Microsoft Exchnage Outlook 2010 Authentication Failed Mac
- Outlook Express Email
- Microsoft Exchange Outlook 2010 Setup
- Microsoft Exchange Outlook 2010
- Microsoft Exchange Outlook 2010 Authentication Failed Mac Os
- Connect To Microsoft Exchange Outlook 2010
- Microsoft Exchange Outlook
- Microsoft Exchange Outlook 2010 Authentication Failed Mac Os
- Feb 11, 2020 When you disable Basic authentication for users in Exchange Online, their email clients and apps must support modern authentication. Those clients are: Outlook 2013 or later (Outlook 2013 requires a registry key change) Outlook 2016 for Mac or later.
- This article provides instructions about configuring Outlook® 2010 email client to work with your Microsoft® Exchange® 2010 mailbox. Note: We recommend that customers on Exchange 2010 update to a later Exchange version or to our Office 365® offering. Click the Windows® Start button, select Control Panel, and then select the Mail icon.
Jan 25, 2017 Have you experienced on MAC that Outlook Exchange server constantly shows you 'Authentication failed' for OutlookOffice365? Here is work around to fix Outlook Exchange office 365 login failure. In Microsoft Outlook 2016 for Mac, you are repeatedly prompted for authentication while you're connected to your Office 365 account. This issue occurs because of the presence of duplicate tokens in the keychain. To resolve this issue in Outlook 2016 for Mac, install the February 2017 Outlook update (version 15.31.0) from the.
Summary
This article describes configuration requirements for Modern Authentication after a transition from Microsoft Office 365 dedicated/ITAR to vNext, depending on Outlook version.
More Information
The configuration requirements vary, depending on the Outlook version. The following table outlines the requirements and includes links to related articles.
Outlook version | Modern auth support | EnableADAL reg key required | AlwaysUseMSOAuthForAutodiscover reg key required | MAPI/HTTP required(remove any blocks currently) |
---|---|---|---|---|
Outlook 2016 | Yes | No | Yes | Yes |
Outlook 2013 | Yes | Yes | Yes | Yes |
Outlook 2010 | No | Not available | Not available | Not available |
Important Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restorationin case problems occur.
Outlook 2010
- Modern Authentication is not supported.
- Users use Basic Authentication and may be prompted multiple times for credentials.
Outlook 2013
Modern Authentication is not enabled by default.
Modern Authentication can be set by using the following registry subkeys. To do that, set the DWORD value to 1.
HKCUSOFTWAREMicrosoftOffice15.0CommonIdentityEnableADAL
HKCUSOFTWAREMicrosoftOffice15.0CommonIdentityVersion
For more information, see Enable Modern Authentication for Office 2013 on Windows devices.
Recommend that users force Outlook to use Modern Authentication. To do that, set the DWORD value of the following registry key to 1.
HKEY_CURRENT_USERSoftwareMicrosoftExchangeAlwaysUseMSOAuthForAutoDiscover
Outlook 2016
Modern Authentication is enabled by default.
Recommend that users force Outlook to use Modern Authentication. To do that, set the DWORD value of the following registry key to 1.
HKEY_CURRENT_USERSoftwareMicrosoftExchangeAlwaysUseMSOAuthForAutoDiscover
For more information, see KB 3126599 - Outlook prompts for password when Modern Authentication is enabled.
MAPI/HTTP cannot be disabled. For more information, see KB 2937684 - Outlook 2010, 2013, or 2016 may not connect using MAPI over HTTPs as expected.
Skype for Business or Lync 2013
Recommend that users enable Modern Authentication after the Skype migration is completed.
Recommend that users enable the following registry keys if you use Modern Authentication for Exchange. To do that, set the DWORD value to 1.
HKEY_CURRENT_USERSoftwarePoliciesMicrosoftOffice15.0Lync AllowAdalForNonLyncIndependentOfLync
HKEY_CURRENT_USERSoftwarePoliciesMicrosoftOffice16.0Lync AllowAdalForNonLyncIndependentOfLync
Note
If you've enabled security defaults in your organization, Basic authentication is already disabled in Exchange Online. For more information, see What are security defaults?.
