Manage Learn to apply best practices and optimize your operations.

How to fix repeated Outlook password prompts and make end users happy

When Outlook keeps asking for password verification, the problem is almost always a configuration issue. However, there's an easy fix.

One of the most annoying Exchange-related problems for end users is when Outlook keeps prompting them for a password....

In Outlook 2007, a bug caused this problem. However, there's no known bug that causes Outlook 2013 to do this. Here are some possible causes for the persistent Outlook 2013 password prompt and some ways to fix it.

When you connect Outlook 2013 to an Exchange Server 2013 mailbox for the first time, Outlook will ask for a password. This is especially true in situations where Outlook is connected to a mailbox residing on Office 365. When this occurs, the password prompt dialog box contains a checkbox users can select to force Outlook to remember their credentials. If this checkbox is selected, users won't see the password prompt again until the next time they change their password. When the Outlook password prompt appears again, end users can enter the new password and once again select the checkbox to force Outlook to remember it.

If this procedure doesn't correct the problem, the issue with the Outlook password prompt is probably related to an improper Global Catalog server registration. Before I explain how to check for and resolve this issue, I'll point out that this procedure is written for Exchange Server 2013. It can easily be adapted to earlier versions of Exchange, but depending on the Windows and Exchange versions in use, you may have to install the Windows Server Support Tools.

Exchange Server uses a service principal name to identify a specific instance of a service. Kerberos authentication is impossible unless the service principal names are correctly configured. Exchange uses a number of service principal names that are correctly registered -- in most cases. However, the server to which some specific service principal names are registered must be a Global Catalog server. These service principal names will occasionally be registered to an Exchange Server. If that Exchange Server is not also a Global Catalog server --and it usually isn't -- Kerberos authentication for the corresponding services breaks down.

One of the most annoying Exchange-related problems for end users is when Outlook keeps prompting them for a password.

Fortunately, this problem is usually easy to correct. The service principal name you must examine is called ExchangeAB. There are two separate ExchangeAB listings: one is connected to your Exchange Server's host name and the other is connected to your Exchange Server's fully qualified domain name (FQDN). For example, my lab server is named As such, my two ExchangeAB listings are:



The first step in resolving the Outlook password prompt issue is to open an elevated command prompt window on your mailbox server and enter the SETSPN –L command followed by the name of your Exchange Server (Figure 1).

Use the SETSPN –L command to list the registered service principal names.

There are two things to look for in this screen: Make sure the ExchangeAB entries exist and ensure that they list the correct host name and fully qualified domain name. The exception to this would be in a clustered environment where these entries would need to reference the cluster's identity rather than specific cluster nodes.

Once you've confirmed the ExchangeAB entries, you'll have to determine the Global Catalog server name. To do so, open PowerShell on a domain controller and use the following command to determine the names of your global catalog servers (Figure 2):

Get-ADForest <forest name> | FL GlobalCatalogs

Use the Get-ADForest cmdlet to determine the names of your global catalog servers.

The last step is to remove the existing service principal name registrations and reregister them using your Global Catalog server. If the Exchange server's FQDN is and the Global Catalog server's FQDN is, you can use these commands to perform the deregistration:

Setspn –D exchangeAB/Lab15E2K13 Lab15E2K13
Setspn –D exchangeAB/ Lab15E2K13

You can then reregister the servers using these commands:

Setspn –A exchangeAB/Lab15DC Lab15DC
Setspn –A exchangeAB/ Lab15DC

These techniques should correct most instances when the Outlook 2013 password prompt is constant. If you continue having trouble resolving the issue, make sure your external DNS entries are correct and your Autodiscover service is properly configured.

Another possible Outlook password fix

Users may find Outlook keeps asking for a password each time an email is sent, which can happen if Outlook has not been set up to save user passwords.

When Outlook is connected to a POP3 account, if the option to save the user's password is not selected, then Outlook will request the password each time the user sends a message. Open the Control Panel and use the Mail option to make the fix to the Outlook profile.

Next Steps

Four reasons why an Outlook password won't stick

How to correct five common Outlook problems

When Outlook won't connect, there are a few ways to repair it 

This was last published in October 2013

Dig Deeper on Outlook management

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What are some methods you've used to correct Outlook or Outlook Web Access email issues?
Will you see the exchangeAB records on mailbox servers that do not have the CAS role also?

I have followed the instructions above for an exchange 2016 install but, have a question. The last step of registering the exchangeAB is against the DC/GC and leaves these records missing from the mail server. Is this intentional? After these changes should the exchangeAB records be missing from the mail server as the reregister is again, against the DC and not the mail server?
You left off one reason that I just got hit with: a virus/Trojan.
I had my Outlook connected to MS  Seconds after typing in my password into the dialog box, I got an email from Microsoft on another account alerting me to "Unusual Signin activity".  Someone from Europe (according to the IP address) was trying to get into my account.