Outlook's Credential Prompts when access exchange online archives

Have you ever encountered a frustrating issue while trying to access your in Outlook, where you are prompted to enter your credentials repeatedly? My team faced this issue recently across multiple Exchange online users, and it caused a lot of disruptions to work. After researching the problem, this issue occurs due to a specific Autodiscover call for the Archive Mailbox, which is going to the 'Root Domain.'

A third-party server answers the 'Root Domain' call, and it should not be returning a 401 for Autodiscover calls. This caused Outlook to believe that it needed to authenticate, and as a result, it ended up prompting me after the cached credentials failed.

We analyzed the problem by collecting data from my Outlook Advanced Logs and Fiddler Traces. This showed that the Root Domain call was causing the issue and that it was an expected Outlook behavior.

Next, I deployed the 'ExcludeHttpsRootDomain' Registry Key on a machine. This prevented the Basic Auth looking prompt and allowed Outlook to avoid the Root Domain call altogether. After relaunching Outlook, the issue was resolved, and the Autodiscover calls for the Primary and Archive mailboxes were successful.

Microsoft later recognized the issue being caused for multiple customers and suggested the fix we deployed was correct. In conclusion, if you are facing a similar issue with Outlook credential prompts for archive mailboxes, you can follow this multi-step process to resolve it. Start by analyzing the problem and collecting data from your Outlook Advanced Logs and Fiddler Traces.

Issue Some users are having issues with Credential Prompts for Archive Mailboxes in Outlook Analysis - We collected data from an affected user including Outlook Advanced Logs and Fiddler Traces - This showed us the prompting is coming from specific Autodiscover calls for the Archive Mailbox which is going to the ‘Root Domain’: POST https://<Domain here>/autodiscover/autodiscover.xml 401 Authorization Required (text/html) - The Root Domain call is answered by a 3rd party server and should not be returning a 401 for Autodiscover calls: Server: IdeaWebServer/5.1.0 - Since the server is retuning a 401 instead of a 500 or other hard failure, Outlook believes it needs to authenticate and ends up prompting after the cached credentials all fail - This ‘Root Domain’ call is By Design Outlook behavior - This Authentication Failure state is due to the Basic Authentication prompt which prevents proper Authentication using Modern Authentication for all subsequent connections, not just the Autodiscover call - Outlook shows a ‘Need Password’ indicator at the bottom of the screen and clicking this allows Modern Authentication to proceed again - That resolves the disconnected state, and the Primary and Archive connections succeed as expected - We deployed the ‘ExcludeHttpsRootDomain’ Registry Key on the affected client machine, relaunched Outlook and the issue was resolved: https://learn.microsoft.com/en-us/outlook/troubleshoot/profiles-and-accounts/unexpected-autodiscover-behavior - This prevented the Basic Auth prompting and allowed Outlook to avoid the Root Domain call altogether as it is not expected to succeed on this environment - A Fiddler trace after the change showed us the Autodiscover calls for the Primary and Archive mailboxes were then successful and no issue with the connectivity