Cannot send email to/from exchange 2003
Hi there, We have an exchange organization with one Exchange 2007 server and a Exchange 2003 server. The emails do not get routed to/from exchange 2003 server, and they get stacked up in the queue. The exchange 2007 server is able to send emails to external recipients, but its queue is full of emails directed to mailboxes on exchange 2003 server. The following error shows up on the exchange 2007 queue: "451 4.4.0 Primary target IP address responded with: "535 5.7.3 Authentication unsuccessful.."Attempted failover to alternate host, but that did not succeed. Either there is no alternate hosts, or delivery failed to all alternate hosts."" I have deleted the default routing connectors and re-created them, and now in the system manager in exchange 2003 I get the following: Name Admin Group Status 2003 -> 2007 First Admin Group Unavailable 2007 -> 2003 Exchange Admin Group Available Exchange 2003 First Admin Group Available Exchange 2007 Exchange Admin Group Unreachable Probably I am missing something in the routing connector settings? I would appreciate you quick response. Thanks, Ojas
June 26th, 2011 8:34pm

How did you create the routing group connectors? Try removing them and creating them with the Exchange 2007 Management Shell using the New-RoutingGroupConnector cmdlet. Let us know how that works and if it doesn't the exact commands you tried.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2011 2:39am

On Sun, 26 Jun 2011 17:34:50 +0000, ojas.panwar wrote: >We have an exchange organization with one Exchange 2007 server and a Exchange 2003 server. The emails do not get routed to/from exchange 2003 server, and they get stacked up in the queue. The exchange 2007 server is able to send emails to external recipients, but its queue is full of emails directed to mailboxes on exchange 2003 server. The following error shows up on the exchange 2007 queue: > >"451 4.4.0 Primary target IP address responded with: "535 5.7.3 Authentication unsuccessful.."Attempted failover to alternate host, but that did not succeed. Either there is no alternate hosts, or delivery failed to all alternate hosts."" > >I have deleted the default routing connectors and re-created them, and now in the system manager in exchange 2003 I get the following: Name Admin Group Status 2003 -> 2007 First Admin Group Unavailable 2007 -> 2003 Exchange Admin Group Available Exchange 2003 First Admin Group Available Exchange 2007 Exchange Admin Group Unreachable > >Probably I am missing something in the routing connector settings? I would appreciate you quick response. Thanks, Ojas Is there a firewall between the two machines? Authentication between the two servers will use Kerberos and ports 88/tcp and 88/udp must be open. In fact, to be supported, there can be no firewall between the Exchange servers (or, if there is one, it must be working in any-to-any mode). Removing and recreating the RGC should have produced the same error, not some other one. So, yes, I think you're missing something but you haven't shown how you removed the original RGCs nor how you created to two additional RGCs. Without that information, who knows what to tell you> --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
June 27th, 2011 5:40am

Thanks for the response Ed and Rich, we don't have a firewall between the two servers that could be blocking ports. I used the following commands to remove and create the routing group connectors: Remove-RoutingGroupConnector -Identity ConnectorId New-RoutingGroupConnector -Name "2003-2007" -SourceTransportServers 2003Server -TargetTransportServers 2007Server -Cost 10 -Bidirectional $false -PublicFolderReferralsEnabled $true New-RoutingGroupConnector -Name "2007-2003" -SourceTransportServers 2007Server -TargetTransportServers 2003Server -Cost 10 -Bidirectional $false -PublicFolderReferralsEnabled $true After restarting the both the servers now the connectors show available, but the Exchange 2007 server still shows unreachable. After some googling around I found that on Exchange 2003 machine the FQDN under Default SMTP server -> Properties -> Delivery -> Advanced should be teh FQDN of Exchange 2007 machine, which I changed but it didn't do anything. Is there anything else that I should be looking at? Thanks, Ojas
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2011 5:00pm

Check the properties of the Exchange 2007 server's receive connector and see if the authentication settings have been screwed up.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 27th, 2011 6:34pm

The authentication tab has the following options checked: Transport Layer Security (TLS), Basic Authentication, Exchange Server Authentication, and Integrated Windows Authentication. Is it supposed to be the same as default SMTP server on 2003 server?
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2011 8:39pm

