Looks like this is somehow an ongoing task:

Narrow down Outlook prompts for credentials. And it seems a new root cause comes into play each time. So like in the latest issue after I upgraded to Click-to-Run Office 2016. After my upgrade and on the first start I got immediately prompted for credentials. First thought was this is related to my machine or account. But my co-worker also got it and we could reproduce it constantly everytime you logon to the machine after a complete logoff.

Update June, 2017:

Good news that this particular issue is also fixed for Outlook 2013 already in October, 2016. Somehow I missed this one, but here it is:

You need to apply KB3118367.

Update September, 2016:

This issue is fixed and currently available in the September update in the First Released for Deferred channel:

https://technet.microsoft.com/en-us/office/mt465751

“Fix an issue where, when connecting to Exchange Server 2013 that is enabled for MAPI/HTTP, the user is prompted for credentials instead of being silently logged in with the user’s desktop credentials.”

The good news is that this is related to 2 consecutive failed requests. The bad news is, I found the same issue in Outlook 2013.

This was confirmed by the Outlook team and currently work on a fix for Outlook 2013 is ongoing.

We started analyzing the issue and tried to do a repro with Outlook 2013, but we couldn’t . Thus the question came up what is the difference between those version? ADAL was the first what came into my mind.

ADAL is enabled by default for Office 2016, while for Office 2013 you need to enable it by adding a registry key. You can find more information here:

Even with ADAL enabled on Office 2013 we didn’t get the prompt. But when we disabled ADAL on Office 2016 the issues was solved.

Fiddler

The next step was to take some traces with Fiddler in order to find the requests causing the prompt. We could see that there are two specific requests, which causes the prompt:

When Outlook 2016 starts it gathers the settings for Groups. What are Unified Groups? I encourage you to get information from fellow MVP Justin Harris (@ntexcellence) here:

As you can see Outlook sends directly an ADAL token to the on-premises Exchange server within those requests. As the on-premises Exchange server doesn’t support this authentication method an authtentication error occurs.

To be really on the safe side we added a little rule in Fiddler, which returns an error 404 on HTTP level in the area of OnBeforeResponse of FiddlerScript:

if (oSession.uriContains("exchange.asmx")) { var oBody = System.Text.Encoding.UTF8.GetString(oSession.requestBodyBytes); if (oBody.Contains("GetUnifiedGroupsSettings")) { oSession.responseCode = "404"; oSession["ui-color"] = "blue"; } }

And for sure no prompt occured!

Conclusion

We filed a case and the Outlook team confirmed that there is an issue. A hotfix is on the way. This was experienced with Outlook 2016 version 16.0.6001.1068.

As the scenarios and also the features are more and more complex there could be some unforeseen circumstances, which lead into user unfriendly experience.

Take this article maybe more as a How-To for analyzing issues like this with tools like Fiddler and mybe you suffer the same issue, which saves you some time of troubleshooting.