After migrating from Exchange 2003 to 2010, many administrators notice a new authentication behavior where Outlook clients prompt for credentials after server reboots or network interruptions. Unlike the seamless reconnection in Exchange 2003, users now need to enter credentials in domain\username format or restart Outlook entirely.
Exchange 2010 implements stricter Kerberos authentication by default. When the server reboots:
- The service principal names (SPNs) get temporarily invalidated
- Outlook 2010+ clients don't automatically fall back to NTLM
- The RPC client authentication cache gets cleared during disconnection
Add this registry key to force Outlook to retry authentication properly:
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC] "EnableRpcTcpFallback"="1" "ConnectTimeout"=dword:0000001e
For Exchange 2010 specifically, also configure these server-side settings:
Set-RpcClientAccess -Server EXCH01 -TCPKeepAlive $true Set-OutlookProvider -Identity EXPR -Server EXCH01.domain.com -CertPrincipalName msstd:EXCH01.domain.com
Deploy this fix across your domain with Group Policy Preferences or this PowerShell script:
$regPath = "HKCU:\Software\Microsoft\Office\14.0\Outlook\RPC"
if (-not (Test-Path $regPath)) {
New-Item -Path $regPath -Force
}
Set-ItemProperty -Path $regPath -Name "EnableRpcTcpFallback" -Value "1" -Type String
Set-ItemProperty -Path $regPath -Name "ConnectTimeout" -Value 30 -Type DWord
For Outlook 2013/2016 clients, additional caching parameters can help:
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\AutoDiscover] "ExcludeExplicitO365Endpoint"=dword:00000001 "PreferLocalXML"=dword:00000001
Implement this PowerShell check to monitor disconnected clients:
Get-Counter '\MSExchange RpcClientAccess\RPC Averaged Latency' -ComputerName EXCH01 |
Where-Object { $_.CounterSamples.CookedValue -gt 50 } |
ForEach-Object {
Send-MailMessage -From "monitor@domain.com" -To "admin@domain.com"
-Subject "High RPC Latency Detected" -Body "Potential authentication issues"
}
After migrating from Exchange 2003 to 2010, we've encountered an annoying authentication behavior. When the Exchange server reboots or loses connectivity, Outlook clients suddenly demand credentials - requiring users to enter credentials in domain\username format or restart Outlook entirely.
The seamless reconnection in Exchange 2003 was handled by:
1. NTLM authentication fallback
2. Cached Exchange Mode optimizations
3. Simpler RPC communication protocolThe new version implements stricter security protocols:
- Kerberos ticket expiration handling
- RPC over HTTP (Outlook Anywhere) differences
- Autodiscover service behavior changesHere are three approaches to solve this:
1. Registry Fix for Cached Mode
Create a PowerShell script to deploy this registry tweak:
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\14.0\Outlook\RPC"
-Name "EnableRpcTcpFallback" -Value 1 -Type DWORD2. Group Policy Adjustment
Configure these GPO settings via PowerShell:
$gpoParams = @{
Name = "OutlookAuthPolicy"
Key = "HKLM\Software\Policies\Microsoft\Office\14.0\outlook\rpc"
ValueName = "DisableNtlmFallback"
Value = 0
Type = "DWORD"
}
New-GPRegistryValue @gpoParams3. Exchange Web Services Workaround
For developers maintaining custom integrations:
// C# example for EWS authentication handling
ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010);
service.Credentials = new WebCredentials("user", "pass", "domain");
service.EnableScpLookup = false; // Bypass Autodiscover issues
service.AutodiscoverUrl("user@domain.com", RedirectionCallback);Implement this PowerShell check for authentication issues:
Get-EventLog -LogName Application -Source "MSExchange RPC"
-After (Get-Date).AddHours(-1) |
Where-Object {$_.EventID -eq 9646} |
Select-Object -First 10While Exchange 2010's security improvements are valuable, they require proper configuration. The registry tweak combined with Group Policy adjustments typically provides the most reliable solution for most environments.