Outlook 2016 Password Silliness and Unable to Add New AD Accounts

I have seen this all over the web and no one had the answer that worked for me until I found a clue hidden in an update.

The symptoms (in my case):
Outlook 2016 suddenly (after an update) starts asking for a password. Although it seems to take the password and username eventually on some machines, more often than not it’ll keep asking.
In this case we are using Exchange 2010. There is a mixed bag of machines on the network and it's only the 2016 machines that are doing this. Most of the time cancelling the dialog would make Outlook behave for a while, but one or two machines were behaving oddly.

Reset everything in Credential Manager, forced the autodetection via registry, rebuilt the profiles (more on that in a sec), reset passwords, reinstalled Office, tried a fresh install; in fact NOTHING worked.

When we created new profiles we could not get them to work; they would not log in no matter what we tried. However, OWA was fine with the same details.

At this point we are three months in…

So a few days ago, with the intention of doing something else entirely, I looked a bit deeper. Ran the connection diagnostics and noticed that was coming back clear. Isolated the machine from the net and BOOM! Prompt gone, Outlook goes back to normal. Allow access to the net again and the prompt is back. So some sniffing at the firewall, and Outlook is talking to something at Microsoft prior to even looking at the AD/Exchange servers. A red flag is coming up at this point.

Office 16.0.6741.2017 added support for something called Direct Connect to Office 365. A few people flagged up that during migrations this ‘feature’ can screw up where Outlook goes to get mail and cause all manner of stuff-ups. The recommendation is that during a migration you set a registry key:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\autodiscover
DWORD: ExcludeExplicitO365Endpoint
Value = 1

So I set this key and bam! Again, Outlook is behaving. Then it dawned on me. When 365 launched it was being given away like candy by a number of businesses including BT. Both sites where I’ve seen this are/were BT customers and both had been given free 365 accounts. These accounts were long defunct but apparently still there. As we migrated them to AD and Exchange the email addresses would be the same; of course we changed the passwords for most, but not all. Where the passwords were not changed the login would work and Outlook would behave normally, but things like checking for email automatically or calendar events were not quite right. Changing the password on one of these accounts broke it like the others. Disabling the “feature” put everything back to normal.

So the new profile I created for myself didn’t work because I had never had an account on 365. Outlook was trying to log into the now no-good account for the customers’ domain with details that never existed, failing, and then not even trying AD. When the registry change was installed I could set up a new account.

Long story short, it seems that MS didn't think that people would ever move away from 365, and by assuming that O365 is ALWAYS authoritative over internal AD and DNS it means that anywhere O365 has been in place in the past on a domain, you are going to get this error. Of course, if the domain has never had an account, O365 just denies all knowledge and we fall back to AD without ever knowing.

I’m not sure when overriding settings put in place by an admin became a good idea, but it's just another part of the huge train wreck that Microsoft QA has become.
