We released an update for Rollup 8 for Exchange Server 2007 Service Pack 1 (KB 968012) back on May 26th, 2009. When Exchange 2007 is running on a Windows Server 2008, the Exchange 2007 clients may be repeatedly prompted for their credentials during Outlook Anywhere session, or an OAB download will be perceived to hang forever.

This issue occurs when NTLM Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box for the Outlook profile on the client computer. This issue does not occur if Basic Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box.

By default, Kernel Mode Authentication is enabled in Internet Information Services (IIS) 7.0 on the Client Access server. To resolve this issue, disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008.

The Fix

To disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008

  • At a command prompt, type the following command, and then press ENTER:

    %systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

Running the following command will verify that the changes have taken place:

C:\Windows\System32\inetsrv>appcmd.exe list config /section:WindowsAuthentication

<system.webServer>
   <security>
     <authentication>
       <windowsAuthentication enabled="false" useKernelMode="false">
         <providers>
           <add value="Negotiate" />
           <add value="NTLM" />
         </providers>
       </windowsAuthentication>
     </authentication>
   </security>
</system.webServer>

NOTE: Installing an Exchange Rollup or IU should never change a web.config file on a server. Running this command is a manual step that must be preformed, and is outlined in the following TechNet documentation:

http://technet.microsoft.com/en-us/library/bb123889.aspx

Dave