Having dealt with XP in other Exchange 2013 environments we tried all the usual tricks:
- Update Office 2007 / 2010 to the correct hotfix level
- Edit the lmcompatibility level in the registry of the XP box by locating the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Change the lmcompatibilitylevel value to 2 or 3 (we used 3), then restart the computer.
- Run “Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.domain.com”
- Manually set the security in the Outlook client to NTLM.
- Change the OWA authentication methods to the following:
InternalHostname : email.domain.com
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
But none of these worked! The unique thing about this customer’s setup compared to others was that they were using a wildcard cert. We noticed that the cert SAN name for OutlookProvider was set to “mail.domain.com” and it really should’ve been “*.domain.com”. Here is the command that saved the day.
Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.domain.com
Run “Get-OutlookProvider | fl” to confirm the settings, then wait a few minutes and try again. We had to open Outlook once with a failure to log in, then close Outlook and start it again. The continual login prompt was gone!
Side note: For the Set-OutlookProvider command, EXCH is for internal OWA clients and EXPR is for external clients.
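The wildcard mismatch described above can be checked on the server before touching a client. The following PowerShell is an added example, not part of the original post; it assumes, as the fix above indicates, that the msstd: value has to equal the certificate's subject name literally. The function names, status labels and sample values are constructed for illustration.

```powershell
# Compare each Outlook provider's CertPrincipalName with the certificate's subject CN.
# Sample data is constructed; on a server, feed in Get-OutlookProvider output and the
# Subject of the certificate returned by Get-ExchangeCertificate for the IIS service.

function Get-SubjectCommonName {
    param([Parameter(Mandatory)][string]$Subject)
    # Pull the CN out of a subject such as "CN=*.domain.com, O=Example".
    if ($Subject -match '(?:^|,\s*)CN=([^,]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-CertPrincipalName {
    param(
        [Parameter(Mandatory)][string]$ProviderName,
        [string]$CertPrincipalName,
        [Parameter(Mandatory)][string]$CertSubject
    )
    $cn     = Get-SubjectCommonName -Subject $CertSubject
    $value  = ($CertPrincipalName -replace '^msstd:', '').Trim()
    $status = 'Mismatch'
    if (-not $cn) { $status = 'NoSubjectCN' }
    elseif (-not $value) { $status = 'NotSet' }
    elseif ($value -eq $cn) { $status = 'Match' }
    elseif ($cn.StartsWith('*.')) {
        # A host one label below the wildcard (mail.domain.com under *.domain.com)
        # is the case from the post: covered by the cert, but not its literal name.
        $suffix = $cn.Substring(1)
        if ($value.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            $label = $value.Substring(0, $value.Length - $suffix.Length)
            if ($label -and $label -notmatch '\.') { $status = 'HostnameUnderWildcard' }
        }
    }
    [pscustomobject]@{
        Provider      = $ProviderName
        Configured    = $CertPrincipalName
        CertificateCN = $cn
        Status        = $status
    }
}

# Constructed sample: a wildcard certificate, one provider fixed and one still on the hostname.
$certSubject = 'CN=*.domain.com, O=Example'
$providers = @(
    [pscustomobject]@{ Name = 'EXCH'; CertPrincipalName = 'msstd:*.domain.com' },
    [pscustomobject]@{ Name = 'EXPR'; CertPrincipalName = 'msstd:mail.domain.com' }
)
$providers | ForEach-Object {
    Test-CertPrincipalName -ProviderName $_.Name -CertPrincipalName $_.CertPrincipalName -CertSubject $certSubject
} | Format-Table -AutoSize
```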