You are repeatedly prompted to enter your credentials when you try to connect to an Exchange mailbox by using Outlook 2007


Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

Important These procedures only apply to Exchange Server 2003 and 2007. Do not apply the steps that are described in this article to Exchange Server 2010. A new article is being written for Exchange Server 2010 and will be referenced here when it is available.
SYMPTOMS
You have a mailbox that is hosted on a server that is running Microsoft Exchange Server 2003. When you start Microsoft Office Outlook 2007 to access this mailbox, you are repeatedly prompted to enter your credentials. If you click Cancel, you receive the following error message:
The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
In this situation, you cannot access your mailbox by using Outlook 2007.

If you use another program such as Microsoft Office Outlook 2003 to access the mailbox, you can successfully connect to Exchange.
CAUSE
This problem occurs if the following Service Principal Names are registered on the Exchange server and if the Exchange server is not a global catalog server:
  • exchangeAB/ExchangeServerName
  • exchangeAB/ExchangeServerName.example.com
A Service Principal Name (SPN) is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs. Kerberos authentication is not possible for Exchange services without correctly configured SPNs.
RESOLUTION
To resolve this problem, correctly configure the exchangeAB resources in the Active Directory directory service. To do this, follow these steps:
  1. Determine which global catalog server Exchange uses. To do this, follow these steps:
    1. Start the Exchange System Manager program.
    2. Expand Administrative Groups, expand your administrative group, expand Servers, right-click the Exchange server that you want to examine, and then click Properties.
    3. In the ExchangeServerName Properties dialog box, click the Directory Access tab.
    4. In the Show list, click Global Catalog Servers.
    5. Note the name of the computer that appears in the Domain Controller column.
  2. Install the Setspn.exe tool if it is not already installed. The Setspn.exe tool is included with the Windows Server 2003 Support Tools. To install the Windows Server 2003 Support Tools, double-click SUPPTOOLS.MSI in the Support\Tools folder on the Windows Server 2003 CD. Additionally, the Setspn.exe tool is included with the Microsoft Windows 2000 Resource Kit tools. To obtain this tool, visit the following Microsoft Web site:
  3. List the SPNs that are configured on the Exchange server. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type setspn -L ExchangeServerName, and then press ENTER. Results that resemble the following are returned:
      Registered ServicePrincipalNames for CN=<ExchangeServerName>,CN=Computers,DC=example,DC=com:
        exchangeAB/<ExchangeServerName>
        exchangeAB/<ExchangeServerName>.example.com
        exchangeMDB/<ExchangeServerName>
        exchangeMDB/<ExchangeServerName>.example.com
        exchangeRFR/<ExchangeServerName>
        exchangeRFR/<ExchangeServerName>.example.com
        SMTPSVC/<ExchangeServerName>
        SMTPSVC/<ExchangeServerName>.example.com
        HOST/<ExchangeServerName>
        HOST/<ExchangeServerName>.example.com
      In this output, ExchangeServerName is the name of the Exchange server. Additionally, example.com is the name of the domain.

      When you work with a clustered Exchange Server configuration, the following SPNs should be set on each node:
      ServicePrincipalName: SMTPSVC/<ExchangeServerNodeName>.example.com
      servicePrincipalName: SMTPSVC/<ExchangeServerNodeName>
      servicePrincipalName: HOST/<ExchangeServerNodeName>
      servicePrincipalName: HOST/<ExchangeServerNodeName>.example.com
      The following SPNs should be set only on the Exchange Virtual Server name, if clustered:
      ServicePrincipalName: exchangeMDB/<ExchangeVirtualServerName>.example.com
      servicePrincipalName: exchangeMDB/<ExchangeVirtualServerName>
      servicePrincipalName: exchangeRFR/<ExchangeVirtualServerName>.example.com
      servicePrincipalName: exchangeRFR/<ExchangeVirtualServerName>
      servicePrincipalName: MSClusterVirtualServer/<ExchangeVirtualServerName>.example.com
      servicePrincipalName: MSClusterVirtualServer/<ExchangeVirtualServerName>
      servicePrincipalName: HOST/<ExchangeVirtualServerName>.example.com
      servicePrincipalName: HOST/<ExchangeVirtualServerName>
      Note These SPNs should not be set on the individual node names because it can create duplicate SPNs and can cause Kerberos issues.
  4. Unregister the exchangeAB SPNs from the Exchange server. To do this, follow these steps:
    1. At the command prompt, type the following command, and then press ENTER:
      setspn -D exchangeAB/ExchangeServerName ExchangeServerName
    2. At the command prompt, type the following command, and then press ENTER:
      setspn -D exchangeAB/ExchangeServerName.example.com ExchangeServerName
  5. Register the exchangeAB SPNs with the global catalog server. To do this, follow these steps:
    1. At the command prompt, type the following command, and then press ENTER:
      setspn -A exchangeAB/GlobalCatalogServerName GlobalCatalogServerName
    2. At the command prompt, type the following command, and then press ENTER:
      setspn -A exchangeAB/GlobalCatalogServerName.example.com GlobalCatalogServerName
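
The following PowerShell is an added example, not part of the original article: it parses saved setspn -L output from step 3 and prints the setspn -D and setspn -A commands from steps 4 and 5 for review, without running them. The names EXCH01 and GC01, the function names, and the sample output are constructed placeholders.

```powershell
# Added example. EXCH01, GC01 and the sample text are constructed placeholders.
$exchangeServer = 'EXCH01'        # server whose SPNs were listed in step 3
$globalCatalog  = 'GC01'          # global catalog server noted in step 1
$domain         = 'example.com'

# Constructed sample of saved `setspn -L EXCH01` output.
$setspnOutput = @'
Registered ServicePrincipalNames for CN=EXCH01,CN=Computers,DC=example,DC=com:
    exchangeAB/EXCH01
    exchangeAB/EXCH01.example.com
    exchangeMDB/EXCH01
    exchangeMDB/EXCH01.example.com
    HOST/EXCH01
    HOST/EXCH01.example.com
'@

function Get-SpnFromSetspnOutput {
    param([string]$Text)
    # SPN lines look like "class/host"; the "Registered ..." header has no slash.
    $Text -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^\s/]+/\S+$' }
}

function Get-ExchangeAbMovePlan {
    param([string[]]$Spns, [string]$ExchangeServer,
          [string]$GlobalCatalog, [string]$Domain)
    $plan = New-Object 'System.Collections.Generic.List[string]'
    # The article's condition: the Exchange server is not a global catalog server.
    if ($ExchangeServer -eq $GlobalCatalog) { return $plan }
    $misplaced = @($Spns | Where-Object { $_ -like 'exchangeAB/*' })
    foreach ($spn in $misplaced) {
        $plan.Add("setspn -D $spn $ExchangeServer")                      # step 4
    }
    if ($misplaced.Count -gt 0) {
        $plan.Add("setspn -A exchangeAB/${GlobalCatalog} ${GlobalCatalog}")            # step 5
        $plan.Add("setspn -A exchangeAB/${GlobalCatalog}.${Domain} ${GlobalCatalog}")
    }
    return $plan
}

$spns = Get-SpnFromSetspnOutput -Text $setspnOutput
$commands = @(Get-ExchangeAbMovePlan -Spns $spns -ExchangeServer $exchangeServer `
                                     -GlobalCatalog $globalCatalog -Domain $domain)
if ($commands.Count -eq 0) { 'No exchangeAB SPNs to move.' } else { $commands }
```

After applying the printed commands, run setspn -L against both the Exchange server and the global catalog server to confirm that the exchangeAB entries appear only on the global catalog server.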
WORKAROUND
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To work around this problem, configure Outlook 2007 and Outlook 2010 to use Windows authentication (NTLM). To do this, follow these steps:
  1. Double-click the Mail Control Panel item, and then click Show Profiles.

    Note If no Outlook profiles are configured on the computer, the Mail dialog box appears. In this situation, you cannot click Show Profiles.
  2. Follow these steps:
    • If no Outlook profile is created, follow these steps:
      1. In the Mail dialog box, click Add.
      2. Type a name in the Profile Name box, and then click OK.
      3. In the Add New E-mail Account dialog box, click to select the Manually configure server settings or additional server types check box, and then click Next.
      4. Click Microsoft Exchange, and then click Next.
      5. In the Microsoft Exchange server box, type the fully qualified domain name of the Exchange server, type your alias in the User Name box, and then click More Settings.

        Note If you are prompted to enter your credentials, click Cancel. You may have to click Cancel more than one or two times.
      6. In the Microsoft Exchange dialog box, click the Security tab.
      7. In the Logon network security list, click Password Authentication (NTLM), and then click OK.
      8. Click Next, and then click Finish to create the Outlook profile.
    • If you have an Outlook profile, follow these steps:
      1. In the Mail dialog box, click your Outlook profile, and then click Properties.
      2. Click E-mail Accounts, and then click Change.
      3. In the Change E-mail Account dialog box, click More Settings.
      4. In the Microsoft Exchange dialog box, click the Security tab.
      5. In the Logon network security list, click Password Authentication (NTLM), and then click OK.
      6. Click Next, click Finish, and then click Close two times.
  3. Click OK to close the Mail dialog box.
Properties

Article ID: 927612 - Last Review: 09/20/2011 22:06:00 - Revision: 5.0

  • Microsoft Office Outlook 2007