Knowledgebase
Login fails in Outlook Add-In or in Web Access
Posted by Philip Schaffrath on 30 Aug 2018 10:33

Issue: Authentication in the MailStore Outlook add-in or Web Access fails.

Background: Several components are involved when authenticating to MailStore, e.g. the connection to the directory service, the domain membership, client settings, and more. Since an error in any one of these components can cause authentication to fail, it is often not obvious at first sight where exactly the error lies. The most common potential root causes are listed here.


General reasons:


Cause 1:

The client must accept cookies from the MailStore server in order for the logon to be successful. This may be restricted by security guidelines.

You can check the settings under "Control Panel" > "Internet Options" > "Privacy".

A typical symptom of this error is that another login screen, or the redirection to the new Web Access, is displayed within Outlook.


Cause 2:

The logon fails if the hostname of the MailStore server contains an underscore.

Internet Explorer and the Internet Explorer component in Outlook check whether the hostname is a valid DNS name. Underscores are not allowed in DNS hostnames, therefore Internet Explorer refuses to accept cookies and the login fails.


Cause 3:

If the login is successful when using the IP address of the MailStore server, but not when using the host name, there may be a problem in the DNS.
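
A quick pre-check for Cause 2 and Cause 3, as an added example that is not part of the original article or of MailStore: it validates each label of the server name against the DNS hostname rules (which exclude underscores) and reports whether the name resolves. The function name and the host names are constructed placeholders.

```powershell
# Added example: pre-check a MailStore server name against Cause 2 and Cause 3.
# Function name and sample host names are hypothetical placeholders.
function Test-ArchiveHostName {
    param([Parameter(Mandatory)][string]$HostName)

    # Hostname label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
    $labelPattern = '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
    $badLabels = @($HostName.TrimEnd('.').Split('.') |
        Where-Object { $_ -notmatch $labelPattern })

    # Resolve the name the same way a client would; keep the error text if it fails.
    $addresses = @()
    $dnsError  = $null
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $dnsError = $_.Exception.Message
    }

    [pscustomobject]@{
        HostName      = $HostName
        HasUnderscore = $HostName.Contains('_')      # Cause 2
        InvalidLabels = $badLabels
        ValidDnsName  = ($badLabels.Count -eq 0)
        Resolves      = ($addresses.Count -gt 0)     # Cause 3
        Addresses     = $addresses
        DnsError      = $dnsError
    }
}

# Constructed sample names: the first fails the label check because of the underscore.
'mail_store.example.test', 'mailstore.example.test' |
    ForEach-Object { Test-ArchiveHostName $_ } | Format-List
```

Run it on the affected client, so that the result reflects that machine's DNS configuration.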


Cause 4:

If your company uses an HTTP proxy, please make sure that users bypass the proxy server when logging in to MailStore Web Access, because the proxy can cause problems with Windows authentication / single sign-on.

To set up this bypass in Internet Explorer, follow these steps:

  • Open Internet Options from the Tools (Extras) menu. If the menu is not visible, hold the Alt key.
  • Open Connections.
  • Click on LAN settings.
  • Click on Advanced in the Proxy Server section.
  • Add the IP address or the hostname of the MailStore server (depending on the configuration) to the list of exceptions.
  • Close all previously opened windows by pressing OK.

These settings can be centrally managed by an administrator via group policy and cannot be changed by the end user under certain conditions.



Windows-Authentication:


Cause 5:

Windows authentication only works when you use Active Directory services. Other types, such as LDAP Generic or Office 365, do not support Windows authentication.

Even if you synchronize your mail server with Active Directory and then synchronize MailStore with the mail server, Windows authentication will not work.


Cause 6:

The users synchronized in MailStore are no longer up-to-date.

In the MailStore Directory Service Settings, check if clicking on Test Settings displays all affected users as unmodified users.

If this is not the case and users are displayed under modified users or added users, run the synchronization to update those users in MailStore.
If an affected user appears under deleted users or does not appear at all, you must adjust your synchronization settings so that the user is captured by the synchronization process.

Users must be captured by the synchronization process in order for the logon to work permanently. If your users or their properties change more frequently, e.g. a user is moved to another organizational unit, you should perform the synchronization periodically and automatically. This can be done, for example, by a "Job" or, for some archiving profiles, before execution.


Cause 7:

If multiple MailStore users have the same LDAP DN string (Distinguished Name) in the properties, Windows authentication may not work.

If a user has been renamed within Active Directory, e.g. because of marriage, and the automatic deletion of users is not activated in the MailStore synchronization settings, the user is created again under a new name. However, the LDAP DN string is the same as that of the old user. In this case, the mapping between MailStore users and Active Directory users may fail, and the user cannot be authenticated.


Cause 8:

To enable Windows authentication in the Outlook add-in and in Internet Explorer, the appropriate functionality must be activated in the Internet options.

To enable Windows authentication, follow these steps:

  • Quit Outlook.
  • Open Internet Explorer, and then click on Internet Options in the Tools menu. If the menu is not visible, press the Alt key.
  • Select the Advanced tab.
  • In the Security section, activate Enable Integrated Windows Authentication.
  • Restart Internet Explorer.
  • Now start Outlook, select the MailStore tab, open the MailStore Outlook add-in Settings and click on the Clear Cached Credentials button.
  • Close the window, and then try again to connect the MailStore Outlook add-in to the MailStore server using Windows authentication.

These settings can be centrally managed by an administrator via group policy and cannot be changed by the end user under certain conditions.


Cause 9:

To enable Windows authentication in the Outlook add-in and in Internet Explorer, the server on which MailStore is installed must be assigned by Internet Explorer to the zone Local Intranet.

To make this assignment, proceed as follows:

  • Quit Outlook.
  • Open Internet Explorer, and then click on Internet Options in the Tools menu. If the menu is not visible, press the Alt key.
  • Select the Security tab.
  • Select the Local Intranet zone.
  • Select Sites -> Advanced and add the address of the MailStore server to the zone.
  • Restart Internet Explorer.
  • Go to the archive page.
  • Click on File -> Properties and check whether zone Local Intranet is set correctly.
  • Start Outlook.
  • Select the MailStore tab, then open the MailStore Outlook add-in Settings and click on the Clear Cached Credentials button.
  • Close the window, and then try again to connect the MailStore Outlook add-in to the MailStore server using Windows authentication.

These settings can be centrally managed by an administrator via group policy and cannot be changed by the end user under certain conditions.
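
The client settings behind Cause 4, Cause 8 and Cause 9 can also be read without clicking through the dialogs. The following is an added example for Windows PowerShell 5.1, not part of the original article or of MailStore; the function name and the URL are constructed placeholders, and treating a missing EnableNegotiate value as "enabled" is an assumption.

```powershell
# Added example (Windows PowerShell 5.1): read-only check of the per-user
# Internet Options behind Cause 4, Cause 8 and Cause 9.
# Function name and URL are hypothetical; pass your own MailStore address.
function Get-ArchiveClientSettings {
    param([Parameter(Mandatory)][uri]$ArchiveUrl)

    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie  = Get-ItemProperty -Path $key

    # Cause 9: security zone that Windows assigns to the address.
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($ArchiveUrl.AbsoluteUri).SecurityZone

    # Cause 4: does an entry in the proxy exception list cover the host?
    $exceptions = @("$($ie.ProxyOverride)".Split(';') | Where-Object { $_ })
    $bypassed = [bool]($exceptions | Where-Object {
        ($ArchiveUrl.Host -like $_) -or
        ($_ -eq '<local>' -and $ArchiveUrl.Host -notmatch '\.')
    })

    [pscustomobject]@{
        Host                  = $ArchiveUrl.Host
        Zone                  = $zone
        InLocalIntranet       = ($zone -eq [System.Security.SecurityZone]::Intranet)
        # Cause 8: a missing value is reported as enabled here (assumption).
        IntegratedAuthEnabled = ($ie.EnableNegotiate -ne 0)
        ProxyEnabled          = ($ie.ProxyEnable -eq 1)
        ProxyServer           = $ie.ProxyServer
        HostInProxyExceptions = $bypassed
    }
}

Get-ArchiveClientSettings -ArchiveUrl 'https://mailstore.example.test/' | Format-List
```

The script only reads the current user's settings; proxy values enforced by group policy may be stored elsewhere and are not covered by it.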


Cause 10:

If Windows authentication is used, the credentials are stored in the Windows Credential Manager. The information stored there may be invalid or incorrect, in which case logging on with these credentials fails. There may be Kerberos events with the ID 14 in the Windows event log.

  • Open the Run dialog by pressing the Windows key + R.
  • Enter "rundll32 keymgr.dll,KRShowKeyMgr" without quotes and confirm with the Enter key.
  • Remove any entries that might be used by MailStore.
  • Do not use the Control Panel > Logon Information Management to delete the entries because this dialog may not display incorrect entries.
  • If the user does not have permission to execute the above command, open an elevated command line as an administrator and run the runas /user:<domain>\<username> "rundll32 keymgr.dll,KRShowKeyMgr" command. Replace the placeholders <domain> and <username> with the values of the affected user.

Example
domain: testdom2
user: testuser01
command:
runas /user:testdom2\testuser01 "rundll32 keymgr.dll,KRShowKeyMgr"


Cause 11:

Windows authentication may use the Kerberos mechanism. In order for this mechanism to work, all systems involved must be correctly configured. These systems are the client, the MailStore Server, and the domain controller running the Key Distribution Center (KDC).

The system time on these systems must not differ by more than 5 minutes and the timezones must be configured correctly.

Common Kerberos errors are logged in the Windows system event log.

Specific unsuccessful login attempts are logged in the Windows security event log.
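
The checks from Cause 10 and Cause 11 can be collected in one pass: the time offset to a domain controller compared against the 5-minute limit, and the Kerberos entries in the System event log, including event ID 14. This is an added example, not part of the original article or of MailStore; the function name is hypothetical, and using the session's logon server as the default domain controller is an assumption.

```powershell
# Added example: Kerberos pre-checks for Cause 10 and Cause 11.
# Run on the client and on the MailStore server. $DomainController defaults to
# the logon server of the current session (assumption; pass another DC if needed).
function Get-KerberosTriage {
    param(
        [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', ''),
        [int]$MaxSkewSeconds = 300,   # the 5-minute limit stated above
        [int]$LookBackHours  = 24
    )

    # One time sample from the DC; the data line ends in e.g. "+00.0123456s".
    $sample = & w32tm /stripchart "/computer:$DomainController" /samples:1 /dataonly |
        Select-String -Pattern '([+-]\d+[.,]\d+)s\s*$' | Select-Object -Last 1
    $offset = $null
    if ($sample) {
        $text   = $sample.Matches[0].Groups[1].Value -replace ',', '.'
        $offset = [double]::Parse($text, [cultureinfo]::InvariantCulture)
    }

    # Kerberos entries in the System log within the look-back window.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; StartTime = (Get-Date).AddHours(-$LookBackHours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos*' })

    [pscustomobject]@{
        DomainController = $DomainController
        OffsetSeconds    = $offset          # $null if no sample could be taken
        SkewWithinLimit  = if ($null -ne $offset) {
                               [math]::Abs($offset) -le $MaxSkewSeconds
                           } else { $null }
        TimeZone         = [System.TimeZoneInfo]::Local.Id
        KerberosEvents   = $events | Group-Object Id | Select-Object Name, Count
        Event14Count     = @($events | Where-Object Id -eq 14).Count   # Cause 10
    }
}

Get-KerberosTriage | Format-List
```

Compare the TimeZone and OffsetSeconds values reported on the client and on the MailStore server; both should stay within the limit relative to the same domain controller.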


Cause 12:

The error "Authentication failed on the remote side (the stream might still be available for additional authentication attempts)." appears when using Windows authentication. To solve this problem, remove the computer on which MailStore Server is installed from the domain, and then join it to the domain again.


Cause 13:

The Windows authentication is only successful if the MailStore Server Service is running under the Local System account. This can be checked and corrected if necessary in the Windows Services or by running services.msc.


Miscellaneous:

If Windows authentication still does not work, the following steps can help to narrow down the issue:

  • Test the login with standard authentication. Enter the username without the domain and use the domain password of the user.
  • If the login with standard authentication works, the problem might lie in the connection between the client and the MailStore Server.
  • If the login with standard authentication does not work, the problem might lie in the connection between the MailStore Server and the Active Directory.




Article ID: KB201601270-EN (German version)