Basic authentication in Exchange Online uses a username and a password for client access requests. Blocking Basic authentication can help protect your Exchange Online organization from brute force or password spray attacks. When you disable Basic authentication for users in Exchange Online, their email clients and apps must support modern authentication. Those clients are:
Outlook 2013 or later (Outlook 2013 requires a registry key change)
Outlook 2016 for Mac or later
Outlook for iOS and Android
Mail for iOS 11.3.1 or later
If your organization has no legacy email clients, you can use authentication policies in Exchange Online to disable Basic authentication requests, which forces all client access requests to use modern authentication. For more information about modern authentication, see Using Office 365 modern authentication with Office clients.
This topic explains how Basic authentication is used and blocked in Exchange Online, and the corresponding procedures for authentication policies.
How Basic authentication works in Exchange Online
Basic authentication is also known as proxy authentication because the email client transmits the username and password to Exchange Online, and Exchange Online forwards or proxies the credentials to an authoritative identity provider (IdP) on behalf of the email client or app. The IdP depends your organization's authentication model:
Cloud authentication: The IdP is Azure Active Directory.
Federated authentication: The IdP is an on-premises solution like Active Directory Federation Services (AD FS).
These authentication models are described in the following sections.
Cloud authentication
Outlook Express Email
The steps in cloud authentication are described in the following diagram:
The email client sends the username and password to Exchange Online.
Note: When Basic authentication is blocked, it's blocked at this step.
Exchange Online sends the username and password to Azure Active Directory.
Azure Active Directory returns a user ticket to Exchange Online and the user is authenticated.
Federated authentication
The steps in federated authentication are described in the following diagram:
The email client sends the username and password to Exchange Online.
Note: When Basic authentication is blocked, it's blocked at this step.
Exchange Online sends the username and password to the on-premises IdP.
Exchange Online receives a Security Assertion Markup Language (SAML) token from the on-premises IdP.
Exchange Online sends the SAML token to Azure Active Directory.
Azure Active Directory returns a user ticket to Exchange Online and the user is authenticated.
How Basic authentication is blocked in Exchange Online
You block Basic authentication in Exchange Online by creating and assigning authentication policies to individual users. The policies define the client protocols where Basic authentication is blocked, and assigning the policy to one or more users blocks their Basic authentication requests for the specified protocols.
When it's blocked, Basic authentication in Exchange Online is blocked at the first pre-authentication step (Step 1 in the previous diagrams) before the request reaches Azure Active Directory or the on-premises IdP. The benefit of this approach is brute force or password spray attacks won't reach the IdP (which might trigger account lock-outs due to incorrect login attempts).
Because authentication policies operate at the user level, Exchange Online can only block Basic authentication requests for users that exist in the cloud organization. For federated authentication, if a user doesn't exist in Exchange Online, the username and password are forwarded to the on-premises IdP. For example, consider the following scenario:
An organization has the federated domain contoso.com and uses on-premises AD FS for authentication.
The user ian@contoso.com exists in the on-premises organization, but not in Office 365 (there's no user account in Azure Active Directory and no recipient object in the Exchange Online global address list).
An email client sends a login request to Exchange Online with the username ian@contoso.com. An authentication policy can't be applied to the user, and the authentication request for ian@contoso.com is sent to the on-premises AD FS.
The on-premises AD FS can either accept or reject the authentication request for ian@contoso.com. If the request is accepted, a SAML token is returned to Exchange Online. As long as the SAML token's ImmutableId value matches a user in Azure Active Directory, Azure AD will issue a user ticket to Exchange Online (the ImmutableId value is set during Azure Active Directory Connect setup).
In this scenario, if contoso.com uses on-premises AD FS server for authentication, the on-premises AD FS server will still receive authentication requests for non-existent usernames from Exchange Online during a password spray attack.
