Back to Community Threads
Windows 11 24H2 could cause a huge trouble in some scenarios
Idea shared by Daniel - 2/18/2025 at 2:45 AM
Proposed
Sticky
D
Hello,

I encountered a strange problem with some user working with Outlook and upgrading to W11 24H2, while googling I found this tread https://community.spiceworks.com/t/win11-24h2-update-outlook-client-exchange-account-repetitive-ad-account-locked/1130088/31?page=2

So it seems that with w11 24h2 if the ad user.name is the same as in the mail account (say ad account addomain.local\user.name and email user.name@domain.com) it ignores that the domains are different and hits the stored mail account password against your domain controllers (if they are different, and you have account lockout configured → your AD account will be locked out).
So for now the only bypasses are :
1. same password for ad and mail
2. disable account lockout
3. change the username on one of the systems

Smartermail cloud help us by allowing us to have a different username (for login) than emailadress@domain.
(Perhaps a solution like ignoring . in the username login (user.name@domain.com = ok user..name@domain.com = ok)
N
I ran into this too. The workaround I ended up with is making an extra dummy AD account for each affected user, and on the dummy account I set the UPN suffix to the same as the email domain so the full UPN ("User logon name" text box plus dropdown box on the Account tab in the user's properties in Active Directory Users and Computers) is the same as the user's email address. The user's real AD account needs a UPN suffix that's different from the email domain (in our case the UPN suffix for the users' real AD accounts is similar to something.example.com and the email domain is example.com).

Then I made up a pre-Windows 2000 logon name (I just prefixed their real username with an e, for email). I made up a random long password for it and disabled the account ("Account is disabled" in the "Account options" box). The pre-Windows 2000 logon name can be pretty much anything that isn't otherwise in use, doesn't matter much since nobody will actually be using it, but you have to enter something.

It looks like this dummy account will be attempted instead of the real one (I guess since it is an exact match) and the real AD account doesn't get bothered anymore. Kind of messy but it seems to get the job done.

You might have to add the UPN suffix that matches the email domain in Active Directory Domains and Trusts -> Right click Active Directory Domains and Trusts -> Properties -> UPN Suffixes, if you don't already have it available in the user properties in Active Directory Users and Computers.
s
Ran into this last week. Nick's solution was brilliant.
Holy cow, I've run into this recently as well, but only at one customer's office. I have been trying in vain to discover what was causing the AD lockout, and have wasted so much time poking into credential manager looking for cached credentials, etc., that could be causing this conflict. I know this isn't an ST problem but I had come to the conclusion that it had something to do with Outlook/Win11 and AD accounts. Thanks for the work-around leg work. I had disabled the AD account lockout group policy item (which I am totally against) but couldn't figure out any other way to stop it. I'm going to try this out. Thanks. Still, yet another example of Microsoft really failing us.
D
Trying to make sense of this problem and its connection to OAUTH2.  The big surprise is that Outlook tries to log into Active Directory before it tries to login into the mail server.   But the desire to support OAUTH2 seems to explain why.

My layman’s understanding of OATH2:
  • Trusted device is authenticated to the server
  • A trusted application is used on the trusted device
  • If the device or trusted application trusts the user, then the server chooses to trust the user also.
Applying this scenario to Outlook:
  • The trusted device is the Windows PC and the trusting server is Active Directory.
  • Outlook can only become a trusted application if it authenticates to the same server context as the PC, so it must also authenticate to Active Directory.
  • A design assumption is that Outlook has been configured with an application password that uniquely identifies the application (probably based on user-agent string) and a specific user account.
  • Outlook tries to determine the Active Directory account that will work with the configured email address and application password.   (Outlook apparently ignores the email address field in Active Directory.)   Outlook first tries for an exact match on the full email address.  If that does not exist, it settles for an exact match on the username portion of the email address in any domain.  If the second guess is attempted to a server where the same username exists in multiple domains, results are likely to be unpredictable and undesirable.
  • If no Active Directory account is found, Outlook gives up on OAUTH2 and uses NTLM.
  • If an Active Directory account is found, Outlook attempts multiple logins, triggering the login failures.   After enough failures, it finally gives up on preparing OAUTH2 authentication and uses NTLM.
I assume that Office365 provides a way to configure an application-specific password for Outlook into the user’s Active Directory account.   I don’t use Office365 and I do not know how to do that in a fully on-prem environment.

Therefore, the workarounds can be:
  • Find a way to disable Outlook’s OAUTH2 behavior completely.
  • Find a way to implement an application-specific password in your Outlook/ActiveDirectory environment.
  • Use any user interface other than OAUTH2-enabled Outlook.
  • Ensure that Outlook finds an Active Directory account where its store password will work.   This will occur if:
    • the email address is resolved to the correct Active Directory account and the mail system authenticates against that same Active Directory, or
    • the email system is configured to use the same password as the Active Directory account that Outlook finds.
  • Ensure that Outlook finds an exact-match account which is already is disabled, so that it eventually gives up trying to enable OAUTH2.  This is the strategy that Nick described.

Implications for SmarterMail

If a SmarterMail account is configured for Active Directory authentication, then I expect SmarterMail to be configured with the same Active Directory account as the one that Outlook finds.   SmarterMail already allows the Active Directory domain and user to be different than the email address.

If a SmarterMail account is configured to use SmarterMail authentication, or any security environment other than the PC’s Active Directory environment, then the problem can occur, and one of the workarounds will be necessary.
  
It seems to be related to the agentic nature of windows11.

Most of it is broken....
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Remote Server returned: '602' errorSmarterMail > Troubleshooting
SmarterTrack/WHMCS Addon ModuleUtilities and Conversion Tools
Autodiscover and Registry Edits for Outlook and MAPISmarterMail > Desktop and Mobile Synchronization
SmarterMail, LDAP, and Active DirectorySmarterMail > Server Configuration and Management
TLS 1.0/1.1 Deprecation InformationGeneral Topics