On Mon, 27 Jun 2011 14:00:23 +0000, ojas.panwar wrote: > > >Thanks for the response Ed and Rich, we don't have a firewall between the two servers that could be blocking ports. I used the following commands to remove and create the routing group connectors: > >Remove-RoutingGroupConnector -Identity ConnectorId Hmmm . . . try using this instead: get-routinggroupconnector | remove-routinggroupconnector >New-RoutingGroupConnector -Name "2003-2007" -SourceTransportServers 2003Server -TargetTransportServers 2007Server -Cost 10 -Bidirectional $false -PublicFolderReferralsEnabled $true > >New-RoutingGroupConnector -Name "2007-2003" -SourceTransportServers 2007Server -TargetTransportServers 2003Server -Cost 10 -Bidirectional $false -PublicFolderReferralsEnabled $true Then create the RGC like this (omit the "-cost" parameter, you don't need it): new-routinggroupconnector -name "InterOp RGC" -sourcetransportservers 2007server -targettransportservers 2003server -bidirectional:$true -publicfolderreferralenabled:$true >After restarting the both the servers now the connectors show available, but the Exchange 2007 server still shows unreachable. After some googling around I found that on Exchange 2003 machine the FQDN under Default SMTP server -> Properties -> Delivery -> Advanced should be teh FQDN of Exchange 2007 machine, which I changed but it didn't do anything. Is there anything else that I should be looking at? The FQDN of the virtual machine should be name of the machine. Since authentication is failing, run "setspn -L 2003server". There should be two SPNs for whatever FQDN you have set on the E2K3 SMTP virtual server that's used in that "InterOP RGC". For example: SMTPSVC/2003Server SMTPSVC/2003Server.domain.com SMTP/2003Server SMTP/2003Servern.domain.com Perform the same action using "setspn -L 2007Server". If the FQDN isn't present in the set of SPNs for the machine you can add them using "setspn -A FQDN 200xServer". With the correct SPNs assigned to the machine account, Kerberos should authenticate. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
June 28th, 2011 1:04am

Hi, 1. Run the BPA to see if there are any errors. 2. Check if 2003Server is a member of "ExchangeLegacyInterop" group. 3. FQDN is correct or not? Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
June 28th, 2011 10:02am

Hi Rich I deleted and re-created the RGCs without the cost parameter, but still no progress. When I run setspn -L exchange2003, I just get two SMTPSVC connectors, the output is as follows: exchangeRFR/exchange2003.domain exchangeRFR/EXCHANGE2003 exchangeMDB/EXCHANGE2003 exchangeMDB/exchange2003.domain SMTPSVC/EXCHANGE2003 SMTPSVC/exchange2003.domain HOST/EXCHANGE2003 HOST/exchange2003.domain While if I run it for exchange 2007 machine I get all four SMTP connectors as you mentioned above. Is there a way to add just the two SMTP connectors for 2003 server? Also, are the authentication settings under receive connector supposed to be the same as they are on the SMTP virtual server on 2003 machine? Thanks, Ojas Edit: I added SMTP/Exchange2003 and SMTP/Exchange2003.domain by using setspn -A SMTP/Exchange2003 Exchange2003 and setspn -A SMTP/Exchange2003.domain. The error still persists.
June 28th, 2011 4:39pm

Hi Jason, 1. Run the BPA to see if there are any errors. When I run the BPA health check I get an error Missing FQDN in service principal name: The computer account for Exchange server exchange2003.domain does not appear to contain the fully-qualified domain name of Exchange SMTP virtual server 'Default SMTP Virtual Server'. This may cause Kerberos authentication to fail when sending messages between servers. The tool expected to find 'SMTPSVC/exchange2007.domain' in the 'servicePrincipalName'. I'm confused by the message, does it mean that I have to add a new SPN "SMTPSVC/exchange2007.domain" within exchange 2003 by using setspn? 2. Check if 2003Server is a member of "ExchangeLegacyInterop" group. Where do I check it? I didnt find the group under local groups as well as Active directory. 3. FQDN is correct or not? FQDN in exchange 2003 default virtual server(Default SMTP server -> Properties -> Delivery -> Advanced) is exchange2007.domain. Is there anywhere else I should be checking for FQDN settings? Thanks, Ojas
Free Windows Admin Tool Kit Click here and download it now
June 28th, 2011 5:03pm

