Why is Communicator prompting me for credentials?

Summary:

When signing in to Office Communications Server 2007 using cached domain credentials (for example, you log in to your corporate domain-joined laptop at home), Office Communicator 2007 may prompt you with an additional authentication dialog box asking for your credentials.


Details:

When Office Communicator 2007 signs in, it also attempts to retrieve availability (free/busy) data via Exchange 2007 Web Services. It does so through the Autodiscover functionality built into olmapi32.dll's HrGetAutoDiscoverXML function.

Communicator issues SOAP requests (over HTTPS) to the published Autodiscover server (*1), which returns the URLs of the Exchange 2007 Client Access Server(s) that will serve the availability data back to Office Communicator.

The additional prompt for authentication stems from Communicator being hard-wired to authenticate using NTLM. When IIS (on the Exchange 2007 CAS machines) returns its WWW-Authenticate headers, it does so in this order:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

When Communicator attempts to negotiate authentication using your cached credentials (over the Internet), the request fails with a "401.2 Unauthorized" (*2), and Communicator subsequently prompts you for credentials. Forcing NTLM from either the client side or the server side eliminates these additional prompts.

Client-side fix:

After clearing "Enable Integrated Windows Authentication" (*3) in Internet Explorer (Tools, Internet Options, Advanced, scroll down to the "Security" section), you should no longer receive the additional authentication prompt from Office Communicator 2007 when it retrieves availability and out-of-office data via Autodiscover / Exchange Web Services.

The checkbox and its wording are admittedly a bit misleading: it does NOT turn NTLM on or off. It only controls whether Internet Explorer, and every application that uses the WinINet stack beneath it, negotiates the authentication package with IIS (Kerberos or NTLM via Negotiate; checkbox enabled) or goes straight to NTLM (checkbox disabled).

This is the registry location/value that this checkbox controls:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Name: EnableNegotiate

Type: REG_DWORD

Data: 0 = disabled (unchecked in the UI), 1 = enabled (checked in the UI); the default is 1 (enabled). Because the value lives under HKEY_CURRENT_USER, it has to be set in each affected user's profile, and it applies to everything Internet Explorer (and WinINet) does, so that user also stops using Kerberos for intranet sites.

Server-side fix:

Essentially, we instruct IIS on the Exchange 2007 CAS server(s) to list NTLM as the first authentication provider (with Negotiate as the fallback). The order of the providers is the order of the WWW-Authenticate headers in the 401 response, and clients such as Internet Explorer try the first provider that IIS lists.


For Internet Information Services 6.0:

1. On the Exchange 2007 CAS machine(s), open a command prompt (Start, Run, cmd, OK) and change to the C:\Inetpub\AdminScripts directory.

2. Execute the commands below. The path w3svc/1/root is the root of the web site whose identifier is 1 (normally the Default Web Site, where the Autodiscover and EWS virtual directories live); if they are hosted on another site, substitute that site's identifier.

    a. Inspecting current status:

C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/1/root/NTAuthenticationProviders

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

The parameter "NTAuthenticationProviders" is not set at this node. (*4)

    b. Setting the parameter:

C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "NTLM,Negotiate"

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

NTAuthenticationProviders : (STRING) "NTLM,Negotiate"

    c. Verifying the output:

C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/1/root/NTAuthenticationProviders

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

NTAuthenticationProviders : (STRING) "NTLM,Negotiate"

3. Restart the IIS Admin Service (which restarts all dependent services, including the World Wide Web Publishing Service) on the Exchange 2007 CAS machine(s).

For Internet Information Services 7.0: (*5)


appcmd has no command to reorder the providers collection, but the collection is ordered and a newly added element goes to the end, so removing Negotiate and adding it back leaves NTLM first. Run the following from C:\Windows\System32\inetsrv:

List the current configuration:
appcmd list config /section:windowsAuthentication

Remove Negotiate:
Appcmd.exe set config /section:windowsAuthentication /-providers.[value='Negotiate']

Add Negotiate back (it is appended after NTLM):
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost

List the configuration again to confirm the new order:
appcmd list config /section:windowsAuthentication

Here is the output of that sequence:

C:\Windows\System32\inetsrv>appcmd list config /section:windowsAuthentication
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

C:\Windows\System32\inetsrv>Appcmd.exe set config /section:windowsAuthentication /-providers.[value='Negotiate']

C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost

C:\Windows\System32\inetsrv>appcmd list config /section:windowsAuthentication
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="NTLM" />
          <add value="Negotiate" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>


Server-side fix (specific to Exchange 2010):

I had a customer report (my sincere thanks, Elan Shudnow!) that their OAB wasn’t working externally. Once they fixed the OAB, the [Communicator Credentials] prompt went away and other users reported it went away for them as well.
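As a check that the server-side fix (either the IIS 6.0 or the IIS 7.0 procedure above) actually changed what clients see, here is an added example. It is not part of the original post and not Microsoft code: a Python script that pulls the WWW-Authenticate headers out of a 401 response and reports which Windows provider IIS offers first. Run it with a host name (autodiscover.contoso.com below is a placeholder) to probe a live CAS/Autodiscover endpoint with one anonymous GET; run it with no arguments to exercise two constructed 401 responses that reproduce the pre-fix and post-fix header orders shown above. The default path /Autodiscover/Autodiscover.xml is the usual Autodiscover virtual directory; pass /EWS/Exchange.asmx as a second argument to check the EWS directory instead.

```python
"""Report the order in which IIS offers Windows authentication providers.

Added example for this article; not part of the original post and not
Microsoft code. Host names are placeholders and the two sample 401
responses below are constructed, not captured from a real server.
"""
import http.client
import ssl
import sys
from typing import List, Optional, Tuple


def parse_www_authenticate(values: List[str]) -> List[str]:
    """Return the auth schemes offered, in the order the server sent them.

    IIS sends one WWW-Authenticate header per provider ("Negotiate", "NTLM",
    'Basic realm="..."'); some proxies fold them into one comma-separated
    line, which is handled too. Only the scheme token is kept.
    """
    schemes = []
    for value in values:
        for part in value.split(","):
            token = part.strip().split(" ", 1)[0]
            if token:
                schemes.append(token)
    return schemes


def first_windows_provider(schemes: List[str]) -> Optional[str]:
    """First of Negotiate/NTLM in the list: the package a Windows client
    will try first, since IIS emits the headers in configured order."""
    for scheme in schemes:
        if scheme.lower() in ("negotiate", "ntlm"):
            return scheme
    return None


def www_authenticate_from_raw(raw: bytes) -> List[str]:
    """Extract every WWW-Authenticate value from a raw HTTP response
    (for the constructed samples, or a response saved from a trace)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            found.append(value.strip())
    return found


def probe(host: str, path: str = "/Autodiscover/Autodiscover.xml",
          timeout: float = 10.0) -> Tuple[int, List[str]]:
    """Send one anonymous GET over HTTPS and return (status, header values).

    No credentials are needed: IIS answers the first request with 401 and
    the full provider list before any authentication exchange starts.
    """
    conn = http.client.HTTPSConnection(
        host, 443, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"User-Agent": "auth-order-probe"})
        resp = conn.getresponse()
        resp.read()
        # get_all() keeps repeated headers separate; getheader() would join them
        return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    finally:
        conn.close()


def verdict(schemes: List[str]) -> str:
    """Translate the provider order into what the article predicts."""
    first = first_windows_provider(schemes)
    if first is None:
        return "no Windows authentication offered"
    if first.lower() == "ntlm":
        return "NTLM offered first: no extra prompt expected"
    return "Negotiate offered first: extra credential prompt expected"


# Constructed samples (not real captures): the IIS default order, and the
# order after NTAuthenticationProviders / the providers list is reordered.
BEFORE_FIX = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"Server: Microsoft-IIS/7.0\r\n"
              b"WWW-Authenticate: Negotiate\r\n"
              b"WWW-Authenticate: NTLM\r\n"
              b"Content-Length: 0\r\n\r\n")
AFTER_FIX = (b"HTTP/1.1 401 Unauthorized\r\n"
             b"Server: Microsoft-IIS/7.0\r\n"
             b"WWW-Authenticate: NTLM\r\n"
             b"WWW-Authenticate: Negotiate\r\n"
             b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # live probe, e.g. autodiscover.contoso.com
        status, values = probe(sys.argv[1], *sys.argv[2:3])
        schemes = parse_www_authenticate(values)
        print(f"HTTP {status}; providers offered: {schemes} -> {verdict(schemes)}")
    else:
        for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
            schemes = parse_www_authenticate(www_authenticate_from_raw(raw))
            print(f"{label}: {schemes} -> {verdict(schemes)}")
```

Probe from outside the corporate network, the way a roaming Communicator client would, since a reverse proxy or ISA/TMG publishing rule in front of the CAS can rewrite or reorder the headers that the internal appcmd listing shows.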

References:

(*1) "Overview of the Autodiscover Service"

http://technet.microsoft.com/en-us/library/bb124251.aspx

(*2) "401.2 Denied by Server Configuration"

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

(*3) "Integrated Windows Authentication (IIS 6.0)"

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

(*4) This is expected output as per http://support.microsoft.com/kb/215383

(*5) Big thanks to Jason Dozier for the IIS7 instructions