Authentication policy procedures in Exchange Online
You manage all aspects of authentication policies in Exchange Online PowerShell. The protocols and services in Exchange Online that you can block Basic authentication for are described in the following table.
Protocol or service | Description | Parameter name |
---|---|---|
Exchange Active Sync (EAS) | Used by some email clients on mobile devices. | AllowBasicAuthActiveSync |
Autodiscover | Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online | AllowBasicAuthAutodiscover |
IMAP4 | Used by IMAP email clients. | AllowBasicAuthImap |
MAPI over HTTP (MAPI/HTTP) | Used by Outlook 2010 and later. | AllowBasicAuthMapi |
Offline Address Book (OAB) | A copy of address list collections that are downloaded and used by Outlook. | AllowBasicAuthOfflineAddressBook |
Outlook Service | Used by the Mail and Calendar app for Windows 10. | AllowBasicAuthOutlookService |
POP3 | Used by POP email clients. | AllowBasicAuthPop |
Reporting Web Services | Used to retrieve report data in Exchange Online. | AllowBasicAuthReportingWebServices |
Outlook Anywhere (RPC over HTTP) | Used by Outlook 2016 and earlier. | AllowBasicAuthRpc |
Authenticated SMTP | Used by POP and IMAP client's to send email messages. | AllowBasicAuthSmtp |
Exchange Web Services (EWS) | A programming interface that's used by Outlook, Outlook for Mac, and third-party apps. | AllowBasicAuthWebServices |
PowerShell | Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication. | AllowBasicAuthPowerShell |
Typically, when you block Basic authentication for a user, we recommend that you block Basic authentication for all protocols. However, you can use the AllowBasicAuth* parameters (switches) on the New-AuthenticationPolicy and Set-AuthenticationPolicy cmdlets to selectively allow or block Basic authentication for specific protocols.
For email clients and apps that don't support modern authentication, you need to allow Basic authentication for the protocols and services that they require. These protocols and services are described in the following table:
Client | Protocols and services |
---|---|
Older EWS clients | • Autodiscover • EWS |
Older ActiveSync clients | • Autodiscover • ActiveSync |
POP clients | • POP3 • Authenticated SMTP |
IMAP clients | • IMAP4 • Authenticated SMTP |
Outlook 2010 | • Autodiscover • MAPI over HTTP • Offline Address Book • Outlook Anywhere (RPC over HTTP) • Exchange Web Services (EWS) |
Note
Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.
What do you need to know before you begin?
Verify that modern authentication is enabled in your Exchange Online organization (it's enabled by default). For more information, see Enable or disable modern authentication in Exchange Online.
Verify your email clients and apps support modern authentication (see the list at the beginning of the topic). Also, verify that your Outlook desktop clients are running the minimum required cumulative updates. For more information, see Outlook Updates.
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Create and apply authentication policies
The steps to create and apply authentication policies to block Basic authentication in Exchange Online are:
Create the authentication policy.
Assign the authentication policy to users.
Wait 24 hours for the policy to be applied to users, or force the policy to be immediately applied.
These steps are described in the following sections.
Step 1: Create the authentication policy
To create a policy that blocks Basic authentication for all available client protocols in Exchange Online (the recommended configuration), use the following syntax:
This example creates an authentication policy named Block Basic Auth.
For detailed syntax and parameter information, see New-AuthenticationPolicy.
Notes:
You can't change the name of the policy after you create it (the Name parameter isn't available on the Set-AuthenticationPolicy cmdlet).
To enable Basic authentication for specific protocols in the policy, see the Modify authentication policies section later in this topic. The same protocol settings are available on the New-AuthenticationPolicy and Set-AuthenticationPolicy cmdlets, and the steps to enable Basic authentication for specific protocols are the same for both cmdlets.
Step 2: Assign the authentication policy to users
The methods that you can use to assign authentication policies to users are described in this section:
Individual user accounts: Use the following syntax:
This example assigns the policy named Block Basic Auth to the user account laura@contoso.com.
