Additional authentication prompt is displayed when an external network user signs in to an Office Communicator 2007 client

When a user tries to sign in to a Microsoft Office Communicator 2007 client from an external network, an additional credential prompt is displayed to retrieve calendar data from Outlook.�

This issue occurs because the Exchange Server 2007 Client Access server uses both Negotiate and NTLM protocols for authentication to return the available data back to the Office Communicator client. However, Office Communicator uses the NTLM protocol only to negotiate authentication. Therefore, an additional authentication is requested.

To work around this issue, follow any of these steps.

Workaround 1: Enable Integrated Windows Authentication in Internet Explorer

You can retrieve available data through the Autodiscover service on the Office Communicator client. To do this, follow these steps:

1. Open Internet Explorer.
2. On the Tools�menu, click�Internet Options.
3. On the Advanced tab, scroll down to the Security section.
4. Click to clear the Enable Integrated Windows Authentication check box.
5. Click OK.
6. Exit Internet Explorer, and then start Internet Explorer.
   

Workaround 2: Use Registry Editor

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: You can use Registry Editor to enable the NTLM authentication on the Office Communicator client. To do this, follow these steps:�

1. Click Start, and then click Run.
2. In the Open box, type regedit and then click OK.
3. In Registry Editor, select the following registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
4. Right-click EnableNegotiate, and then click Modify.
5. In the Value data box, type 1, and then click OK.
6. On the File menu, click Exit.

Workaround 3: Use Internet Information Services

You can instruct Internet Information Services on the Exchange Server 2007 Client Access server to set NTLM as the first authentication provider in the WWW-Authenticate header. To do this, use the appropriate method for the version of IIS that you have.�

For Internet Information Services 6.0

1. Click Start, and then click Run.
2. Type cmd, and then press ENTER.
3. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
4. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:
   cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
   In this command, WebSite is a placeholder for the Website ID number. The Website ID number of the default Website is 1.
   
   Warning Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.
   
   Note This command fails if the NTAuthenticationProviders�metabase property is not defined. For more information, see the note that is mentioned earlier in this section.
5. Use the following command to enable the�NTLM process:
   cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM,Negotiate"
   
6. Repeat step�4 to verify that the NTLM process has enabled.
7. Restart the IIS Admin Service�that will restart all dependent services on the Exchange Server 2007�Client�Access server.

Note�If you receive an error message when you try to verify that the Negotiate process is enabled, make sure that you did not leave a space between "NTLM" and "Negotiate". For example, "NTLM,Negotiate" differs from "NTLM, Negotiate".

For Internet Information Services 7.0

1. Click Start, and then click Run.
2. Type cmd, and then press ENTER.
3. Locate the directory that contains the Appcmd.exe file. By default, this directory is C:\Windows\System32\inetsrv.
4. Use the following command to retrieve the current values for the WindowsAuthentication metabase property:
   appcmd list config /section:windowsAuthentication
   Warning Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.
5. Use the following commands to remove Negotiate authentication:
   Appcmd.exe set config /section:windowsAuthentication /-providers.[value='Negotiate']
   
6. Use the following commands to add Negotiate authentication:
   appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost
7. Repeat step�4 to verify that the NTLM process has enabled.
8. Restart the IIS Admin Service�that will restart all dependent services on the Exchange Server 2007 Client�Access server.

For more information about the Autodiscover service, visit the following Microsoft website:
For more information about the Integrated Windows authentication, visit the following Microsoft website: