Outlook 2003 prompts for logon credentials when connected over a Cisco VPN

JGood

I'm having an issue with Outlook 2003 running on WinXP Pro SP2 in an
Exchange Server 2003 environment. Two people with laptops have the
same issue. When they connect using Cisco VPN client (ver
4.8.01.0300) from home, Outlook prompts for username and password.
Entering the correct info does not help - the prompt just comes back
even after multiple attempts. The VPN client has no problem
connecting and staying connected as they can access other network
resources. This problem just began occurring a few days ago. Outlook
is not set to prompt for a password. When they are connected to our
office LAN there is no issue. Also, the issue does not occur when
using a wireless broadband internet service - only when using their
ISPs at home (wired or wireless). This is not an ISP issue as I had
one of the people take an identically configured spare laptop home and
it works fine. I have un/reinstalled the VPN client several times and
checked their Outlook profiles to make sure they are the same as the
other users here. Any ideas? Anybody seen this before? If this is
not the correct group for this issue, please advise me of the correct
group. Thanks!
 
neo [mvp outlook]

Change Outlook 2003's authentication type to NTLM. (The default is
Kerberos/NTLM and considering Kerberos tends to be more UDP than TCP, it
gets dropped by the VPN client software)

The setting I'm talking about is in the profile's advanced settings area
under the security tab.
 
JGood

Interesting. I had thought about trying this, but why would one
laptop work and another one not work with both using the default
setting of Kerberos/NTLM? Also, another thing I forgot to mention is
that OWA does not work via VPN on the laptop in question, but does
work on the other one. Thanks.
 
neo [mvp outlook]

The size of the Kerb packet goes up based on how many groups one belongs to.
More groups, the bigger the UDP packet, at a certain UDP packet size, the
VPN software doesn't like it and drops it rather than pass it thru.

If OWA doesn't work internally via VPN connection, then I would check DNS
name resolution. (Same would hold true for Outlook. If DNS/WINS resolution
isn't working correctly, then you could see issues where it can't connect.)




 
JGood

Thanks for the quick response. What "groups" are you referring to in
this context? If you mean network user groups, this client is only in
one group. Your explanation about the UDP packets makes sense, but I
still don't see how that explains why one laptop works and the other
doesn't. The DNS/WINS configuration is exactly the same on the 2
laptops and nothing has changed with our VPN setup. Other users are
not having any issues. It would seem to be a laptop issue, but we
have 2 with the same issue. Thanks.
 
neo [mvp outlook]

Groups = Active Directory groups


Let's start with the basics and rule out name resolution issues. Connect to
the corp backbone via Cisco VPN client. Once connected, test DNS/WINS name
resolution. The commands I'm thinking of are...

nslookup -q=A fqdn.exchange.server
nslookup -q=A fqdn.domain.controller
nslookup -q=A fqdn.global.catalog.domain.controller

ping -a ip.address.of.exchange.server
ping -a ip.address.of.domain.controller
ping -a ip.address.of.global.catalog.domain.controller

nbtstat -a netbios.name.exchange.server
nbtstat -a netbios.name.domain.controller
nbtstat -a netbios.name.global.catalog.domain.controller

The other question I would ask: does your VPN client software include a
stateful firewall? Most corps I know tend to use something that integrates
well with their VPN solution in order to do some sort of network access
control and I just want to make sure you ruled this out.

 
JGood

Well, after allowing some time to pass, with no configuration changes
made to anything, one of the laptops in question is no longer
prompting for logon credentials in Outlook via VPN. The other laptop
in question needed a software rebuild (reinstalled Windows XP and all
apps from scratch) for unrelated reasons and so far so good with it as
well. I tested DNS/WINS name resolution over a VPN connection with
all of the commands you listed and the results were correct. The
Cisco VPN client we use is ver 4.8.01.0300 and it does include a
stateful firewall, but it is turned off by default. If I see this
issue again I will have the client check the firewall setting
first and will also have them change Outlook 2003's authentication
type to NTLM if need be. So, this seems to be an intermittent issue.
Could the number of clients attempting to connect simultaneously at a
given time cause the issue? Any further advice? Thanks for the help.
 
JGood

Update to above info: The issue has returned on the laptop I
rebuilt. I'll check the firewall setting and the authentication
setting in Outlook, but I don't see how the auth setting would affect
OWA? Thanks.
 
neo [mvp outlook]

It shouldn't. When things get quirky over a VPN the first two things that
pop to mind are dns/wins resolution and outlook 2003/7's kerberos
authentication. Since you ruled out name resolution, how does Outlook
connect to your Exchange 2003/7 backend (e.g. RPC over HTTPS or RPC over
TCP)? A good way to find this out is to start Outlook with the /rpcdiag
switch.

Another thing you can try is the RPCPing utility. This is a very good
utility to help diagnose connectivity issues.

 
JGood

I used the /rpcdiag switch in the office this morning and it shows
TCP. I'll have to wait until tonight at home to see what results I
get over VPN. This should be helpful. However, I did a search of my
XP laptop, mail server, and domain controller, but couldn't find the
RPCPing utility. Is it part of an admin utility pack? Thanks.
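
An added illustration of the size threshold neo describes earlier in the thread (not part of any post, and not Cisco's or Microsoft's code). It assumes the cutoff comes from IPv4 fragmentation at a hop that discards fragmented UDP; the tunnel MTU and the message sizes are constructed for the example.

```python
# Added illustration; all sizes below are constructed, not measured values.
IP_HEADER = 20   # bytes, IPv4 header without options
UDP_HEADER = 8   # bytes

def ip_fragments(udp_payload_len, mtu):
    """Split one UDP datagram into IPv4 fragments for a link with this MTU.

    Returns a list of (offset_in_bytes, data_len) tuples, one per fragment.
    Every fragment except the last must carry a multiple of 8 data bytes,
    because the IPv4 fragment-offset field counts in 8-byte units.
    """
    if mtu < IP_HEADER + 8:
        raise ValueError("MTU too small to carry any fragment data")
    total = UDP_HEADER + udp_payload_len        # bytes the IP layer must carry
    if total <= mtu - IP_HEADER:                # fits in one packet as-is
        return [(0, total)]
    per_fragment = (mtu - IP_HEADER) // 8 * 8   # usable data bytes per fragment
    fragments, offset = [], 0
    while offset < total:
        size = min(per_fragment, total - offset)
        fragments.append((offset, size))
        offset += size
    return fragments

def passes(udp_payload_len, mtu, drops_fragments=True):
    """True if the datagram gets through a hop that discards fragmented UDP.

    The fragment-dropping hop is a hypothetical stand-in for the VPN client.
    """
    return len(ip_fragments(udp_payload_len, mtu)) == 1 or not drops_fragments

def largest_unfragmented_payload(mtu):
    """Biggest UDP payload that still fits in a single IPv4 packet."""
    return mtu - IP_HEADER - UDP_HEADER

if __name__ == "__main__":
    TUNNEL_MTU = 1300  # assumed effective MTU inside the VPN tunnel
    # Constructed Kerberos message sizes: few groups vs. many groups.
    for label, size in [("few groups", 1100), ("many groups", 1900)]:
        frags = ip_fragments(size, TUNNEL_MTU)
        print(f"{label}: {size} B payload -> {len(frags)} fragment(s), "
              f"passes={passes(size, TUNNEL_MTU)}")
    print("limit:", largest_unfragmented_payload(TUNNEL_MTU), "bytes")
```

Under these assumptions the same profile can work for one account and fail for another purely because of message size, while TCP-based traffic on the same tunnel is unaffected.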
 
