After Upgrade to CU9 is impossible to allow Authenticated Email from FSRM and WSUS

Hello,

the problem happens after you update to CU9 from CU8: authenticated emails from computer running WSUS and File Server Resource Manager (that autenticate using the computer account) are not running anymore. Before they was running.

This is the debug of the SMTP conversation AT THE CU8 -- RUNNING

2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,0,10.0.0.2:25,10.0.0.1:51258,+,,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,1,10.0.0.2:25,10.0.0.1:51258,*,None,Set Session Permissions
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,2,10.0.0.2:25,10.0.0.1:51258,>,"220 ITMILEX999.contoso.com Microsoft ESMTP MAIL Service ready at Tue, 23 Jun 2015 08:11:38 +0200",
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,3,10.0.0.2:25,10.0.0.1:51258,<,EHLO ITMILDC999,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,4,10.0.0.2:25,10.0.0.1:51258,*,None,Set Session Permissions
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,5,10.0.0.2:25,10.0.0.1:51258,>,250-ITMILEX999.contoso.com Hello [10.0.0.1],
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,6,10.0.0.2:25,10.0.0.1:51258,>,250-SIZE,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,7,10.0.0.2:25,10.0.0.1:51258,>,250-PIPELINING,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,8,10.0.0.2:25,10.0.0.1:51258,>,250-DSN,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,9,10.0.0.2:25,10.0.0.1:51258,>,250-ENHANCEDSTATUSCODES,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,10,10.0.0.2:25,10.0.0.1:51258,>,250-AUTH NTLM,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,11,10.0.0.2:25,10.0.0.1:51258,>,250-8BITMIME,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,12,10.0.0.2:25,10.0.0.1:51258,>,250-BINARYMIME,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,13,10.0.0.2:25,10.0.0.1:51258,>,250 CHUNKING,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,14,10.0.0.2:25,10.0.0.1:51258,<,AUTH ntlm,
2015-06-23T06:11:39.435Z,ITMILEX999\Internal,08D27B82C2B20D7C,15,10.0.0.2:25,10.0.0.1:51258,>,334 <authentication response>,
2015-06-23T06:11:39.481Z,ITMILEX999\Internal,08D27B82C2B20D7C,16,10.0.0.2:25,10.0.0.1:51258,*,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
2015-06-23T06:11:39.481Z,ITMILEX999\Internal,08D27B82C2B20D7C,17,10.0.0.2:25,10.0.0.1:51258,*,CONTOSO\ITMILDC999$,authenticated
2015-06-23T06:11:39.513Z,ITMILEX999\Internal,08D27B82C2B20D7C,18,10.0.0.2:25,10.0.0.1:51258,*,,Proxy session was successfully set up. Outbound session will now be proxied
2015-06-23T06:11:39.513Z,ITMILEX999\Internal,08D27B82C2B20D7C,19,10.0.0.2:25,10.0.0.1:51258,>,235 2.7.0 Authentication successful,
2015-06-23T06:11:39.763Z,ITMILEX999\Internal,08D27B82C2B20D7C,20,10.0.0.2:25,10.0.0.1:51258,-,,Local

