Although we are no longer witnessing exchange password prompts, upon migration to Lync from communicator, we now see command prompts from Lync when both Outlook and Lync are started OUTSIDE the network, so over the edge and outlook anywhere WITHOUT vpn. Although yet to widely deploy we are seeing this behaviour consistently in our pilot and I’ve been unable to resolve the issue. Unlike the other post referring to this, these prompts are dismissable and do not return (you just get the red bangs)
I have just opened an MS case on this and although awaiting further info, they seem fairly convinced it is our use of Kerberos-Constrained Delegation on the outlook anywhere site that Lync is trying to use that causes the recurring issue. This particular set of authorisation prompts crops up when Lync attempts to get calendar information from. If you disable windows integrated authentication in IE, it goes away. This problem is utterly unrelated to the Lync infrastructure.
When I have more clarity from the engineers I will post back though it seems that they want to change our authentication method for EWS/outlookanywhere on our TMG listener for the exchange CAS so we no longer use KCD. I’ve tried all manner of solutions, the only thing that gets rid of the prompts in the meantime is disabling integrated authentication in IE as per a number of technet articles, this isn’t a great solution however as may cause problems for other apps and will require touching every machine or deploying by gpo.
If you aren’t using KCD you may have some luck with this http://msexchangeanywhere.wordpress.com/2011/12/29/how-to-fix-lync-services-signin-type-your-user-name-and-password-to-connect-for-retrieving-calendar-data-from-outlook/.
MS tech got back to me – it seems Lync definitely doesn’t like KCD on OutlookAnywhere. Microsoft’s engineers recommendation is to allow exchange to do direct authentication rather than allowing TMG to proxy/pre authorise, for us this involved two changes:
- Change authentication method on your outlook anywhere rule in TMG from ‘Kerberos Constrained Delegation’ to ‘No delegation, but client may authenticate directly’.
- Add ‘All Users’ to the allowed user sets on the rule.
Once this was applied, no more authentication requests.
No changes needed to the listener providing it is set up as MS ask.
I will update after speaking to the engineer with any further explanation.
Having been round in circles for months on this, please don’t hesitate to contact me if you are having similar issues.