On Tue, 28 Jun 2011 14:03:00 +0000, ojas.panwar wrote: > > >Hi Jason, > >1. Run the BPA to see if there are any errors. > >When I run the BPA health check I get an error Missing FQDN in service principal name: Well, there you go! If the FQDN isn't a SPN on the computer account Kerberos won't authenticate the connection. >The computer account for Exchange server exchange2003.domain does not appear to contain the fully-qualified domain name of Exchange SMTP virtual server 'Default SMTP Virtual Server'. This may cause Kerberos authentication to fail when sending messages between servers. The tool expected to find 'SMTPSVC/exchange2007.domain' in the 'servicePrincipalName'. > >I'm confused by the message, does it mean that I have to add a new SPN "SMTPSVC/exchange2007.domain" within exchange 2003 by using setspn? >2. Check if 2003Server is a member of "ExchangeLegacyInterop" group. Yes, you do. >Where do I check it? I didnt find the group under local groups as well as Active directory. It's not a group. Use either ADSIEDIT of LDP to see the servicePrincipalName property value on the computer account. >3. FQDN is correct or not? > >FQDN in exchange 2003 default virtual server(Default SMTP server -> Properties -> Delivery -> Advanced) is exchange2007.domain. Is there anywhere else I should be checking for FQDN settings? Is "exchange2007.domain" the FQDN of the server or the one you assigned to the SMTP Virtual Server? If it's the name of the server the SPN should already have been there. If not, then this should do it: setspn -A SMTPSVC/exchange2007.domain <whatever-is-the-server-name> setspn -A SMTPSVC/exchange2007 <whatever-is-the-server-name> setspn -A SMTP/exchange2007.domain <whatever-is-the-server-name> setspn -A SMTP/exchange2007 <whatever-is-the-server-name> --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
June 29th, 2011 3:55am

On Tue, 28 Jun 2011 13:39:11 +0000, ojas.panwar wrote: >Hi Rich I deleted and re-created the RGCs without the cost parameter, but still no progress. When I run setspn -L exchange2003, I just get two SMTPSVC connectors, the output is as follows: The "cost" isn't part of your problem. It's just unnecessary since you have only one RGC. Keep things simple. :-) >exchangeRFR/exchange2003.domain >exchangeRFR/EXCHANGE2003 >exchangeMDB/EXCHANGE2003 >exchangeMDB/exchange2003.domain >SMTPSVC/EXCHANGE2003 >SMTPSVC/exchange2003.domain >HOST/EXCHANGE2003 >HOST/exchange2003.domain >While if I run it for exchange 2007 machine I get all four SMTP connectors as you mentioned above. Is there a way to add just the two SMTP connectors for 2003 server? Unless I'm misremembering things, there's no place to specify a FQDN on a SMTP Connector, only on a SMTP Virtual Server. >Also, are the authentication settings under receive connector supposed to be the same as they are on the SMTP virtual server on 2003 machine? The Routing Group Connector doesn't really use the any of those. >Thanks, Ojas > > Edit: I added SMTP/Exchange2003 and SMTP/Exchange2003.domain by using setspn -A SMTP/Exchange2003 Exchange2003 and setspn -A SMTP/Exchange2003.domain. The error still persists. "exchange2003.domain" is the name of the server, according to the HOST SPN. What's the FQDN on the 2003 SMTP virtual servers (all of them if you have more than one)? You want SPNs for all of them. If you look at the SMTP send protocol log on your Exchange 2007 server you should see that it sends X-EXPS GSSAPI to the Exchange 2003 server. The Exchange 2003 server expects to find whatever name the 2007 server used in the EHLO command in a SPN on the 2007 server's computer account. On the 2003 server, when it sends to the 2007 server, you should see the EHLO and then a couple of 334 status codes and a 235 status code (authentication successful). The Exchange 2007 server expects to find whatever the 2003 server used in its EHLO command in a SPN on the computer account of the 2003 server. If the SPNs are wrong or incomplete authentication fails. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
June 29th, 2011 4:23am

