
I/we have a problem with our Windows Server 2008 forest and Exchange. We are buying Exchange hosting from another firm and the Exchange Server is in their Windows Server 2008 forest. So we have two forests, and there aren't any trusts between these two forests. Our own forest logon name is first.surname@firm.com, and we also use the same email address to log on to the Exchange mailbox.

Everything works fine if both our AD account and Exchange mailbox account have the same password, but if the passwords don't match, our AD account gets locked out. I have tried to figure out why Outlook sends false logon attempts to our AD. If someone can help, please do.

HopelessN00b
  • Something weird going on with the two ADs. Try an experiment .. use a different username on the local network, and see what happens. – tomjedrz Aug 26 '09 at 20:19
  • Tried that, everything works fine when the username isn't the same as in our case, where it's the email address. – Aug 26 '09 at 20:22
  • Please post some details about how the Exchange account is configured in Outlook .. perhaps screen shots of the profile screens. – tomjedrz Aug 26 '09 at 20:45

4 Answers


As your usernames are the same, this is going to be a problem. Outlook will first attempt single sign-on by using the currently logged-in user's credentials. As the username matches the one in the other forest, you are going to get account lockouts when the passwords do not match.

Ideally, you would create a trust relationship between forests and then give your users Full Access to the mailboxes in the Exchange forest.

If that is not possible, you could try forcing Outlook to prompt for logon credentials every time it is opened by checking the box below (Advanced settings on the mailbox setup in Outlook).

(screenshot: Outlook prompt for logon)

I guess a last option would be to rename the accounts (or use a different UPN) in one of the domains.

Glorfindel
Doug Luxem

Clearly Outlook is confused about the domains. I suggest that you try and authenticate to the Exchange server without the "@firm.com". I suspect that Outlook is interpreting that to mean that the user authenticates in the firm.com domain, which it knows all about!

tomjedrz

Outlook first tries with the credentials used to sign in to the PC. If the username matches that in AD but the password is different, then it will lock the account.

See also Unexpected Account Lockouts Caused When Logging On to Outlook from an Untrusted Domain.

masegaloeh

I think I have the same issue as you, with a Hosted email provider and the same UserPrincipalName for our users and their email accounts. And I don't believe the other answers have the problem in the right order[1].

When Outlook tries to use the local credentials to open the Hosted Email, it fails gracefully and asks for the password. You put in your Hosted Email password, and Outlook makes a connection and is happy. But then in the background, Outlook seems to use the Hosted Email password to try to connect to your local Active Directory, and not only tries once but tries repeatedly and silently locks the AD account.

This is exactly what is happening to us right now, about 8 years after you raised the question/issue. Did anyone ever come up with a real solution?

One workaround is to set a different UPN for users, then it doesn't match and it won't lock the account. It's still a bad alternative, as we get thousands of "bad user" messages in AD when Outlook tries and fails on the username. And for us, it's unworkable as we are now migrating to O365 and need the UPN to be correct in order to use AD-Connect.


[1] The reason I'm criticizing the other answers is they are inferring the local AD credentials are being passed to the Hosted Email, and if that were the case the Hosted Email accounts would be getting locked out, not the local AD accounts. Completely different.

Wolske
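An added diagnostic for the lockout pattern the first and last answers describe (example code written for this page, not posted by any of the participants): for every locked-out user it reads event 4740 from the PDC emulator to find the caller computer (the client where Outlook runs), counts the wrong-password validations in event 4776 per workstation so the repeated silent retries become visible, and flags accounts whose UPN equals their mail attribute, which is the name collision at the root of the thread. It assumes the RSAT ActiveDirectory module, PowerShell 3.0 or later on the admin workstation, and rights to read the PDC emulator's Security log; the parameter names and the report columns are this example's own.

```powershell
<#
  Added example, not from the thread. Lockout triage for the "same UPN in an
  untrusted forest" situation described in the question. Assumptions:
  RSAT ActiveDirectory module, PowerShell 3.0+, read access to the PDC
  emulator's Security log (lockouts are always recorded there).
#>
[CmdletBinding()]
param(
    [int]$Hours = 24,                        # how far back to read the Security log
    [string]$Domain = $env:USERDNSDOMAIN     # domain to examine
)

Import-Module ActiveDirectory -ErrorAction Stop

$since = (Get-Date).AddHours(-$Hours)
$pdc   = (Get-ADDomain -Identity $Domain).PDCEmulator

# Turn an event's <EventData> into an object keyed by field name, so the script
# does not depend on the positional order of $Event.Properties[].
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return [pscustomobject]$h
}

$filter = @{ LogName = 'Security'; StartTime = $since }

# 4740 "A user account was locked out": TargetDomainName carries the caller computer name.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable ($filter + @{ Id = 4740 }) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Caller = $d.TargetDomainName }
    }

# 4776 "The computer attempted to validate the credentials": Status 0xC000006A = wrong password.
# One row per (user, workstation) with the number of failed validations.
$badPw = Get-WinEvent -ComputerName $pdc -FilterHashtable ($filter + @{ Id = 4776 }) -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventData $_ } |
    Where-Object { $_.Status -eq '0xC000006A' } |      # -eq on strings is case-insensitive
    Group-Object TargetUserName, Workstation |
    ForEach-Object {
        [pscustomobject]@{ User = $_.Values[0]; Workstation = $_.Values[1]; Count = $_.Count }
    }

$report = foreach ($acct in Search-ADAccount -LockedOut -UsersOnly -Server $pdc) {
    $u = Get-ADUser $acct.SamAccountName -Server $pdc -Properties UserPrincipalName, mail, badPwdCount
    # 4776 logs whatever name the client sent; Outlook in this scenario sends the UPN.
    $names = @($u.SamAccountName, $u.UserPrincipalName) | Where-Object { $_ }
    [pscustomobject]@{
        User          = $u.SamAccountName
        UPN           = $u.UserPrincipalName
        Mail          = $u.mail
        UpnEqualsMail = [bool]($u.mail -and ($u.UserPrincipalName -eq $u.mail))
        BadPwdCount   = $u.badPwdCount
        LockedFrom    = ($lockouts | Where-Object User -in $names | Select-Object -Last 1).Caller
        BadPasswords  = ($badPw | Where-Object User -in $names |
                         ForEach-Object { "$($_.Workstation): $($_.Count)" }) -join '; '
    }
}
$report | Format-Table -AutoSize
```

Read the output as follows: LockedFrom names the machine that triggered the lockout, which in this scenario should be the user's own workstation rather than a server; BadPasswords rising by several failures within seconds from that same workstation, without the user typing anything, is the background retry the last answer describes; and UpnEqualsMail confirms that the name the hosted Exchange side asks for is identical to the local UPN, so the two password stores are being probed with each other's secret. If a different UPN is set as a workaround, the 4776 rows for that user should turn into status 0xC0000064 (unknown user) instead of 0xC000006A, which is the "bad user" noise the last answer warns about.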