Outlook troubleshooting: Outlook keeps prompting for password

Credits

Originally posted at personal blog: Identityunderground.  Republished for community purpose.

Overview

Issue: when opening Outlook and afterwards on a regular intervals afterwards, Outlook keeps prompting for a password multiple times (x5 or more), even when the password is correct.

The error/connection message is sent to the desktop foreground on top of other applications.

Even when the password is ok, the message is thrown again multiple times, when the Outlook client is checking for mail, at certain intervals...

[Solution Spoiler = configure the registry to enable ExcludeExplicitO365Endpoint, but there might be other options for your case...]

Product version

In this specific situation, the products below were involved. The issue might also apply to other versions

• Office version= Microsoft 365
• Outlook version Microsoft® Outlook® for Microsoft 365 MSO (Version 2109 Build 16.0.14430.20224) 64-bit
• Exchange server version 15.1.2308.4008. (on premises)

Additional information

Type of mailbox

In this case, the issue was related to connecting to a functional/shared mailbox.
Connection to the personal mailbox was working fine, at first sight.

Standalone vs Domain

In this particular case, the PC was not connected to the domain of the Exchange server.

But also important connection on Outlook from domain joined PC is ok, no reconnection message.

[More on this at the end of the article, as the domain client had specific GPO policies configured, ...]

Multiple mail accounts

Outlook connected to multiple mail accounts (so removing Outlook completely, was not really an option...)

No issue on phone

Connecting the same account on a smartphone, works fine.

Symptoms

Error message

No explicit error message but you get a window with

"Windows security

Microsoft Outlook

Connecting to <... mailbox ...>

Remember my credentials"

Error screen

Troubleshooting

Account credentials

• Tried to change password (password reset)
• Tried to remove password in Microsoft credential manager
  • See Accessing Credential Manager: https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0

WARNING:

you might end up with a locked user account if you enter the wrong credentials by accident while outlook keeps popping up the password request. Better double check your password and better NOT enter it again, or change it in the password request. But you'll get this request multiple times in a few seconds, that it can be quite annoying to get past it.

Mail account

• Tried to reinstall the mail account.
• Removed the mail account and reinstalled mail account.

Configuration panel - Mail profile

Create a new Outlook profile (do NOT remove the existing Outlook profile) and add ONLY the problematic account. Set it to ONLINE mode (disable caching mode)

You can manage this option via Control Panel > mail

Alternatively, when reinstalling the mail account in outlook, disable the option "Use cached Exchange Mode to download email to an Outlook data file".

Check Outlook connection status

When Outlook is active, you'll find an Outlook icon in the task bar...

To check the Outlook connection status you need to hold the CTRL button and then right click on the Outlook icon.

Then click "Connection Status..."

Check if you see the personal mailbox and shared mailbox connection.

Test Email AutoConfiguration...

When Outlook is active, you'll find an Outlook icon in the task bar...

To check the Outlook connection status you need to hold the CTRL button and then right click on the Outlook icon.

Then click "Test Email AutoConfiguration..."

In the menu enter the mail address of the target mailbox, in this case it's a share mailbox with a specific mail address.

Very likely you'll see a bunch of autodiscover failures like:

Alternative - Network analysis with Fiddler

You can collect a network log with Fiddler or other network sniffer

www.telerik.com

1. Install Fiddler.
2. Select decrypt https traffic

1. Close fiddler
2. Close all programs, messengers, browser etc.
3. Start Fiddler
4. Start Outlook and wait until problem comes up
5. When problem appears STOP fiddler and close Outlook
6. Check the log files and see if you can detect the issue.

Solution

Policy control via registry setting

Source: Outlook 2016 implementation of Autodiscover

This applies to 2016 2019 etc… as well.

The policy values that are defined the Autodiscover Process section can be either policy-based registry values or non–policy-based values.  When they are deployed through GPO, or manual configuration of the policies key, the settings take precedence over the non-policy key.

Non-Policy Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover

Policy Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover

Each value is of type DWORD.

So to exclude Office365 checking point we add following key:

ExcludeExplicitO365Endpoint and set the value to 1.

This setting is registry for client only.

Outlook will skip checking Office365 Endpoint for Autodiscover.

If you have already configured XML autodiscover it should not affect the existing setting as the information are stored in this XML file locally anyway so Outlook will know how to connect.

Outlook as priority always prefer local XML configuration. Then in case it cannot obtain certain data goes to another check point. So apart from first two steps  Outlook 2016 implementation of Autodiscover (microsoft.com) there are checking points we can configure how Outlook should obtain certain information. We can disable them or force them.

You can give it a try if this won’t work as desired you can always revert the changes.

Always make a copy of your registry before you change anything in the registry.

There is no really any other way from the client perspective.

In our case we can see many redirections and autodiscover failures. Not sure why, looks like Outlook refers to some old data or old domain URLS or cannot obtain properly Autodiscover configuration file and it is trying different combinations to guess which link for Autodiscover is working.

Once it calls for HTTPS Autodiscover of the correct link it gets timeouts... which might also indicate firewall issue or something.

Then it tries unencrypted HTTP and it succeeds. Now it redirects to Autodiscover configuration link. But it takes a few attempts to get there.

That's why you get multiple popups of the error message / or the password prompt.

Why the issue did not hit the domain joined mail clients?

The mail administrator had following options configured already:

Setting the options for

• DisableAutodiscoverV2Service = 1
• ExcludeExplicitO365Endpoint = 1
• excludehttpredirect = 1
• excludehttpsautodiscoverdomain = 1
• excludehttpsrootdomain = 1
• excludelastknowngoodurl = 1
• excludeScpLookup = 1
• excludesrvrecord = 0
• zeroconfigexchangeonce = 1

References

• Outlook 2016 implementation of Autodiscover (microsoft.com)
• Enable and collect Outlook logs to troubleshoot profile creation issues: https://docs.microsoft.com/en-us/outlook/troubleshoot/performance/enable-and-collect-logs-for-profile-creation-issues