Windows Extended Protection


On 06.03.2023 Windows Extended Protection was enabled for Outlook connections. This prevents the encrypted connection from being broken, as happens, for example, in man-in-the-middle (MITM) attacks (https://en.wikipedia.org/wiki/Man-in-the-middle_attack).

If you have been receiving password prompts from Outlook ever since and are therefore having trouble connecting to our servers, please follow these steps:

  1. Restart Outlook or your computer
  2. Please check which virus scanner you are using
    If you use Bitdefender or Kaspersky as your virus scanner, please note the instructions for your product below
  3. Please check if your computer still uses NTLMv1

Possible reasons:

Antivirus software breaks the encrypted session

Your antivirus software breaks the encrypted connection to the Exchange server, typically because it scans encrypted traffic. Windows Extended Protection detects this and prevents you from logging on.

The following antivirus programs have known problems and solutions.

Kaspersky 

  • Click on the gear icon to open the settings.

  • Select "Threats and Exceptions" from the sidebar.

  • Click on "Specify trusted applications"

  • Select "Add" to specify the program path of Outlook.

    • C:\Program Files\Microsoft Office\root\Office16

  • Select "Do not scan encrypted traffic" in the "Exclusions for application" window.

  • Click "OK" and afterwards "Save" to save the settings.

Bitdefender

  • Select "Protection" in the navigation menu.
  • In the "Online Threat Prevention" section, click Settings.
  • Click on "Manage exceptions".
  • There, select "Add exception" and then enter "xmail.mwn.de".
  • Click the button next to "Online Threat Prevention".
  • Click Save to save the changes.
  • After that, close Outlook and restart it.


Your client uses NTLMv1

If you have added an exception to your anti-virus software and you continue to receive a password prompt, it is possible that your client is using the deprecated NTLMv1 authentication method. This is insecure and should no longer be used.

Check whether the following registry value exists:

Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

Registry value: LmCompatibilityLevel

If the value is not set, the system default is used. If the value is present, it must be set to 3 or higher (preferably 5). If it is less than 3, change it or delete the LmCompatibilityLevel value (not the Lsa key itself).
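
The registry check described above can be scripted. The following PowerShell is an added example, not part of the original instructions; the function names Get-LmCompatibilityStatus and Set-LmCompatibilityLevel are hypothetical, and changing the value requires an elevated session.

```powershell
# Added example. Levels 0-2 allow the client to send LM/NTLMv1 responses;
# levels 3-5 make the client send NTLMv2 responses only.
$LsaPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

function Get-LmCompatibilityStatus {
    param([string]$Path = $LsaPath, [int]$Minimum = 3)

    # Returns nothing (and no error) when the value does not exist.
    $prop = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{
            Present = $false; Level = $null; Ok = $true
            Note    = 'Value not set: the system default is used.'
        }
    }

    $level = [int]$prop.$ValueName
    $ok    = $level -ge $Minimum
    $note  = 'Value is 3 or higher: NTLMv2 responses are sent.'
    if (-not $ok) { $note = 'Value is below 3: NTLMv1 may be used. Raise or delete the value.' }

    [pscustomobject]@{ Present = $true; Level = $level; Ok = $ok; Note = $note }
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(3, 5)][int]$Level = 5, [string]$Path = $LsaPath)

    # Honors -WhatIf so the change can be previewed before it is written.
    if ($PSCmdlet.ShouldProcess("$Path\$ValueName", "Set to $Level")) {
        Set-ItemProperty -Path $Path -Name $ValueName -Value $Level -Type DWord
    }
}

Get-LmCompatibilityStatus | Format-List

# To remediate, preview first and then apply:
#   Set-LmCompatibilityLevel -Level 5 -WhatIf
#   Set-LmCompatibilityLevel -Level 5
```

On domain-joined machines the Group Policy setting "Network security: LAN Manager authentication level" writes this same value, so a manual change can be overwritten at the next policy refresh.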