Two Login Prompts for Communicator Outside the Firewall?

  • Question

  • When launching Communicator outside the firewall, our users (running machines that are on the Domain) receive two login prompts for their Domain credentials:

    1. The OCS Web Components server
    2. The Exchange Autodiscover server

    Is there a way we can reduce this down to one prompt - or zero?


    It seems that to get it down to one prompt we would need SSO enabled on all services that Communicator needs to access through the ISA server.  I was not able to get the rule to publish the OCS Web Components working with SSO because you have to disable HTML Form Authentication and we use that for all of our other services.  So, both our Exchange Autodiscover and RPC/HTTP rules share a listener with SSO enabled along with HTML forms auth.


    Anyone found a way around this?




    Friday, January 25, 2008 5:12 AM

All replies

  • Bump. I'd be curious as well since I ran into the same problem. Seems to happen only for users w/ an Exchange 2007 mailbox + Outlook 2007.
    Friday, April 18, 2008 10:36 PM
  • There is a good article from Jens Trier which describes this issue. The most common reason for having these errors is that the autodiscover.<domainname> didn't have the correct common name (so the cert name must be exactly the same as the name in Exchange). The other option is strange. Can you do some debugging or send me some debug logs for investigation?


    Joachim Farla

    http://unified-communications.blogspot.com (RSS enabled)


    Monday, April 21, 2008 5:57 PM
  • Do you have a link to the article? I couldn't find anything you mentioned except in regards to OC Phone Edition.

    I DID find a way to make this work, although it's a giant security hole. I created 2 rules in ISA, both using the same web listener with the lowest common denominator - the OCS requirements. So it was a no authentication, SSL listener, wildcard certificate. For each rule I chose the "Client may authenticate" option. Outlook Anywhere was configured for basic auth on Exchange.

    Using those settings, the hole to Exchange was open and when the client hit the server it would fail and prompt for credentials, but it would do it only once and it was the Exchange server requesting authentication. I never saw a prompt for Autodiscover. Obviously this isn't ideal because it completely negates the purpose of letting ISA do the authentication for the client, but it works.

    Right now I'm testing with NTLM auth between ISA and Exchange to see if that has any effect. Maybe because OCS was using NTLM authentication and Exchange was using basic caused the prompt? Just a theory at this point. I'll post with my results.
    Monday, April 21, 2008 6:50 PM

    As Joachim noted, it's likely a cert issue where the cert doesn't have a SAN matching the autodiscover.domain.com. It could also be that the root cert for the OCS cert isn't trusted (only a problem if you use internal/non-trusted certs).



    Tuesday, May 6, 2008 12:13 AM
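
    The SAN check suggested in the replies above, as an added example that is not part of the original thread: it lists which of the hostnames a client reaches through one shared listener are not covered by that listener's certificate. The hostnames and SAN lists are constructed placeholders, and the matching follows the usual RFC 6125 rules (an assumption, not a statement of how Communicator or Outlook validate names).

```python
# Added example; every hostname and SAN list here is a constructed placeholder.

def san_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and must be
        # followed by at least two fixed labels ("*.com" is rejected).
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial wildcards such as "auto*.example.com"
    return p == h


def uncovered_names(san_entries, required_hosts):
    """Return the required hostnames that no SAN entry covers."""
    return [host for host in required_hosts
            if not any(san_matches(san, host) for san in san_entries)]


# Names a client would resolve through the shared listener (constructed).
REQUIRED = [
    "ocsweb.example.com",            # OCS Web Components
    "autodiscover.example.com",      # Exchange Autodiscover
    "mail.example.com",              # Outlook Anywhere / web services
]

# Certificate A: autodiscover was left off the SAN list.
CERT_A = ["mail.example.com", "ocsweb.example.com"]
# Certificate B: a wildcard, as used on the listener described earlier.
CERT_B = ["*.example.com"]

if __name__ == "__main__":
    print("cert A misses:", uncovered_names(CERT_A, REQUIRED))
    print("cert B misses:", uncovered_names(CERT_B, REQUIRED))
    # A wildcard does not reach a second level of subdomain.
    print("cert B misses:",
          uncovered_names(CERT_B, ["autodiscover.emea.example.com"]))
```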
  •  We are having the exact same issue as the original post.  We have OCS 2007, Access Edge, and AV Edge servers.  We also utilize ISA.  All of it is working.   When logging into Communicator client it prompts for the autodiscover and Exchange Web Services credentials.  Any solution yet?
    Monday, January 26, 2009 6:51 PM
  • I have the same but I'm pretty sure that autodiscover is ok.

    I have read somewhere that OC does not reuse/share the MAPI session used by Outlook, thus you have two logins for MAPI session (one for Outlook and one for OC) and one login for OC authentication at OCS.


    Johann Deutinger | MCTS Exchange 2007 / OCS 2007
    Monday, January 26, 2009 8:57 PM
  • Check this out mate, it might fix your problem:
    Saturday, March 7, 2009 5:20 AM