Article ID: 927612

Important This article contains information that shows you how to lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

Important These procedures only apply to Exchange Server 2003 and 2007. Do not apply the steps that are described in this article to Exchange Server 2010. A new article is being written for Exchange Server 2010 and will be referenced here when it is available.

SYMPTOMS

You have a mailbox that is hosted on a server that is running Microsoft Exchange Server 2003. When you start Microsoft Office Outlook 2007 to access this mailbox, you are repeatedly prompted to enter your credentials. If you click Cancel, you receive the following error message:
The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
In this situation, you cannot access your mailbox by using Outlook 2007.

If you use another program such as Microsoft Office Outlook 2003 to access the mailbox, you can successfully connect to Exchange.

CAUSE

This problem occurs if the following Service Principal Names are registered on the Exchange server and if the Exchange server is not a global catalog server:
  • exchangeAB/ExchangeServerName
  • exchangeAB/ExchangeServerName.example.com
A Service Principal Name (SPN) is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs. Kerberos authentication is not possible for Exchange services without correctly configured SPNs.

RESOLUTION

To resolve this problem, correctly configure the exchangeAB resources in the Active Directory directory service. To do this, follow these steps:
  1. Determine which global catalog server Exchange uses. To do this, follow these steps:
    1. Start the Exchange System Manager program.
    2. Expand Administrative Groups, expand your administrative group, expand Servers, right-click the Exchange server that you want to examine, and then click Properties.
    3. In the ExchangeServerName Properties dialog box, click the Directory Access tab.
    4. In the Show list, click Global Catalog Servers.
    5. Note the name of the computer that appears in the Domain Controller column.
  2. Install the Setspn.exe tool if it is not already installed. The Setspn.exe tool is included with the Windows Server 2003 Support Tools. To install the Windows Server 2003 Support Tools, double-click SUPPTOOLS.MSI in the Support\Tools folder on the Windows Server 2003 CD. Additionally, the Setspn.exe tool is included with the Microsoft Windows 2000 Resource Kit tools. To obtain this tool, visit the following Microsoft Web site:
    http://go.microsoft.com/fwlink/?LinkId=28103
  3. List the SPNs that are configured on the Exchange server. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type setspn -L ExchangeServerName, and then press ENTER. Results that resemble the following are returned:
      Registered ServicePrincipalNames for CN=<ExchangeServerName>,CN=Computers,DC=example,DC=com:
         exchangeAB/<ExchangeServerName>
         exchangeAB/<ExchangeServerName>.example.com
         exchangeMDB/<ExchangeServerName>
         exchangeMDB/<ExchangeServerName>.example.com
         exchangeRFR/<ExchangeServerName>
         exchangeRFR/<ExchangeServerName>.example.com
         SMTPSVC/<ExchangeServerName>
         SMTPSVC/<ExchangeServerName>.example.com
         HOST/<ExchangeServerName>
         HOST/<ExchangeServerName>.example.com
      In this output, ExchangeServerName is the name of the Exchange server. Additionally, example.com is the name of the domain.

      When you work with a clustered Exchange Server configuration, the following SPNs should be set on each node:
      servicePrincipalName: SMTPSVC/<ExchangeServerNodeName>.example.com
      servicePrincipalName: SMTPSVC/<ExchangeServerNodeName>
      servicePrincipalName: HOST/<ExchangeServerNodeName>
      servicePrincipalName: HOST/<ExchangeServerNodeName>.example.com
      
      The following SPNs should be set only on the Exchange Virtual Server name, if clustered:
      servicePrincipalName: exchangeMDB/<ExchangeVirtualServerName>.example.com
      servicePrincipalName: exchangeMDB/<ExchangeVirtualServerName>
      servicePrincipalName: exchangeRFR/<ExchangeVirtualServerName>.example.com
      servicePrincipalName: exchangeRFR/<ExchangeVirtualServerName>
      servicePrincipalName: MSClusterVirtualServer/<ExchangeVirtualServerName>.example.com
      servicePrincipalName: MSClusterVirtualServer/<ExchangeVirtualServerName>
      servicePrincipalName: HOST/<ExchangeVirtualServerName>.example.com
      servicePrincipalName: HOST/<ExchangeVirtualServerName>
      Note These SPNs should not be set on the individual node names because it can create duplicate SPNs and can cause Kerberos issues.
  4. Unregister the exchangeAB SPNs from the Exchange server. To do this, follow these steps:
    1. At the command prompt, type the following command, and then press ENTER:
      setspn -D exchangeAB/ExchangeServerName ExchangeServerName
    2. At the command prompt, type the following command, and then press ENTER:
      setspn -D exchangeAB/ExchangeServerName.example.com ExchangeServerName
  5. Register the exchangeAB SPNs with the global catalog server. To do this, follow these steps:
    1. At the command prompt, type the following command, and then press ENTER:
      setspn -A exchangeAB/GlobalCatalogServerName GlobalCatalogServerName
    2. At the command prompt, type the following command, and then press ENTER:
      setspn -A exchangeAB/GlobalCatalogServerName.example.com GlobalCatalogServerName
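
Steps 3 through 5 above, as an added PowerShell example that is not part of the original article: it parses `setspn -L` output, finds exchangeAB SPNs registered on an Exchange server that is not the global catalog, and prints the `setspn -D` and `setspn -A` commands the article gives. The function name `Get-ExchangeAbSpnPlan`, its parameters, and the host names EXCH01 and GC01 are hypothetical, and the sample output is constructed.

```powershell
# Added example. Get-ExchangeAbSpnPlan, EXCH01 and GC01 are hypothetical names.
function Get-ExchangeAbSpnPlan {
    param(
        [Parameter(Mandatory)] [string[]] $SetSpnOutput,   # lines of: setspn -L <server>
        [Parameter(Mandatory)] [string]   $ExchangeServer, # server the SPNs were listed for
        [Parameter(Mandatory)] [string]   $GlobalCatalog,  # GC noted in step 1
        [Parameter(Mandatory)] [string]   $DnsDomain       # for example: example.com
    )
    # The cause only applies when the Exchange server is not itself the GC.
    if ($ExchangeServer -ieq $GlobalCatalog) { return }

    # SPN entries are the indented "service/host" lines; the header is not indented.
    $spns = $SetSpnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+\s*$' } |
        ForEach-Object { $_.Trim() }

    # Step 4: one "setspn -D" per exchangeAB SPN found on the Exchange server.
    $plan = @(foreach ($spn in $spns) {
        $service, $null = $spn -split '/', 2
        if ($service -ieq 'exchangeAB') { "setspn -D $spn $ExchangeServer" }
    })

    # Step 5: register both name forms on the global catalog server instead.
    if ($plan.Count -gt 0) {
        $plan += "setspn -A exchangeAB/${GlobalCatalog} ${GlobalCatalog}"
        $plan += "setspn -A exchangeAB/${GlobalCatalog}.${DnsDomain} ${GlobalCatalog}"
    }
    $plan
}

# Constructed sample of "setspn -L EXCH01" output (not captured from a real host).
$sample = @'
Registered ServicePrincipalNames for CN=EXCH01,CN=Computers,DC=example,DC=com:
    exchangeAB/EXCH01
    exchangeAB/EXCH01.example.com
    exchangeMDB/EXCH01
    exchangeMDB/EXCH01.example.com
    HOST/EXCH01
    HOST/EXCH01.example.com
'@ -split '\r?\n'

# Prints the commands only; review them before typing any at a command prompt.
Get-ExchangeAbSpnPlan -SetSpnOutput $sample -ExchangeServer EXCH01 -GlobalCatalog GC01 -DnsDomain example.com
```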

WORKAROUND

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To work around this problem, configure Outlook 2007 and Outlook 2010 to use Windows authentication (NTLM). To do this, follow these steps:
  1. Double-click the Mail Control Panel item, and then click Show Profiles.

    Note If no Outlook profiles are configured on the computer, the Mail dialog box appears. In this situation, you cannot click Show Profiles.
  2. Follow these steps:
    • If no Outlook profile is created, follow these steps:
      1. In the Mail dialog box, click Add.
      2. Type a name in the Profile Name box, and then click OK.
      3. In the Add New E-mail Account dialog box, click to select the Manually configure server settings or additional server types check box, and then click Next.
      4. Click Microsoft Exchange, and then click Next.
      5. In the Microsoft Exchange server box, type the fully qualified domain name of the Exchange server, type your alias in the User Name box, and then click More Settings.

        Note If you are prompted to enter your credentials, click Cancel. You may have to click Cancel more than one or two times.
      6. In the Microsoft Exchange dialog box, click the Security tab.
      7. In the Logon network security list, click Password Authentication (NTLM), and then click OK.
      8. Click Next, and then click Finish to create the Outlook profile.
    • If you have an Outlook profile, follow these steps:
      1. In the Mail dialog box, click your Outlook profile, and then click Properties.
      2. Click E-mail Accounts, and then click Change.
      3. In the Change E-mail Account dialog box, click More Settings.
      4. In the Microsoft Exchange dialog box, click the Security tab.
      5. In the Logon network security list, click Password Authentication (NTLM), and then click OK.
      6. Click Next, click Finish, and then click Close two times.
  3. Click OK to close the Mail dialog box.

Properties

Article ID: 927612 - Last Review: September 20, 2011 - Revision: 5.0
APPLIES TO
  • Microsoft Office Outlook 2007, when used with:
    • Microsoft Exchange Server 2003 Enterprise Edition
    • Microsoft Exchange Server 2003 Standard Edition
    • Microsoft Exchange Server 2007 Enterprise Edition
    • Microsoft Exchange Server 2007 Standard Edition
Keywords: 
kbexpertisebeginner kbtshoot kbprb KB927612
