The Problem
Lync password prompts when connecting over Edge server : “Lync needs your user name and password to connect for retrieving calendar data from Outlook”

No matter what credentials you type it wont accept. The effect is that your call history and voice mail is un-populated.

Testing this from internally works, looking at the configuration information you see that the EWS connection data is missing as below:

Why is this happening?

When the Lync client signs in, it also attempts to retrieve availability data via Exchange Web Services. It does so via the Autodiscover functionality built into Exchange.

Lync Communicator will issue SOAP requests (over HTTPS) to the published Autodiscover server, who returns the URLs for the Microsoft Exchange Client Access Server(s) that will feed the availability data back to Lync Communicator.

The additional prompt for authentication comes from Communicator being hard-wired to authenticate using NTLM. When IIS (on the Exchange CAS machines) returns it’s WWW-Authenticate headers, it does so in the form of:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

When Communicator attempts to negotiate authentication using your cached credentials (over the Internet), it will fail with a “401.2 Unauthorized”, and subsequently prompt you for authentication as above. 

If we force NTLM from either the client side or the server side, we eliminate these additional prompts for credentials.

How do we do that?

Client side

From Internet Explorer – Tools, Internet Options, Advanced, scroll down to the “Security” section, un-check “Enable Integrated Windows Authentication”, you should no longer receive the additional authentication prompt from Lync

Server Side

I prefer the server side fix as it solves the problem for everyone in a single swoop
In this fix we are instructing IIS on the Exchange CAS server(s) to offer NTLM as the first authentication provider (with Negotiate as the fallback provider) in the WWW-Authenticate header.

On the CAS Server do the following:

  • Open the IISmanager
  • expand the Default Web site
  • Select EWS and Autodicover and click on authentication 
  • Select Windows Authentication
  • on the right hand pane select ” providers”
  • Move the “NTLM” to the top
  • Click ok
  • Close IIS manager
  • open command prompt
  • type “iisreset /noforce”
  • make sure IIS admin service and WWW services are started.
That sorted it for me.
Just a side note about the TMG rules. I have changed the TMG rule for EWS from Basic authentication to “No authentication, but client can authenticate directly” and added “All users” to the users allowed to authenticate.

I did have one final prompt for credentials, probably cause the cache had been altered by my endless testing, but this time adding my credentials was successful.