Filter user accounts by attributes: This method requires that the user accounts all share a unique filterable attribute (for example, Title or Department) that you can use to identify the users. The syntax uses the following commands (two to identify the user accounts, and the other to apply the policy to those users):
This example assigns the policy named Block Basic Auth to all user accounts whose Title attribute contains the value 'Sales Associate'.
Sep 11, 2006 Excel is a spreadsheet, and exists in a Mac version (in fact, the Mac version predates the Windows version). Do you instead mean Microsoft Access? If so, there's no direct equivalent, but there are a number of Mac databases, including Filemaker Pro (probably the most popular), OpenBase, MySQL, FrontBase and others. May 22, 2017 Apple's alternative to Office is iWork. It's the most comparable alternative to Microsoft's productivity suite, only it comes free with every Mac. The interface is different, and will take some time to get used to, but if you're really interested in kicking Office to the curb, the iWork suite is the best alternative on Mac. Jul 16, 2019 Full list of the top Spreadsheet Software apps that are similar to Microsoft Excel 2016, including Apple Numbers, Tables, XLSTAT (Mac), QI Macros, Multiple Regression Analysis and Forecasting, PDF. Mar 19, 2020 In the Mac keyboard the function keys (on laptop Keyboard) set various items like Brightness Sound Dashboard. For Function keys act as True keys you must use the Fn Key or you can go to Keyboard Control panel and set as shown here. There are many alternatives to Microsoft Office Excel for Mac if you are looking to replace it. The most popular Mac alternative is LibreOffice - Calc, which is both free and Open Source. If that doesn't suit you, our users have ranked more than 50 alternatives to Microsoft Office Excel and many of them are available for Mac so hopefully you can find a suitable replacement.
Use a list of specific user accounts: This method requires a text file to identify the user accounts. Values that don't contain spaces (for example, the Office 365 work or school account) work best. The text file must contain one user account on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.comThe syntax uses the following two commands (one to identify the user accounts, and the other to apply the policy to those users):
This example assigns the policy named Block Basic Auth to the user accounts specified in the file C:My DocumentsBlockBasicAuth.txt.
Filter on-premises Active Directory user accounts that are synchronized to Exchange Online: For details, see the Filter on-premises Active Directory user accounts that are synchronized to Exchange Online section in this topic.
Note
To remove the policy assignment from users, use the value $null
for the AuthenticationPolicy parameter on the Set-User cmdlet.
Step 3: (Optional) Immediately apply the authentication policy to users
By default, when you create or change the authentication policy assignment on users or update the policy, the changes take effect within 24 hours. If you want the policy to take effect within 30 minutes, use the following syntax:
This example immediately applies the authentication policy to the user laura@contoso.com.
This example immediately applies the authentication policy to multiple users that were previously identified by filterable attributes or a text file. This example works if you're still in the same PowerShell session and you haven't changed the variables you used to identify the users (you didn't use the same variable name afterwards for some other purpose). For example:
or
View authentication policies
To view a summary list of the names of all existing authentication policies, run the following command:
To view detailed information about a specific authentication policy, use this syntax:
This example returns detailed information about the policy named Block Basic Auth.
For detailed syntax and parameter information, see Get-AuthenticationPolicy.
Modify authentication policies
By default, when you create a new authentication policy without specifying any protocols, Basic authentication is blocked for all client protocols in Exchange Online. In other words, the default value of the AllowBasicAuth* parameters (switches) is False
for all protocols.
To enable Basic authentication for a specific protocol that's disabled, specify the switch without a value.
To disable Basic authentication for a specific protocol that's enabled, you can only use the value
:$false
.
You can use the Get-AuthenticationPolicy cmdlet to see the current status of the AllowBasicAuth* switches in the policy.
This example enables basic authentication for the POP3 protocol and disables basic authentication for the IMAP4 protocol in the existing authentication policy named Block Basic Auth.
For detailed syntax and parameter information, see Set-AuthenticationPolicy.