Hi, 1. I'm confused by the message, does it mean that I have to add a new SPN "SMTPSVC/exchange2007.domain" within exchange 2003 by using setspn? You also need to check if SMTPSVC/exchange2007.domain and SMTPSVC/exchange2007 in Exchange 2007 Server. http://technet.microsoft.com/en-us/library/aa996905(EXCHG.80).aspx 2. Where do I check it? I didnt find the group under local groups as well as Active directory. ADUC -> Microsoft Exchange Security Groups -> ExchangeLegacyInterop -> right click -> properties -> members -> Exchange2003 should be in the list.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 29th, 2011 4:41am

Thanks for your replies Rich and Jason, I think I am getting closer to fixing the issue. I added SMTPSVC\exchange2007.domain to the service principal names for exchange2003 server and now I don't get the SMTP error anymore. When I look at the event viewer for exchange2007, I see the following warning every 15 minutes: Inbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE2007. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is [x.x.x.x]. The IP address is that of exchange 2003 server. On the exchange 2003 machine there are warnings about every hour indicating EXPS is temporarily unable to provide protocol security. The full error is as follows: EXPS is temporarily unable to provide protocol security with "EXCHANGE2007.domain". "CSessionContext::OnEXPSInNegotiate" called "HrServerNegotiateAuth" which failed with error code 0x8009030c ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ). After some digging around I found that it is due to kerberos authentication failing. I have checked that the time on both exchange servers are synchronized. Does the FQDN in default virtual server on Exchange 2003 server be exchange2003.domain or exchange2007.domain? Thanks, Ojas
Free Windows Admin Tool Kit Click here and download it now
June 30th, 2011 6:40pm

On Thu, 30 Jun 2011 15:40:19 +0000, ojas.panwar wrote: > > >Thanks for your replies Rich and Jason, I think I am getting closer to fixing the issue. I added SMTPSVC\exchange2007.domain to the service principal names for exchange2003 server and now I don't get the SMTP error anymore. If the name used in the EHLO command from Exchange 2007 is "exchange2007.domain" then the SPNs SMTPSVC\exchange2007.domain, SMTPSVC/exchange2007, SMTP/exchange2007.domain and SMTP/exchange2007 should be on the computer account for the Exchange 2007 server, not the Exchange 2003 server. >When I look at the event viewer for exchange2007, I see the following warning every 15 minutes: >Inbound authentication failed with error LogonDenied for Receive connector Default EXCHANGE2007. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is [x.x.x.x]. > >The IP address is that of exchange 2003 server. On the exchange 2003 machine there are warnings about every hour indicating EXPS is temporarily unable to provide protocol security. The full error is as follows: > > > >EXPS is temporarily unable to provide protocol security with "EXCHANGE2007.domain". "CSessionContext::OnEXPSInNegotiate" called "HrServerNegotiateAuth" which failed with error code 0x8009030c ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ). After some digging around I found that it is due to kerberos authentication failing. I have checked that the time on both exchange servers are synchronized. Does the FQDN in default virtual server on Exchange 2003 server be exchange2003.domain or exchange2007.domain? Thanks, Ojas It seems that exchange2003.domain would be correct. There should be SPNs on the Exchange 2003 server's computer account for SMTP/exchange2003.domain, SMTP/exchange2003, SMTPSVC/exchange2003.domain, and SMTPSCV/exchange2003. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
July 1st, 2011 3:34am

