You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature

You try to connect to a computer that is running Microsoft Exchange Server 2003 by using the Exchange RPC over HTTP feature of Microsoft Office Outlook 2003. However, you are prompted to provide your user account credentials even if you are logged on by using the Windows account that is mapped to your Exchange account.

This issue occurs for one of the following reasons:

• You are using Basic authentication to the proxy server for Exchange.
• You are using NTLM authentication to the proxy server for Exchange, but Windows does not automatically send the NTLM challenge/response data. Windows does not do this because the older LANMAN challenge/response password is included in the authentication data.

You can use the Exchange Remote Connectivity Analyzer to help diagnose and resolve this issue. To do this, visit the following Web site:https://www.testexchangeconnectivity.com (https://www.testexchangeconnectivity.com/)
Note Exchange Remote Connectivity Analyzer is a Web-based troubleshooting and diagnostic tool that will help identify the point of failure for Internet-based Exchange Server client connectivity scenarios. The tool simulates all the activities a client must be able to perform to connect, and then isolate the exact point of failure. Frequently, it will point out known configuration issues and provide suggested steps for resolution. The connectivity testing across the Internet (from outside your organization) is performed by a Web site hosted in a Microsoft datacenter.

Identifying a solution

Basic authentication

If you want to use Basic authentication, you must continue to type your user account credentials. There is no way for the client to submit your user name and password automatically. If you want to log on automatically, you must configure your Outlook profile to use NLTM authentication to the proxy server for Exchange.

Before you switch to NTLM authentication, you must verify with your administrator that NTLM authentication is permitted or even possible in your environment. Many firewalls and proxy servers will prevent successful NLTM authentication, whereas Basic authentication will work successfully. See the More Information section for additional details.

Note The authentication mechanism that you configure in Outlook is used only for the HTTP session to the proxy server for Exchange. The actual authentication between Outlook and your Exchange server always uses NTLM. See the More Information section for additional details.

To change the authentication mechanism on the Outlook client to NTLM, follow these steps:

1. Start Outlook 2003.
2. On the Tools menu, click E-mail Accounts.
3. Click View or change existing e-mail accounts, and then click Next.
4. Under Outlook processes e-mail for these accounts in the following order, click Microsoft Exchange Server, and then click Change.
5. On the Exchange Server Settings page, click More Settings.
6. Click the Connection tab.
7. Click Exchange Proxy Settings.
8. Under Proxy authentication settings, click NTLM Authentication in the Use this authentication when connecting to my proxy server for Exchange list.
9. Click OK two times.
10. Click OK again in response to the prompt that you must restart Outlook for the changes to take effect.
11. Click Next, and then click Finish.
12. Restart Outlook.

NTLM authentication

You notice that your account is configured to use NTLM authentication and that you are still prompted for your user name and password when you are logged on as the Windows account that has access to your Exchange mailbox. In this situation, you must set LmCompatibilityLevel on the client to a value of 2 or 3. To do this, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
3. In the pane on the right side, double-click lmcompatibilitylevel.
4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK.
5. Exit Registry Editor.
6. Restart your computer.

The authentication mechanism that is configured in your Outlook profile is used only for the HTTP session to the proxy server for Exchange. The actual authentication mechanism between Outlook and the Exchange server always uses NTLM when the mechanism is accessed by using remote procedure call (RPC) over HTTP. We strongly recommend that you use Secure Sockets Layer (SSL) encryption for the HTTP session to the proxy server for Exchange. This is especially true when you are using Basic authentication. If you use SSL encryption, this prevents your user name and password from being sent in clear text. Outlook will not let you use Basic authentication when you connect to the proxy server for Exchange without using SSL encryption.

You must sometimes use Basic authentication because NTLM authentication will fail if the proxy server for Exchange does not trust the authentication information. This issue can be caused by firewalls that examine the HTTP traffic and change it in some way. For example, a firewall may end the session from the Internet and establish a new session to the proxy server for Exchange instead of passing the HTTPS (SSL) session straight through without modification. This process is sometimes known as reverse proxying or Web publishing. Certain firewalls such as Microsoft Internet Security and Acceleration (ISA) Server 2004 can successfully reverse proxy or Web publish the session and still enable NTLM authentication to succeed. Basic authentication is not affected by this process and will work regardless of firewalls. However, if you use Basic authentication, this means that you must type your user name and password every time that you start an Outlook session.

LmCompatibilityLevel settings

The LmCompatibilityLevel registry entry can be configured by using the following values:

• LmCompatibilityLevel value of 0: Send LAN Manager (LM) response and NTLM response; never use NTLM version 2 (NTLMv2) session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
• LmCompatibilityLevel value of 1: Use NTLMv2 session security, if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
• LmCompatibilityLevel value of 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
• LmCompatibilityLevel value of 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
• LmCompatibilityLevel value of 4: (Server Only) - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse LM authentication, and accept NTLM and NTLMv2 authentication.
• LmCompatibilityLevel value of 5: (Server Only) - Domain controllers refuse LM and NTLM responses, and accept only NTLMv2 responses. Clients use NTLMv2 authentication, use NTLMv2 session security if the server supports it; domain controllers refuse NTLM and LM authentication, and accept only NTLMv2 authentication.

For more information about the Exchange over the Internet feature, click the following article number to view the article in the Microsoft Knowledge Base: For more information about how to configure RPC over HTTP in Exchange Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: