It’s been a while since I was troubleshooting a prompt for credentials. The last time, I was happy to find the root cause and how to fix it (you can read about it here).
Besides security-related updates, some major design changes were also implemented, as described in more depth in KB3135145:
- Cloud Based Discovery
- UPN Enforcement for OrgID
- SIP Autodetection from Azure
Given the changes in combination with an existing OrgID and an on-premise infrastructure, I can see that the behavior of the client, when a transient error occurs, changed dramatically.
A typical transient error could occur when a user switches networks (e.g. moving from desk to meeting room). Normally a user will not quit Outlook and the Lync/SfB client when moving, so the clients will experience a network outage.
Since December’s update I have observed a different procedure when the Lync/SfB client experiences a transient error:
- due to the transient error, the DNS-less Cloud Based Discovery is triggered
- because an OrgID is discovered for the user, the client enforces UPN and no longer accepts the NTLM format
- because the user’s cached credentials are in a different format (DOMAIN\USER), the user gets the prompt for credentials
Luckily there is an option to control Cloud Based Discovery. All you need to do is add the registry value described in KB3135145 under the key for your client version:
For Lync 2013 (Skype for Business) client: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\15.0\Lync
For Skype for Business 2016 client: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\Lync
To disable the cloud-based discovery logic, run the following command to set the DisableCloudBasedDiscovery parameter as REG_DWORD to 1 (the command shown targets the 15.0 key; for the Skype for Business 2016 client, use the 16.0 path instead):
reg add HKLM\Software\Policies\Microsoft\Office\15.0\Lync /v DisableCloudBasedDiscovery /t REG_DWORD /d 1 /f
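As an added example (not from the original post or from KB3135145), the following PowerShell function reports the current state of DisableCloudBasedDiscovery under both client keys listed above and sets it to 1 where it is missing or different. The function name and its parameters are hypothetical; writing under HKLM requires an elevated prompt.

```powershell
# Added example: audit and optionally set DisableCloudBasedDiscovery for the
# two client keys listed in the post. Function and parameter names are hypothetical.
function Set-LyncCloudDiscoveryPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 15.0 = Lync 2013 (Skype for Business) client, 16.0 = Skype for Business 2016 client
        [string[]]$OfficeVersion = @('15.0', '16.0'),
        # Report only; change nothing
        [switch]$AuditOnly
    )

    $valueName = 'DisableCloudBasedDiscovery'

    foreach ($version in $OfficeVersion) {
        $path = "HKLM:\Software\Policies\Microsoft\Office\$version\Lync"

        # Read the current value; stays $null when the key or the value is missing
        $current = $null
        if (Test-Path -Path $path) {
            $current = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }

        # Compliant only when the value is a DWORD (returned as Int32) equal to 1
        $compliant = ($current -is [int]) -and ($current -eq 1)

        if (-not $compliant -and -not $AuditOnly) {
            if ($PSCmdlet.ShouldProcess("$path\$valueName", 'Set REG_DWORD to 1')) {
                if (-not (Test-Path -Path $path)) {
                    New-Item -Path $path -Force | Out-Null
                }
                # -Force overwrites an existing value, including one of the wrong type
                New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
                $current = 1
                $compliant = $true
            }
        }

        # One result object per client version, suitable for logging or export
        [pscustomobject]@{
            OfficeVersion = $version
            Path          = $path
            Value         = $current
            Compliant     = $compliant
        }
    }
}

# Report first; run without -AuditOnly (optionally with -WhatIf) to apply
Set-LyncCloudDiscoveryPolicy -AuditOnly
```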
The design changes should help to improve the end-user experience. Nevertheless, there are scenarios where this new behavior might not play well in combination with on-premise services and users having OrgIDs.