Users can not login to Outlook and OWA, password asks repeatedly

Hy!

Yesterday I installed the CU14 and applying the latest SU and Hotfix Update. Today I cannot login to my mailbox, the password asks repeatedly. What was the wrong? How can I repair it?

And also, when I open the Exchange Management Shell, I got the following error:

New-PSSession : [servername] Connecting to remote server servername failed with the following err

or message : For more information, see the about_Remote_Troubleshooting Help topic.

At line:1 char:1

New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Micr ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin

gTransportException
FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed

Please help me!

in exchangeserverby Brilliant-Extent2684

86%

30d

Brilliant-Extent2684

30d

For now, I disabled the Extended Protection, I use this MS script for it:

https://microsoft.github.io/CSS-Exchange/Security/ExchangeExtendedProtectionManagement/

The solution is the Exchange Management Shell error, what I wrote in the topic:

https://techcommunity.microsoft.com/t5/exchange/eac-issue-after-exchange-2019-cu14-install/m-p/4061435

After I talked Microsoft support, I found the port 443/SSL certificate binding on Default Website and Exchange Backend sites in IIS manager changed somehow on Exchange servers after CU14 (Or the binding used to work before CU14).

Default Website 443 binding should be set to public certificate and IP address set to "All Unassigned".
Exchange Backed site binding should be set with self-signed Exchange certificate and also set to "All unassigned".

After I made changes, I have refreshed the Application pools (or do a IISReset). It worked for me.

In IIS --> Sites --> Exchange Back End --> ECP --> Authentication --> Windows Authentication --> Advanced Settings --> Set Extended Protection to "Off"
Do the same for Powershell under Exchange Back End.
Do an IISReset to restart IIS.

After it, I can use the Exchange Management Shell and can run this command to disable the Extended Protection with script:

.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

After it, the users can login to their mailbox and the Outlook don't ask their password repeatedly.

ie-sudoroot

30d

Sounds like that’s Friday done… off to the pub!

Brilliant-Extent2684

30d

Yes, the weekend is started! :)

Barfmaster75

30d

.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

That only "SHOWS" the current status of ExtendedProtection

joeykins82

SystemDefaultTlsVersions is your friend

30d

In your load balancer’s config, disable SSL offloading and ensure that you are re-encrypting HTTPS traffic with the same cert/key combo.

Use the GPMC to identify where in your domain’s config you have the LAN Manager Authentication Level policy set. My recommendation is that in your Default Domain Policy and Default Domain Controllers Policy this setting should be set to level 4 (Send NTLMv2 only. Refuse LM.). If this policy setting is set to other values in other GPOs, clear those instances.

Look up the article for configuring Kerberos in a load balanced environment: you need to create a computer account for use as an ASA credential, deploy that credential to all servers with the script, and then register your Exchange namespace SPNs against that ASA. This will upgrade your auth mechanism from NTLM to Kerberos which is both more secure and generates less “work” for your clients, your Exchange servers, and your domain controllers.

Brilliant-Extent2684

30d

I checked the LAN Manager Authentication Level on Default Domain Policy and Default Domain Controllers Policy, and the setting is Not Definied.

Can I apply this setting only for Exchange server? Or is it require to the whole domain?

Can I apply this in regsitry?

joeykins82

SystemDefaultTlsVersions is your friend

30d

What about your other policies? Is it set somewhere else? Policy is the best place for this. Are there other policies that are overriding this setting? It needs to be to all systems because it sets both the client and server operating mode for NTLM versions, so if you have clients that are being told to only use NTLMv1 they’ll fail negotiation.

Have you checked your SSL offloading status and started work on upgrading to Kerberos?

Captain_Lykke

30d

Did you activate extended protection and made sure all requirmenrs where set?

My first guess would be that your still on NTLMv1, which is no longer supported with extended protection

Brilliant-Extent2684

30d

I didn't activate manually the extended protection. I think enable it the CU14 installation.

Captain_Lykke

30d

EP is activated within the CU update, unless you tell it not to do. NTLNv1 clients are no longer supported after EP so you need to make sure to swap them to NTLMv2 atleast.

Most Password related problems after cu 14 Update are EP / NTLM based

Final-Show9998

30d

Yep it has appened to me last month, disable ntlmv1, enable ntlmv2 via GPO and everything is fine!

ample_space

30d

did you install the CU from an elevated CLI?

Brilliant-Extent2684

30d

I run the CU install with GUI.

ample_space

28d