Exit.

Workaround 3: Use Internet Information Services

You can instruct Internet Information Services on the Exchange Server 2007 Client Access server to set NTLM as the first authentication provider in the WWW-Authenticate header. To do this, use the appropriate method for the version of IIS that you have. 

For Internet Information Services 6.0

  1. Click Start, and then click Run.
  2. Type cmd, and then press ENTER.
  3. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
  4. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:
    cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
    In this command, WebSite is a placeholder for the Website ID number. The Website ID number of the default Website is 1.

    Warning Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

    Note This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note that is mentioned earlier in this section.
  5. Use the following command to enable the NTLM process:
    cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM,Negotiate"
  6. Repeat step 4 to verify that the NTLM process has enabled.
  7. Restart the IIS Admin Service that will restart all dependent services on the Exchange Server 2007 Client Access server.
Note If you receive an error message when you try to verify that the Negotiate process is enabled, make sure that you did not leave a space between "NTLM" and "Negotiate". For example, "NTLM,Negotiate" differs from "NTLM, Negotiate".

For Internet Information Services 7.0

  1. Click Start, and then click Run.
  2. Type cmd, and then press ENTER.
  3. Locate the directory that contains the Appcmd.exe file. By default, this directory is C:\Windows\System32\inetsrv.
  4. Use the following command to retrieve the current values for the WindowsAuthentication metabase property:
    appcmd list config /section:windowsAuthentication
    Warning Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.
  5. Use the following commands to remove Negotiate authentication:
    Appcmd.exe set config /section:windowsAuthentication /-providers.[value='Negotiate']
  6. Use the following commands to add Negotiate authentication:
    appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost
  7. Repeat step 4 to verify that the NTLM process has enabled.
  8. Restart the IIS Admin Service that will restart all dependent services on the Exchange Server 2007 Client Access server.

More information

For more information about the Autodiscover service, visit the following Microsoft website:
General information about the Autodiscover service

For more information about the Integrated Windows authentication, visit the following Microsoft website:
General information about the Integrated Windows authentication

Properties

Article ID: 2633194 - Last Review: January 28, 2013 - Revision: 2.0
Applies to
  • Microsoft Office Communicator 2007
  • Microsoft Exchange Server 2007 Standard Edition
  • Microsoft Exchange Server 2007 Enterprise Edition
Keywords: 
kbprb kbsurveynew kbtshoot kbexpertiseadvanced KB2633194

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com