Configure the default authentication policy
The default authentication policy is assigned to all users who don't already have a specific policy assigned to them. Note that the authentication policies assigned to users take precedence to the default policy. To configure the default authentication policy for the organization, use this syntax:
This example configures the authentication policy named Block Basic Auth as the default policy.
Note
To remove the default authentication policy designation, use the value $null
for the DefaultAuthenticationPolicy parameter.
Remove authentication policies
To remove an existing authentication policy, use this syntax:
This example removes the policy named Test Auth Policy.
For detailed syntax and parameter information, see Remove-AuthenticationPolicy.
How do you know that you've successfully disabled Basic authentication in Exchange Online?
To confirm that the authentication policy was applied to users:
Run the following command to find the distinguished name (DN) value of the authentication policy:
Use the DN value of the authentication policy in the following command:
For example:
Microsoft Exchange Outlook 2010 Setup
When an authentication policy blocks Basic authentication requests from a specific user for a specific protocol in Exchange Online, the response is 401 Unauthorized
. No additional information is returned to the client to avoid leaking any additional information about the blocked user. An example of the response looks like this:
Filter on-premises Active Directory user accounts that are synchronized to Exchange Online
This method uses one specific attribute as a filter for on-premises Active Directory group members that will be synchronized with Exchange Online. This method allows you to disable legacy protocols for specific groups without affecting the entire organization.
Throughout this example, we'll use the Department attribute, because it's a common attributes that identifies users based on their department and role. To see all Active Directory user extended properties, go to Active Directory: Get-ADUser Default and Extended Properties.
Step 1: Find the Active Directory users and set the Active Directory user attributes
Get the members of an Active Directory group
These steps require the Active Directory module for Windows PowerShell. To install this module on your PC, you need to download and install the Remote Server Administration Tools (RSAT).
Run the following command in Active Directory PowerShell to return all groups in Active Directory:
After you get the list of groups, you can query which users belong to those groups and create a list based on any of their attributes. We recommend using the objectGuid attribute because the value is unique for each user.
This example returns the objectGuid attribute value for the members of the group named Developers.
Set the filterable user attribute
After you identify the Active Directory group that contains the users, you need to set the attribute value that will be synchronized with Exchange Online to filter users (and ultimately disable Basic authentication for them).
Use the following syntax in Active Directory PowerShell to configure the attribute value for the members of the group that you identified in the previous step. The first command identifies the group members based on their objectGuid attribute value. The second command assigns the Department attribute value to the group members.
This example sets the Department attribute to the value 'Developer' for users that belong to the group named 'Developers'.
Use the following syntax in Active Directory PowerShell to verify the attribute was applied to the user accounts (now or in the past):
This example returns all user accounts with the value 'Developer' for the Department attribute.
Microsoft Exchange Outlook 2010
Step 2: Disable legacy authentication in Exchange Online
Note
The attribute values for on-premises users are synchronized to Exchange Online only for users that have a valid Exchange Online license. For more information, see Assign licenses to users in Office 365 for business.
Microsoft Exchange Outlook 2010 Authentication Failed Mac Os
The Exchange Online PowerShell syntax uses the following commands (two to identify the user accounts, and the other to apply the policy to those users):
This example assigns the policy named Block Basic Auth to all synchronized user accounts whose Department attribute contains the value 'Developer'.
Connect To Microsoft Exchange Outlook 2010
If you connect to Exchange Online PowerShell in an Active Directory PowerShell session, you can use the following syntax to apply the policy to all members of an Active Directory group.
This example creates a new authentication policy named Marketing Policy that disables Basic authentication for members of the Active Directory group named Marketing Department for ActiveSync, POP3, authenticated SMTP, and IMAP4 clients.
Microsoft Exchange Outlook
Note
Microsoft Exchange Outlook 2010 Authentication Failed Mac Os
A known limitation in Active Directory PowerShell prevents the Get-AdGroupMember cmdlet from returning more than 5000 results. Therefore, the following example only works for Active Directory groups that have less than 5000 members.