So it seems like my problem is partially solved. I didn't have SMTP/exchange2003 and SMTP/exchange2003.domain in the service principle name for exchange 2003 which I added. Also I changed the authentication on Exchange 2007 receive connector to be same as authentication options on Default SMTP server on Exchange 2003 (Basic Authentication and Integration Windows authentication checked). Now the mails are flowing from Exchange 2003 to 2007 box, but: i. The mails are not flowing from Exchange 2007 to 2003, and are getting stacked up in the queue. ii. The mails delivered to external recipient from exchange 2003 are bouncing back to the sender with a message: Your message did not reach some or all of the intended recipients. Subject: Test Sent: 7/1/2011 10:33 AM The following recipient(s) could not be reached: valid-email@address on 7/1/2011 10:34 AM You do not have permission to send to this recipient. For assistance, contact your system administrator. <exchange2003.domain #5.7.1 smtp;550 5.7.1 Unable to relay> The relay settings on exchange 2003 allow our local domain and the "Allow all computers which successfully authenticate to relay, regardless of the list above" is checked. The queue on exchange 2007 still shows 535 5.7.3 Authentication unsuccessful. Thanks, Ojas
Free Windows Admin Tool Kit Click here and download it now
July 1st, 2011 6:42pm

On Fri, 1 Jul 2011 15:42:11 +0000, ojas.panwar wrote: >So it seems like my problem is partially solved. I didn't have SMTP/exchange2003 and SMTP/exchange2003.domain in the service principle name for exchange 2003 which I added. Did you also remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account? Having the same SPN on multiple computer accounts can be a problem unless they're load balanced and both use the same FQDN in the EHLO commands they send. >Also I changed the authentication on Exchange 2007 receive connector to be same as authentication options on Default SMTP server on Exchange 2003 (Basic Authentication and Integration Windows authentication checked). Now the mails are flowing from Exchange 2003 to 2007 box, but: > >i. The mails are not flowing from Exchange 2007 to 2003, and are getting stacked up in the queue. So what's the reason they're not being delivered? Knowing they're there is one thing, knowing *why* they're there is another. >ii. The mails delivered to external recipient from exchange 2003 are bouncing back to the sender with a message: > >Your message did not reach some or all of the intended recipients. Subject: Test >Sent: 7/1/2011 10:33 AM > > >The following recipient(s) could not be reached: valid-email@address on 7/1/2011 10:34 AM You do not have permission to send to this recipient. For assistance, contact your system administrator. <exchange2003.domain #5.7.1 smtp;550 5.7.1 Unable to relay> >The relay settings on exchange 2003 allow our local domain and the "Allow all computers which successfully authenticate to relay, regardless of the list above" is checked. The queue on exchange 2007 still shows 535 5.7.3 Authentication unsuccessful. Did you remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account? --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
July 1st, 2011 9:08pm

>Did you also remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account? Having the same SPN on multiple computer accounts can be a problem unless they're load balanced and both use the same FQDN in the EHLO commands they send. Yes, the service principle names in Exchange 2003 and 2007 only have their respective records. The output of setspn for both is as follows: Exchange 2003: SMTP/exchange2003.domain SMTP/exchange2003 exchangeMDB/exchange2003.domain exchangeMDB/EXCHANGE2003 exchangeRFR/exchange2003.domain exchangeRFR/EXCHANGE2003 SMTPSVC/exchange2003.domain SMTPSVC/EXCHANGE2003 HOST/EXCHANGE2003 HOST/exchange2003.domain Exchange 2007: IMAP4/exchange2007.domain IMAP4/exchange2007 IMAP/exchange2007.domain IMAP/exchange2007 exchangeRFR/exchange2007 exchangeRFR/exchange2007.domain exchangeMDB/exchange2007 exchangeMDB/exchange2007.domain SmtpSvc/exchange2007.domain SmtpSvc/exchange2007 SMTP/exchange2007.domain SMTP/exchange2007 WSMAN/exchange2007 WSMAN/exchange2007.domain TERMSRV/exchange2007 TERMSRV/exchange2007.domain RestrictedKrbHost/exchange2007 HOST/exchange2007 RestrictedKrbHost/exchange2007.domain HOST/exchange2007.domain >Did you remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account? Yes When I check the status under Monitoring and Status in Exchange 2003 system manager, I see exchange 2007 as unreachable. When I try to see properties, I get an error "unable to connect to WMI service". I checked on exchange 2007 server that WMI service is running, and I am able to remotely connect to Exchange 2007 via wmimgmt.msc from exchange 2003. Could this be causing an issue? Thanks, Ojas
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2011 5:52pm

