Q: Why are my users continually prompted for their passwords when connecting to Exchange Server through Microsoft Outlook?
A: Every now and then, an Outlook user sets up an Exchange account and finds that his password simply isn’t being saved. This problem can even persist in spite of repeated connection attempts over different network media, across reboots and even reinstallations of Microsoft Outlook. Not only is this annoying, but it’s also a terrible waste of time.
So why does this keep happening? After a bit of research, I’ve found four reasons why passwords may not be properly stored in Outlook.
1. Incorrect authentication settings
This is one of the easier fixes, so try this first. Outlook has a few options that pertain to how network security is negotiated with an Exchange server. Incorrectly setting one of those options can cause the connection to fail. In the Exchange account, navigate to Settings, then More Settings, then the Security Tab. Set Logon Network Security to “Negotiate authentication” and provide the user’s password. Also, make sure that the Always prompt for username and password option is not checked. If it is, it’s probably the reason your user is continually being prompted for his password.
2. Stored credentials issues
Windows stores credentials for several common connection types, including Exchange Server. You can manually replace or update these credentials if you think one of them has been stored incorrectly. This editing is done in the Windows Credential Manager.
In Windows Vista and Windows 7, go to the Users section of the Control Panel and select Manage your credentials. Under Generic Credentials, click Add a generic credential, then supply a username and password for your Exchange server.
Some Exchange hosts have different domain names for their proxy and their actual server. This confuses Outlook when it tries to store a password for one versus the other. Eventually it ends up passing the wrong password for the wrong domain. If you find that this is the problem, you can manually add another credential for your proxy. Remember that you can use a wildcard like *.serverdomain.com to cover all servers on that domain if necessary.
3. A damaged DPAPI folder
From Windows 2000 and up, the storing and retrieval of symmetrically-encrypted data is done through the Data Protection Application Programming Interface (DPAPI). Outlook uses the DPAPI to store authentication data. Therefore, if the folder containing DPAPI’s data is damaged, DPAPI won’t work correctly. Because DPAPI calls are fairly deep within Outlook’s code, the end user is never informed about possible problems with it; the only symptom a user sees is that his password has not been stored.
To recreate the folder, close Outlook and open the %userprofile%\AppData\Roaming\Microsoft\Protect folder. You’ll see at least one folder that starts with S-1-5-21-, followed by four clusters of digits. Registry hackers will recognize these digits; they’re the same numbers used to identify a user profile. Rename the folders to something else like TEST, then reopen Outlook. You’ll be prompted for your user’s password again. If the password gets saved, then you’ll know that this was the problem.
If the password isn’t stored, close Outlook. Delete the newly created folder and restore the names on the pre-existing folders. This way you won’t have to re-supply passwords for any other programs that rely on the DPAPI, since it isn’t the issue.
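The rename test from step 3 in reversible form, as an added PowerShell example that is not part of the original answer. The `.TEST` suffix and the function names are assumptions chosen for illustration; the originals are kept intact so they can be put back if DPAPI turns out not to be the cause.

```powershell
# Added example: reversible version of the DPAPI folder rename test.
# $Suffix and the function names below are illustrative assumptions.
$ProtectDir = Join-Path $env:APPDATA 'Microsoft\Protect'
$Suffix     = '.TEST'

function Assert-OutlookClosed {
    # The procedure requires Outlook to be closed before the folders are touched.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Close Outlook before renaming or restoring the DPAPI folders.'
    }
}

function Suspend-DpapiFolders {
    Assert-OutlookClosed
    # -Force lists folders that carry hidden/system attributes.
    Get-ChildItem -Path $ProtectDir -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'S-1-5-21-*' -and
                       $_.Name -notlike "*$Suffix" } |
        ForEach-Object {
            $newName = $_.Name + $Suffix
            Rename-Item -Path $_.FullName -NewName $newName -Force
            Write-Output "Renamed $($_.Name) -> $newName"
        }
}

function Restore-DpapiFolders {
    Assert-OutlookClosed
    Get-ChildItem -Path $ProtectDir -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -like "S-1-5-21-*$Suffix" } |
        ForEach-Object {
            $original  = $_.Name.Substring(0, $_.Name.Length - $Suffix.Length)
            $recreated = Join-Path $ProtectDir $original
            if (Test-Path -Path $recreated) {
                # Folder created while the test was running; delete it so the
                # pre-existing folder can take its name back.
                Remove-Item -Path $recreated -Recurse -Force
            }
            Rename-Item -Path $_.FullName -NewName $original -Force
            Write-Output "Restored $original"
        }
}

# Step 1: Suspend-DpapiFolders, then reopen Outlook and re-enter the password.
# Step 2: if the password still is not saved, close Outlook and run
#         Restore-DpapiFolders so other DPAPI-dependent programs keep their data.
```

Run it in the affected user's own session, since `%APPDATA%` resolves per user.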
4. A damaged Outlook user profile
Outlook segregates each user’s data on a given machine into separate profiles. You can manipulate this data manually, which comes in handy if you have several users sharing the same PC. It’s also useful if you want to switch an instance of Outlook between multiple mail configurations.
If the profile is damaged, whether from an Outlook crash or a disk error, then passwords may not be cached correctly in the profile. To access a list of Outlook profiles, navigate to Mail in the Control Panel. Try creating a new profile and use the new profile to see if the problem disappears. You can also delete the existing profile, but if you find out that this has nothing to do with the Outlook problem, you’ve trashed it for nothing.
ABOUT THE AUTHOR:
Serdar Yegulalp has been writing about computers and IT for more than 15 years for a variety of publications, including SearchWinIT.com, SearchExchange.com, InformationWeek and Windows magazine.