The Lync client mysteriously prompts for Network Credentials, this had never happened and Proxy Server exceptions had been configured for all required URLs that Lync uses to connect to the Lync Server and Exchange Server.
After some investigation the popup only appears on Lync 2010 clients that have been updated to the latest cumulative update.
Lync Version 4.0.7577.4384 (No Authentication Popup)
Description of the cumulative update package for Lync 2010: April 2013
http://support.microsoft.com/kb/2815347/en-us
Lync Version 4.0.7577.4398 (Authentication prompt)
Description of the cumulative update package for Lync 2010: July 2013
http://support.microsoft.com/kb/2842627/en-us
Looking at the Support article shows there has been some updates to the Lync Client and some of the proxy authentication options
2861312 Can't join a meeting when proxy authentication is required in Lync 2010
2861319 Can’t join an audio or video conference when basic authentication for a proxy server is required in Lync 2010
2861325 Proxy authentication fails when you join a meeting created in a non-federated organization in Lync 2010
However this is unrelated to what the customer is experiencing, the popup is shown during Lync Signin process.
Using Fiddler we actually see a request going to the email domain which is something similar to this : email.contoso.com
If you know the process Lync uses to discover Exchange Web Services this would make sense, however we see no Authentication prompts for autodiscover.email.contoso.com which is the next URL that is tried in the Exchange Autodiscover process.
Why is the behavior different for both URLs?
email.contoso.com has the proxy authentication problem
autodiscover.email.contoso.com does not have the proxy authentication problem.
*.contoso.com has been configured as exceptions in the Proxy Configuration for Internet Explorer so it should have the same effect on both URLs
Doing further investigation shows that email.contoso.com does not resolve to an IP Address but autodiscover.email.contoso.com does resolve to an IP Address. So this makes me conclude that whenever there is no resolving of the URL it is forwarded to the Proxy and then Authentication must be performed.
Configuring email.constoso.com to a valid IP in the HOSTS file on the Client Machine proves my conclusion and the Client no longer prompts for authentication.
I wonder in how many organizations that the email domain resolves to an IP Address?
In my oppinion the Exchange Autodiscover process is broken in Lync because it also ignores to check the Service Connection Point (SCP) in Active Directory like Outlook does and in most cases the customers have to make changes to either DNS or Certificates on Exchange when adding Lync to their application stack.
Solution:
Make sure you understand the autodiscover process Lync uses for Exchange Web Services and make sure that all requests made by the lync client resolve to an IP address in order to avoid forwarding the a Proxy Server.
Update 25/10/2013: The latest update (Okt 2013) still has the Authentication Popup issue
Lync Version 4.0.7577.4409 (No Authentication Popup)
Description of the cumulative update package for Lync 2010: October 2013
http://support.microsoft.com/kb/2884632/en-us