On Wed, 6 Jul 2011 14:52:20 +0000, ojas.panwar wrote: >>Did you also remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account? Having the same SPN on multiple computer accounts can be a problem unless they're load balanced and both use the same FQDN in the EHLO commands they send. Yes, the service principle names in Exchange 2003 and 2007 only have their respective records. The output of setspn for both is as follows: Exchange 2003: SMTP/exchange2003.domain SMTP/exchange2003 exchangeMDB/exchange2003.domain exchangeMDB/EXCHANGE2003 exchangeRFR/exchange2003.domain exchangeRFR/EXCHANGE2003 SMTPSVC/exchange2003.domain SMTPSVC/EXCHANGE2003 HOST/EXCHANGE2003 HOST/exchange2003.domain Exchange 2007: IMAP4/exchange2007.domain IMAP4/exchange2007 IMAP/exchange2007.domain IMAP/exchange2007 exchangeRFR/exchange2007 exchangeRFR/exchange2007.domain exchangeMDB/exchange2007 exchangeMDB/exchange2007.domain SmtpSvc/exchange2007.domain SmtpSvc/exchange2007 SMTP/exchange2007.domain SMTP/exchange2007 WSMAN/exchange2007 >WSMAN/exchange2007.domain TERMSRV/exchange2007 TERMSRV/exchange2007.domain RestrictedKrbHost/exchange2007 HOST/exchange2007 RestrictedKrbHost/exchange2007.domain HOST/exchange2007.domain >Did you remove the SPNs for the Exchange 2007 server from the Exchange 2003 server's computer account? Yes When I check the status under Monitoring and Status in Exchange 2003 system manager, I see exchange 2007 as unreachable. When I try to see properties, I get an error "unable to connect to WMI service". I checked on exchange 2007 server that WMI service is running, and I am able to remotely connect to Exchange 2007 via wmimgmt.msc from exchange 2003. Could this be causing an issue? Thanks, Ojas If Exchange 2007 says "535 5.7.3 Authentication unsuccessful" then you're probably having a problem with Kerberos. Is port 88/tcp and 88/udp open in both directions between the machines and your DCs? --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
July 7th, 2011 12:55am

Hi Rich, The firewalls are disabled on both the hosts. I enabled Kerberos logging, and found the following errors on exchange 2007: Log Name: System Source: Microsoft-Windows-Security-Kerberos Date: 7/7/2011 10:25:00 AM Event ID: 3 Task Category: None Level: Error Keywords: Classic User: N/A Computer: exchange2007.domain Description: A Kerberos Error Message was received: on logon session Client Time: Server Time: 14:25:0.0000 7/7/2011 Z Error Code: 0xd KDC_ERR_BADOPTION Extended Error: 0xc00000bb KLIN(0) Client Realm: Client Name: Server Realm: domain Server Name: exchange2007$@domain Target Name: ow-exchange2007$@domain@domain Error Text: File: 9 Line: f09 Error Data is in record data. Log Name: System Source: Microsoft-Windows-Security-Kerberos Date: 7/7/2011 10:49:41 AM Event ID: 3 Task Category: None Level: Error Keywords: Classic User: N/A Computer: exchange2007.domain Description: A Kerberos Error Message was received: on logon session 2007test@domain Client Time: Server Time: 14:49:41.0000 7/7/2011 Z Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED Extended Error: Client Realm: Client Name: Server Realm: NY.FSVS.COM Server Name: krbtgt/domain Target Name: krbtgt/domain@domain Error Text: File: e Line: 9fe Error Data is in record data. I am also getting KDC_ERR_BADOPTION errors on Exchange 2003 every 15-odd minutes after enabling kerberos authentication. Do I have to change something on the servers? Thanks, Ojas
Free Windows Admin Tool Kit Click here and download it now
July 7th, 2011 6:36pm

On Thu, 7 Jul 2011 15:36:59 +0000, ojas.panwar wrote: >Hi Rich, > >The firewalls are disabled on both the hosts. I enabled Kerberos logging, and found the following errors on exchange 2007: Start here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21820 > Target Name: ow-exchange2007$@domain@domain Is OW-exchange2007$ the name of some machine in your organization? --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
July 8th, 2011 5:36am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics