You are locked out of the domain after you start Outlook 2007 in a hybrid Exchange environment

Applies to: Microsoft Office Outlook 2007

Symptoms


Consider the following scenario:

  • A domain account and a Microsoft Office 365 account have the same user principal name (UPN).
  • The passwords for the two accounts differ, and Active Directory Federation Services is not used in the domain.
  • The default lockout value is set to a value other than the default value.
  • You log on to the domain on a computer that's running Windows 7, and then you start Office Outlook 2007.
  • You send some WinHTTP requests to Office 365. For example, you open a shared calendar.
  • Exchange is in a hybrid configuration with some mailboxes or resources split between on-premises and cloud-based Exchange servers.
In this scenario, you are locked out of the domain.

Resolution


To resolve this issue, apply the following hotfix package:
2596845 Description of the Outlook 2007 hotfix package (Outlook-x-none.msp): December 11, 2012

Registry key information

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
After you apply the hotfix package, follow these steps to enable the hotfix:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then select the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security  
  3. On the Edit menu, point to New, and then click Key.
  4. Type PerDomainDisabledWebAuthenticationType, and then press Enter.
  5. Select the PerDomainDisabledWebAuthenticationType key, point to New on the Edit menu, and then click DWORD (32-bit) Value.
  6. Type DomainName, and then press Enter.

    Note: DomainName is a placeholder for the Office 365 domain for which you want to disable Negotiate authentication.
  7. In the Details pane, right-click DomainName, and then click Modify.
  8. In the Value data box, type 10, and then click OK.

    Note: This is a hexadecimal value. After you click OK, it is displayed as 0x00000010 (16).
  9. Exit Registry Editor.
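
The registry steps above can also be scripted for the signed-in user. The following PowerShell is an added example, not part of the original Microsoft article; the default `contoso.example` is a constructed placeholder for DomainName, and the script assumes the hotfix package is already installed and that it runs as the affected user, because the setting is under HKEY_CURRENT_USER.

```powershell
# Added example: scripted equivalent of steps 1-9 for the current user.
# $DomainName is a placeholder; pass the Office 365 domain you want to target.
param(
    [string]$DomainName = 'contoso.example'   # constructed placeholder value
)

$securityKey = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'
$authKey     = Join-Path $securityKey 'PerDomainDisabledWebAuthenticationType'
$expected    = 0x10   # step 8: hexadecimal 10, shown as 0x00000010 (16)

# Back up the Security subkey first, as the article advises.
if (Test-Path $securityKey) {
    $backup = Join-Path $env:TEMP ('OutlookSecurity-{0:yyyyMMddHHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKCU\Software\Microsoft\Office\12.0\Outlook\Security' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no changes were made.' }
    Write-Host "Backup written to $backup"
}

# Steps 2-4: create the PerDomainDisabledWebAuthenticationType key if it is missing.
# -Force also creates a missing parent key; the Test-Path guard avoids
# re-creating (and emptying) a key that already holds other domain entries.
if (-not (Test-Path $authKey)) {
    New-Item -Path $authKey -Force | Out-Null
}

# Steps 5-8: create or overwrite the DWORD value named after the domain.
New-ItemProperty -Path $authKey -Name $DomainName -PropertyType DWord `
    -Value $expected -Force | Out-Null

# Read the value back and check both its type and its data, so that a
# string value or a decimal 10 entered by mistake is caught.
$key    = Get-Item -Path $authKey
$actual = $key.GetValue($DomainName)
$kind   = $key.GetValueKind($DomainName)
if ($kind -ne 'DWord' -or $actual -ne $expected) {
    throw "Unexpected value for ${DomainName}: type=$kind data=$actual"
}
'{0} = 0x{1:X8} ({1})' -f $DomainName, $actual
```

Restart Outlook after the script completes. To undo the change, import the exported .reg backup or delete the value.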

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
2598365 You are locked out of the domain after you start Outlook 2010

2598366 You are locked out of the domain after you start Outlook 2007

For scenarios with on-premises or hybrid Exchange deployments:

2760400 You are locked out of the domain after you start Outlook 2010 in a hybrid Exchange environment