Thursday, December 23, 2010

Outlook 2007 Prompts for Password in Exchange

Outlook 2007 Prompts for Password
In the situation I came across, Outlook 2007 clients were constantly prompting for a password even though the users were on the LAN, members of the domain, and logged in to the PC with domain credentials. While I found several potential causes, the solution ended up being an SSL setting in IIS on the mail server.

The solution was to allow client certificates on the virtual directory for Exchange Autodiscover. It turns out the clients were attempting to use the Autodiscover service with Exchange 2007 to detect settings and the website wasn’t accepting their client certificate. The client certificates are apparently used for encryption between the client and the server. Disabling the checkbox to enable that type of communication may also have been a solution, but this is a better one because it maintains the security of an encrypted channel. Here are the instructions:


1. Using IIS7 - Open the IIS Manager. Expand the Sites group and expand down to the Autodiscover virtual directory. Select this virtual directory, then select “SSL Settings” from the center pane. In the settings window, select “Accept Client Certificates”.
In addition, the authentication settings on this virtual directory can also cause this to happen if not configured correctly. Just make sure that Integrated Windows Authentication is checked.

2. Using IIS6

1. In IIS Manager, double-click the local computer, and then right-click the Web site, directory, or file that you want and click Properties.

2. If you have not previously obtained a server certificate, click the Directory Security tab, and then under Secure Communications, click Server Certificate. For more information, see Obtaining Server Certificates.

3. If you have previously obtained a server certificate, click the Directory Security or File Security tab, and then under Secure Communications, click Edit.

4. In the Secure Communications box, select the Require secure channel (SSL) check box. Requiring a secure channel means that users cannot connect to this site without using a secure link (that is, the link's URL must begin with https://).

5. Under Client certificates, select one of the following to enable client certificate authentication:

• Accept client certificates: Users can access the resource with a client certificate, but the certificate is not required.

• Require client certificates: The server will request a client certificate before connecting the user to the resource. Users without a valid client certificate will be denied access.

• Ignore client certificates: Users with or without a client certificate will be granted access.
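
The IIS7 settings from item 1 can also be checked and applied from PowerShell. This is an added example, not part of the original post: it reports which of the three client-certificate modes is active on the Autodiscover virtual directory, switches it to Accept while keeping the other SSL flags, and enables Integrated Windows Authentication if it is off. It assumes the WebAdministration module is available on the server and that the virtual directory lives at "Default Web Site/Autodiscover"; the post names neither.

```powershell
# Added example: audit and set the client-certificate mode on the Autodiscover vdir.
# ASSUMPTIONS: the WebAdministration module is installed, and the site path below
# matches your server (the original post does not name the site).
Import-Module WebAdministration

$Location = 'Default Web Site/Autodiscover'   # assumed path, adjust as needed
$Root     = 'MACHINE/WEBROOT/APPHOST'         # write into applicationHost.config
$Access   = 'system.webServer/security/access'
$WinAuth  = 'system.webServer/security/authentication/windowsAuthentication'

function Get-PropValue($Filter, $Name) {
    $p = Get-WebConfigurationProperty -PSPath $Root -Location $Location -Filter $Filter -Name $Name
    # The cmdlet returns either a plain value or an attribute object with .Value
    if ($p -is [string] -or $p -is [bool]) { $p } else { $p.Value }
}

# sslFlags is a comma-separated flag list, e.g. "Ssl,SslNegotiateCert"
$flags = @((Get-PropValue $Access 'sslFlags') -split '\s*,\s*' |
           Where-Object { $_ -and $_ -ne 'None' })

# Map the flags to the three choices shown in the IIS dialog
$mode = if ($flags -contains 'SslRequireCert') {
    'Require client certificates'
} elseif ($flags -contains 'SslNegotiateCert') {
    'Accept client certificates'
} else {
    'Ignore client certificates'
}
"Current sslFlags: $($flags -join ',')  ->  $mode"

if ($mode -ne 'Accept client certificates') {
    # Keep unrelated flags (Ssl, Ssl128), drop Require, add Negotiate (= Accept)
    $new = @(@($flags | Where-Object { $_ -ne 'SslRequireCert' }) + 'SslNegotiateCert' |
             Select-Object -Unique)
    Set-WebConfigurationProperty -PSPath $Root -Location $Location `
        -Filter $Access -Name sslFlags -Value ($new -join ',')
    "Set sslFlags to: $($new -join ',')"
}

# The post also calls for Integrated Windows Authentication on this directory
if (-not (Get-PropValue $WinAuth 'enabled')) {
    Set-WebConfigurationProperty -PSPath $Root -Location $Location `
        -Filter $WinAuth -Name enabled -Value $true
    'Enabled Integrated Windows Authentication'
}
```

Run it from an elevated PowerShell session on the mail server; running it a second time should report the Accept mode and make no changes.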
