Frequent Outlook/MAPI Password Prompts
Problem reported by Jay Dubb - 9/10/2024 at 7:23 AM
Submitted
A subset of users on Outlook using MAPI are plagued with password prompts.  At first users were being prompted to enter their 365 credentials (using Outlook 365) at least daily, some as often as every few hours, and their Smartermail passwords at least daily.  So, we gave the client the registry patch to force autodiscover directly to the Smartermail server-- putting only the Smartermail server under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers.

This stopped the MS 365 login prompts, presumably because Outlook is now communicating directly with the Smartermail server instead of proxying via 365 cloud.

However, the Smartermail Password prompts have NOT stopped.  Some users are still getting prompted for their email password every day or even every few hours.  

IT team has cleaned out Windows Credential Manger of any email-related accounts.  They've also deleted the Outlook profile and created a new one for affected users.  Still the password prompts continue, and these users are complaining to executives, which in turn is raining back down on us.

Anyone seen this?  Any ideas?  Fixes?  Workarounds?  SM version 8930 currently but it's been happening across multiple prior versions, too.  

NOTE:  Checking the "Remember my credentials" box is ineffective.

Derek Curtis Replied
Employee Post
Jay,

Are these users able to log in to webmail without issue? If they can't log in to webmail, you may want to check IDS settings. We've seen this behavior when the IDS settings are a bit too restrictive.
Derek Curtis
CCO
SmarterTools Inc.
Douglas Foster Replied
Outlook passwords are not stored in our roaming profiles.  As a result, users with multiple accounts have to enter secondary account passwords every day when they log in.  Is that related to your problem?
ICT Informatik Replied
Hi Jay

Perhaps our observations will help.

We're currently evaluating an MS Exchange alternative. Smartermail is promising, but we're still experiencing some major Outlook/Windows authentication issues with LDAP. 

1. Password prompt once per MAPI connection (multiple connections possible. Examples: public folders, shared mailboxes...). "Remember my credentials" is required.
-> Outlook/Exchange is able to pass through credentials. 
2. New AD user: password prompt -> Requires webmail login first.
3. AD user password change: Password prompt -> Requires webmail login first.
-> Imagine 200 Outlook users, password change twice a year = 400 support tickets. 

We're in contact with Smartermail support to solve these issues. Fortunately, the support team is very friendly and responsive.

Update 1: According to SmarterMail support, this is normal behavior. There are plans to implement OAuth, but without a release date.
At this point in time, this is not a viable alternative to MS Exchange.

Jay Dubb Replied
@Derek - We confirmed it's not an IDS issue.  In fact, it couldn't be, because we aggressively increased the penalty box to many hours (or days depending on type of violation).  If they triggered an IDS rule, they'd be locked out for a very long time, and re-entering the password wouldn't quickly restore access like it does now.

@Douglas - Thank you for the reply; it may help others.  However, this particular customer is not running an AD domain, so they don't have roaming profiles.  They have so many BOYD devices, that they elected not to go the domain route for the minority percentage of devices that are company owned.  For the small number of workers who need to share files, they use a cloud file sharing service.  The vast majority work in personal silos.
 
Run this on client machines

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001
"ExcludeHttpRedirect"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"ExcludeScpLookup"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers]
"yourmailserver.com"=hex(0):


Remember to watch for your version of office. We are running 16.0
Jay Dubb Replied
@Brian - thank you.  That's actually the first thing her IT team did (kill the MS redirect servers) and autodiscover straight to Smartermail only.

I relayed Derek's response to our admin, who just took a long look at IDS blocks for the past 7 days, just to rule it out for sure.  None of the users having the "re-enter password" problem have triggered any IDS rules.  

For every IDS trigger in the past week, he traced it down "who did it" and nearly all of them are Chinese IPs or former employees with BYOD who apparently never removed their old email address from their email client, which is still trying to log in to non-existent accounts.  It's one of the hazards of BYOD.
 
Mohammad Gnj Replied
@Jay
Hi
Same problem here with Outlook 2024 MAPI and Smarter  v100.0.9546 
Could you solve your problem?
terry fairbrother Replied
I have a reg file for all new Outlook installs as MS also changes the signature settings so this sorts out Outlook prompting for a password and also reverts the signatures to local


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Setup]
"DisableRoamingSignatures"=dword:00000001



However, where there's a drop in connection to the server, Outlook will occasionally keep asking for the password even reconnected, especially where Outlook is connected to multiple mailboxes. When this happens I have to delete the users credentials in credential manager then open Outlook and readd the passwords when prompted
Douglas Foster Replied
If you have two accounts in the Outlook profile, secondary account passwords are stored in local profile, not roaming.  In a VDI environment where non-roaming data is discarded, the user has to enter secondary account passwords every day as Outlook launches, and it is easy to get confused about which account is being requested.
Andrew Barker Replied
Employee Post
@Mohammad Gnj I recommend taking a look at the KB article Autodiscover and Registry Edits for Outlook and MAPI. It includes an explanation of when Outlook does autodiscover, the steps it takes to perform autodiscover, and a set of suggested registry keys that can be used to modify the autodiscover process. If you are encountering the issue Jay originally described with user being prompted for Microsoft365 credentials, the registry dword ExcludeExplicitO365Endpoint in key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover will probably help you out.

Andrew Barker
Lead Software Developer
SmarterTools Inc.
www.smartertools.com 

Mohammad Gnj Replied
Thanks to all

I used this and it is hours that no prompt appeared. 


Windows Registry Editor Version 5.00

; Disable Modern Authentication
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableAADWAM"=dword:00000001
"DisableADALatopWAMOverride"=dword:00000001
"EnableADAL"=dword:00000000

; Outlook AutoDiscover
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001
"DisableOffice365SimplifiedAccountCreation"=dword:00000001


What is now killing me is that any meeting in outlook set is appeared in other mail recipients (I mean external mail servers - from internal account to internal account it is ok) one hour ahead. And this only happens in MAPI setup. Web and EAS are ok, There may be any reg fix for this too?


Andrew Barker Replied
Employee Post
@Mohammad Gnj Most likely, this is some sort of time zone mismatch. When it comes to synced appointments, there are four time zones that have an impact: the time zone configured in the SmarterMail account settings, the start and end time zones specified on the appointment itself, and the time zone on the client machine - in this case, the computer running Outlook.

Since you indicated that the appointment times look correct in webmail and when synced over EAS, that seems to indicate a problem on the computer running Outlook. Even with the issue narrowed down like that, there are still a number of possible causes like an incorrectly set time zone, misconfigured daylight savings, outdated time zone definitions, or a sync issue, to name a few.

Due to this complexity, you'll probably get the best help by submitting a support ticket. They can help you determine the underlying cause and how to resolve the problem. If it turns out to be a sync issue, they can also escalate the problem to our development team.

Andrew Barker
Lead Software Developer
SmarterTools Inc.
www.smartertools.com 

Mohammad Gnj Replied
Thanks Andrew

Many clients have this problem., nearly all of them. The timezone of clients and server are the same. I nearly tested everything from timezone to DST and else. From the source client, if you set any meeting via MAPI of Smartermail in the destination it has problems. On the source and destination, Also there are Exchange accounts also via MAPI (another account) and if you set the meeting using the same outlook for that destination, it is ok. The problem is just from MAPI smartermail outlook client to destination on every external mail server. Does this help to narrow down the issue?

Reply to Thread

Enter the verification text