This is the debug after upgrading to CU9 -- BROKEN

2015-06-23T07:34:12.165Z,ITMILEX999\Internal,08D27B9E1BAF1B57,0,10.0.0.2:25,10.0.0.1:51489,+,,
2015-06-23T07:34:12.165Z,ITMILEX999\Internal,08D27B9E1BAF1B57,1,10.0.0.2:25,10.0.0.1:51489,*,None,Set Session Permissions
2015-06-23T07:34:12.196Z,ITMILEX999\Internal,08D27B9E1BAF1B57,2,10.0.0.2:25,10.0.0.1:51489,>,"220 ITMILEX999.contoso.com Microsoft ESMTP MAIL Service ready at Tue, 23 Jun 2015 09:34:11 +0200",
2015-06-23T07:34:12.462Z,ITMILEX999\Internal,08D27B9E1BAF1B57,3,10.0.0.2:25,10.0.0.1:51489,<,EHLO ITMILDC999,
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,4,10.0.0.2:25,10.0.0.1:51489,*,None,Set Session Permissions
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,5,10.0.0.2:25,10.0.0.1:51489,>,250-ITMILEX999.contoso.com Hello [10.0.0.1],
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,6,10.0.0.2:25,10.0.0.1:51489,>,250-SIZE,
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,7,10.0.0.2:25,10.0.0.1:51489,>,250-PIPELINING,
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,8,10.0.0.2:25,10.0.0.1:51489,>,250-DSN,
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,9,10.0.0.2:25,10.0.0.1:51489,>,250-ENHANCEDSTATUSCODES,
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,10,10.0.0.2:25,10.0.0.1:51489,>,250-AUTH NTLM,
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,11,10.0.0.2:25,10.0.0.1:51489,>,250-8BITMIME,
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,12,10.0.0.2:25,10.0.0.1:51489,>,250-BINARYMIME,
2015-06-23T07:34:12.619Z,ITMILEX999\Internal,08D27B9E1BAF1B57,13,10.0.0.2:25,10.0.0.1:51489,>,250 CHUNKING,
2015-06-23T07:34:12.744Z,ITMILEX999\Internal,08D27B9E1BAF1B57,14,10.0.0.2:25,10.0.0.1:51489,<,AUTH ntlm,
2015-06-23T07:34:12.791Z,ITMILEX999\Internal,08D27B9E1BAF1B57,15,10.0.0.2:25,10.0.0.1:51489,>,334 <authentication response>,
2015-06-23T07:34:13.682Z,ITMILEX999\Internal,08D27B9E1BAF1B57,16,10.0.0.2:25,10.0.0.1:51489,*,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
2015-06-23T07:34:13.682Z,ITMILEX999\Internal,08D27B9E1BAF1B57,17,10.0.0.2:25,10.0.0.1:51489,*,CONTOSO\ITMILDC999$,authenticated
2015-06-23T07:34:26.949Z,ITMILEX999\Internal,08D27B9E1BAF1B57,18,10.0.0.2:25,10.0.0.1:51489,*,,Setting up client proxy session failed with error: 535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user
2015-06-23T07:34:26.949Z,ITMILEX999\Internal,08D27B9E1BAF1B57,19,10.0.0.2:25,10.0.0.1:51489,*,,"Setting up client proxy session failed with error: 451 4.4.0 Primary target IP address responded with: ""535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 10.0.0.2:465"
2015-06-23T07:34:26.949Z,ITMILEX999\Internal,08D27B9E1BAF1B57,20,10.0.0.2:25,10.0.0.1:51489,*,None,Set Session Permissions
2015-06-23T07:34:26.965Z,ITMILEX999\Internal,08D27B9E1BAF1B57,21,10.0.0.2:25,10.0.0.1:51489,*,Tarpit for '0.00:00:05' due to '535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user',
2015-06-23T07:34:32.282Z,ITMILEX999\Internal,08D27B9E1BAF1B57,22,10.0.0.2:25,10.0.0.1:51489,>,535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user,
2015-06-23T07:34:32.314Z,ITMILEX999\Internal,08D27B9E1BAF1B57,23,10.0.0.2:25,10.0.0.1:51489,<MAIL FROM:<FSRM @ contoso.com>,
2015-06-23T07:34:32.314Z,ITMILEX999\Internal,08D27B9E1BAF1B57,24,10.0.0.2:25,10.0.0.1:51489,*,Tarpit for '0.00:00:05' due to '530 5.7.1 Client was not authenticated',
2015-06-23T07:34:37.334Z,ITMILEX999\Internal,08D27B9E1BAF1B57,25,10.0.0.2:25,10.0.0.1:51489,>,530 5.7.1 Client was not authenticated,
2015-06-23T07:34:37.334Z,ITMILEX999\Internal,08D27B9E1BAF1B57,26,10.0.0.2:25,10.0.0.1:51489,-,,Local

Ciao,

Luca

June 23rd, 2015 8:22am

Hi Luca,

According to the debug logs, we found '530 5.7.1 Client was not authenticated' error, it shows that these users do not have permission on default frontend receive connector.

I recommend you use telnet to test SMTP communication on your WSUS and FSRM servers :

Telnet to Port 25 to Test SMTP Communication

In addition, try to run the following command and check if AnonymousUsers has been selected:

Get-Receiveconnector "ServerName\Default Frontend connector" |fl permiss*

Best regards,

Free Windows Admin Tool Kit Click here and download it now
June 25th, 2015 4:20am

Hello Niko,

the problem is not with the Default Frontend because I setup a dedicated connector ("Internal" in this example) targeted for the servers and using Integrated Windows Authentication, because FSRM and WSUS send email using computer account credentials. (so Kerberos or NTLM)

Please note that with Exchange CU8 the setup was working, as you can see in the preceding post

2015-06-23T06:11:39.481Z,ITMILEX999\Internal,08D27B82C2B20D7C,17,10.0.0.2:25,10.0.0.1:51258,*,CONTOSO\ITMILDC999$,authenticated
2015-06-23T06:11:39.513Z,ITMILEX999\Internal,08D27B82C2B20D7C,18,10.0.0.2:25,10.0.0.1:51258,*,,Proxy session was successfully set up. Outbound session will now be proxied
2015-06-23T06:11:39.513Z,ITMILEX999\Internal,08D27B82C2B20D7C,19,10.0.0.2:25,10.0.0.1:51258,>,235 2.7.0 Authentication successful

This instead is what happens after upgrading to CU9

2015-06-23T07:34:13.682Z,ITMILEX999\Internal,08D27B9E1BAF1B57,17,10.0.0.2:25,10.0.0.1:51489,*,CONTOSO\ITMILDC999$,authenticated
2015-06-23T07:34:26.949Z,ITMILEX999\Internal,08D27B9E1BAF1B57,18,10.0.0.2:25,10.0.0.1:51489,*,,Setting up client proxy session failed with error: 535 5.7.3 Unable to proxy authenticated session because either the backend does not support it
 or failed to resolve the user
2015-06-23T07:34:26.965Z,ITMILEX999\Internal,08D27B9E1BAF1B57,21,10.0.0.2:25,10.0.0.1:51489,*,Tarpit for '0.00:00:05' due to '535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve
 the user',
2015-06-23T07:34:37.334Z,ITMILEX999\Internal,08D27B9E1BAF1B57,25,10.0.0.2:25,10.0.0.1:51489,>,530 5.7.1 Client was not authenticated,

So I agree with you that it ends with "Client was not autheticated" but this is clearly not the case, not at least on the receive connector.
I want to stress that before the upgrade to CU9 the setup was working perfectly (there is also a mail contact with SendAs privileges for the computer account)


June 25th, 2015 4:49am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics