Inbound authentication failed with error UnexpectedExchangeAuthBlob

New Exchange 2013 on Windows Server 2008 R2, in coexistence with Exchange 2007 on Windows Server 2003.

Except for one test mailbox, all mailboxes are still on Exchange 2007.


Virtual directories are redirected to Exchange 2013, with legacy dns name directed to Exchange 2007, and OWA/ActiveSync are working fine.

Mail flow from the internet is still directed to Exchange 2007 and is fine.


But mail flow is not working on Exchange 2013. Using OWA with the test mailbox, emails are stuck in the Drafts folder. Emails from a mailbox on Exchange 2007 are received by the Frontend Transport service, but fail on the Transport service with this error (192.168.1.76 is the address of the Exchange 2013 server, and HV-SRV-EXCH-02 is its name):

MSExchangeTransport - 1035 - SmtpReceive

Inbound authentication failed with error UnexpectedExchangeAuthBlob for Receive connector Default HV-SRV-EXCH-02. The authentication mechanism is ExchangeAuth. The source IP address of the client who tried to authenticate to Microsoft Exchange is [192.168.1.76].

The certificate is signed by an enterprise CA and contains the public domain names, along with the NetBIOS and FQDN names:

CN=owa.example.com, OU=xxx.......",Certificate subject
"CN=vsg-HV-SRV-CA-02-CA, DC=vsg, DC=qc, DC=ca",Certificate issuer name
owa.example.com;hv-srv-exch-02.vsg.qc.ca;AutoDiscover.vsg.qc.ca;AutoDiscover.example.net;AutoDiscover.example.com;HV-SRV-EXCH-02,Certificate alternate names


Clocks are in sync (both Exchange servers, and the domain controllers).

SPNs seem OK:

setspn -L hv-srv-exch-02 | find /I "smtp"
        SmtpSvc/HV-SRV-EXCH-02.vsg.qc.ca
        SmtpSvc/HV-SRV-EXCH-02
        SMTP/HV-SRV-EXCH-02.vsg.qc.ca
        SMTP/HV-SRV-EXCH-02

DNS servers are set manually in ECP, and on the TransportService and FrontEndTransportService. I also added the IP addresses and hostnames (NetBIOS and FQDN) of both Exchange servers to the hosts file.

I used the Kerberos debug log to check for errors, and all I got is this, which seems fine:

A Kerberos Error Message was received:
 on logon session VSG.QC.CA\hv-srv-exch-02$
 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED

Example logs for the same session, sending an email from a mailbox on Exchange 2007 to the test mailbox on Exchange 2013.

From the FrontEnd receive log (hv-srv-exch-01 is the Exchange 2007 server):

2015-05-06T12:25:40.535Z,HV-SRV-EXCH-02\Default Frontend HV-SRV-EXCH-02,08D2555C60FC73C7,46,192.168.1.76:25,192.168.1.23:15456,<,X-EXPS EXCHANGEAUTH,
2015-05-06T12:25:40.535Z,HV-SRV-EXCH-02\Default Frontend HV-SRV-EXCH-02,08D2555C60FC73C7,47,192.168.1.76:25,192.168.1.23:15456,*,SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SendAs SMTPSendXShadow SMTPAcceptXShadow SMTPAcceptXProxyFrom SMTPAcceptXSessionParams SMTPAcceptXMessageContextADRecipientCache SMTPAcceptXMessageContextExtendedProperties SMTPAcceptXMessageContextFastIndex SMTPAcceptXAttr SMTPAcceptXSysProbe,Set Session Permissions
2015-05-06T12:25:40.535Z,HV-SRV-EXCH-02\Default Frontend HV-SRV-EXCH-02,08D2555C60FC73C7,48,192.168.1.76:25,192.168.1.23:15456,*,VSTGEORGES\HV-SRV-EXCH-01$,authenticated
2015-05-06T12:25:40.535Z,HV-SRV-EXCH-02\Default Frontend HV-SRV-EXCH-02,08D2555C60FC73C7,49,192.168.1.76:25,192.168.1.23:15456,>,235 <authentication response>,

From the FrontEnd Send log:

2015-05-06T12:25:45.558Z,Inbound Proxy Internal Send Connector,08D2555C60FC73C8,51,192.168.1.76:42824,192.168.1.76:2525,>,X-EXPS EXCHANGEAUTH SHA256 ,
2015-05-06T12:25:45.558Z,Inbound Proxy Internal Send Connector,08D2555C60FC73C8,52,192.168.1.76:42824,192.168.1.76:2525,>,<Binary Data>,
2015-05-06T12:25:50.566Z,Inbound Proxy Internal Send Connector,08D2555C60FC73C8,53,192.168.1.76:42824,192.168.1.76:2525,<,454 4.7.0 Temporary authentication failure,
2015-05-06T12:25:50.566Z,Inbound Proxy Internal Send Connector,08D2555C60FC73C8,54,192.168.1.76:42824,192.168.1.76:2525,>,QUIT,

And from the Hub Receive log:

2015-05-06T12:25:45.558Z,HV-SRV-EXCH-02\Default HV-SRV-EXCH-02,08D2555EA1F7C246,51,192.168.1.76:2525,192.168.1.76:42824,<,X-EXPS EXCHANGEAUTH,
2015-05-06T12:25:45.558Z,HV-SRV-EXCH-02\Default HV-SRV-EXCH-02,08D2555EA1F7C246,52,192.168.1.76:2525,192.168.1.76:42824,*,,Inbound ExchangeAuth negotiation failed because of UnexpectedExchangeAuthBlob
2015-05-06T12:25:45.558Z,HV-SRV-EXCH-02\Default HV-SRV-EXCH-02,08D2555EA1F7C246,53,192.168.1.76:2525,192.168.1.76:42824,*,,User Name: NULL
2015-05-06T12:25:45.558Z,HV-SRV-EXCH-02\Default HV-SRV-EXCH-02,08D2555EA1F7C246,54,192.168.1.76:2525,192.168.1.76:42824,*,Tarpit for '0.00:00:05' due to '454 4.7.0 Temporary authentication failure',
2015-05-06T12:25:50.566Z,HV-SRV-EXCH-02\Default HV-SRV-EXCH-02,08D2555EA1F7C246,55,192.168.1.76:2525,192.168.1.76:42824,>,454 4.7.0 Temporary authentication failure,
2015-05-06T12:25:50.566Z,HV-SRV-EXCH-02\Default HV-SRV-EXCH-02,08D2555EA1F7C246,56,192.168.1.76:2525,192.168.1.76:42824,-,,Local

May 6th, 2015 10:55am

I don't have an answer to your problem, but you should post your cumulative update level of Exchange 2013.

May 6th, 2015 11:29am

Sorry, it's CU8
May 6th, 2015 11:43am

Hi,

From your description, the issue should be related to the receive connector. I recommend you check that the authentication you set on the Exchange 2013 receive connector is right. What's more, you can create a new receive connector and send connector for communication between Exchange 2007 and Exchange 2013.

Hope this can be helpful to you.

Best regards,

May 8th, 2015 3:26am

Hi ,

For the messages stuck in Drafts, we need to follow the article mentioned below.

http://thoughtsofanidlemind.com/2013/03/25/exchange-2013-dns-stuck-messages/

Then, for the mail flow issue between Exchange 2007 and Exchange 2013, I need to clarify a few things.

Did you make any changes to the Default receive connector on the Exchange 2013 CAS server?

May 8th, 2015 3:59am

Hi,

I completely uninstalled Exchange 2013 yesterday, deleted all files, the backend site in IIS, and application pools.

I then reinstalled, and left most settings at their defaults (I just changed the external virtual directories, added the new server to the send connector, and moved a test mailbox to the new server).

The permissions for the "Default HV-SRV-EXCH-02" receive connector are:

AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Bindings                                : {0.0.0.0:2525, [::]:2525}
Fqdn                                    : hv-srv-exch-02
Enabled                                 : True
PermissionGroups                        : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole                           : HubTransport

Before reinstalling, I also tried setting the binding address to the IP of the server (192.168.1.76 and 127.0.0.1, both on port 2525), but it did not change the result.

An important detail is that the communication (and Exchange auth) is OK from 2007 to 2013, with the default frontend connector. It's only from the default frontend (frontend transport) to the default (hub transport) connector on the same server that the Exchange authentication is not working correctly...

May 8th, 2015 7:55am

Hi,

I originally tried to change things in the default receive connector, but yesterday I completely uninstalled Exchange 2013 (see my post above), and did not change anything in the receive connectors after the new installation.

Originally, I tried setting the DNS servers manually (see my original post), in ECP, and also with Set-TransportService and Set-FrontendTransportService.

May 8th, 2015 8:01am

I just tested disabling the default hub transport connector, and created a new one, with only TLS and Exchange authentication, listening only on 192.168.1.76 and 127.0.0.1 port 2525, and scoped to just 192.168.1.76 and 127.0.0.1.

I got the same results:

2015-05-08T12:36:16.078Z,hv-srv-exch-02\test-hub,08D257A172EE3BE3,49,192.168.1.76:2525,192.168.1.76:8635,<,X-EXPS EXCHANGEAUTH,
2015-05-08T12:36:16.078Z,hv-srv-exch-02\test-hub,08D257A172EE3BE3,50,192.168.1.76:2525,192.168.1.76:8635,*,,Inbound ExchangeAuth negotiation failed because of UnexpectedExchangeAuthBlob
2015-05-08T12:36:16.078Z,hv-srv-exch-02\test-hub,08D257A172EE3BE3,51,192.168.1.76:2525,192.168.1.76:8635,*,,User Name: NULL

The username is NULL, compared to the ExchangeAuth on the default frontend connector, which shows the computer account of the Exchange 2007 server:

2015-05-08T12:55:36.676Z,hv-srv-exch-02\Default Frontend HV-SRV-EXCH-02,08D257A124ACF973,46,192.168.1.76:25,192.168.1.23:38029,<,X-EXPS EXCHANGEAUTH,
2015-05-08T12:55:36.676Z,hv-srv-exch-02\Default Frontend HV-SRV-EXCH-02,08D257A124ACF973,47,192.168.1.76:25,192.168.1.23:38029,*,SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SendAs SMTPSendXShadow SMTPAcceptXShadow SMTPAcceptXProxyFrom SMTPAcceptXSessionParams SMTPAcceptXMessageContextADRecipientCache SMTPAcceptXMessageContextExtendedProperties SMTPAcceptXMessageContextFastIndex SMTPAcceptXAttr SMTPAcceptXSysProbe,Set Session Permissions
2015-05-08T12:55:36.676Z,hv-srv-exch-02\Default Frontend HV-SRV-EXCH-02,08D257A124ACF973,48,192.168.1.76:25,192.168.1.23:38029,*,VSTGEORGES\HV-SRV-EXCH-01$,authenticated
2015-05-08T12:55:36.676Z,hv-srv-exch-02\Default Frontend HV-SRV-EXCH-02,08D257A124ACF973,49,192.168.1.76:25,192.168.1.23:38029,>,235 <authentication response>,

May 8th, 2015 9:00am
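A small triage script for the protocol-log excerpts quoted in this thread, added here as an example and not part of any post: it parses Exchange SMTP protocol-log lines (the nine-field CSV format shown above), groups them by session id, and reports which ExchangeAuth attempts ended with an authenticated computer account and which ended in a failure such as UnexpectedExchangeAuthBlob. The sample lines are constructed from the excerpts above; the field names follow the standard protocol-log header.

```python
import csv
from collections import defaultdict
from io import StringIO

# Exchange SMTP receive/send protocol logs are CSV with these nine fields.
FIELDS = ("date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context")

# Constructed sample modelled on the thread's excerpts: one hub session where
# ExchangeAuth fails, one frontend session where the 2007 server authenticates.
SAMPLE_LOG = r"""
2015-05-08T12:36:16.078Z,hv-srv-exch-02\test-hub,08D257A172EE3BE3,49,192.168.1.76:2525,192.168.1.76:8635,<,X-EXPS EXCHANGEAUTH,
2015-05-08T12:36:16.078Z,hv-srv-exch-02\test-hub,08D257A172EE3BE3,50,192.168.1.76:2525,192.168.1.76:8635,*,,Inbound ExchangeAuth negotiation failed because of UnexpectedExchangeAuthBlob
2015-05-08T12:36:16.078Z,hv-srv-exch-02\test-hub,08D257A172EE3BE3,51,192.168.1.76:2525,192.168.1.76:8635,*,,User Name: NULL
2015-05-08T12:55:36.676Z,hv-srv-exch-02\Default Frontend HV-SRV-EXCH-02,08D257A124ACF973,46,192.168.1.76:25,192.168.1.23:38029,<,X-EXPS EXCHANGEAUTH,
2015-05-08T12:55:36.676Z,hv-srv-exch-02\Default Frontend HV-SRV-EXCH-02,08D257A124ACF973,48,192.168.1.76:25,192.168.1.23:38029,*,VSTGEORGES\HV-SRV-EXCH-01$,authenticated
2015-05-08T12:55:36.676Z,hv-srv-exch-02\Default Frontend HV-SRV-EXCH-02,08D257A124ACF973,49,192.168.1.76:25,192.168.1.23:38029,>,235 <authentication response>,
"""


def parse_protocol_log(text):
    """Yield one dict per well-formed log line, keyed by FIELDS; skip comments."""
    for row in csv.reader(StringIO(text.strip())):
        if len(row) >= len(FIELDS) and not row[0].startswith("#"):
            yield dict(zip(FIELDS, row))


def summarize_exchangeauth(text):
    """Group lines by session id and record how each ExchangeAuth attempt ended."""
    sessions = defaultdict(lambda: {"connector": None, "remote": None,
                                    "user": None, "failure": None})
    exchangeauth_sessions = set()
    for rec in parse_protocol_log(text):
        sid = rec["session-id"]
        if rec["event"] == "<" and rec["data"].upper().startswith("X-EXPS EXCHANGEAUTH"):
            exchangeauth_sessions.add(sid)   # client offered ExchangeAuth
            sessions[sid].update(connector=rec["connector-id"], remote=rec["remote-endpoint"])
        elif rec["event"] == "*" and rec["context"] == "authenticated":
            sessions[sid]["user"] = rec["data"]          # e.g. DOMAIN\SERVER$
        elif rec["event"] == "*" and "negotiation failed because of" in rec["context"]:
            sessions[sid]["failure"] = rec["context"].rsplit(" ", 1)[-1]
    return {sid: sessions[sid] for sid in exchangeauth_sessions}


def failed_exchangeauth_sessions(text):
    """Return (session-id, connector, remote, reason) for every failed ExchangeAuth."""
    return sorted((sid, s["connector"], s["remote"], s["failure"])
                  for sid, s in summarize_exchangeauth(text).items() if s["failure"])
```

Run it over a real SmtpReceive log to list the failing sessions and their remote endpoints; a failure where the remote endpoint is the server's own address, as in this thread, points at the local Kerberos configuration rather than at the peer.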

Finally found the problem:

When we first introduced Windows Server 2008 R2 and Windows 7, we still had Windows Server 2003 domain controllers, and had to add this registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"DefaultEncryptionType"=0x17

While inspecting Kerberos traffic on the Exchange 2013 server, I noticed that there were PREAUTH_REQUIRED errors, but no retries...

After removing this registry key and rebooting the Exchange 2013 server, mail flow is restored.

May 12th, 2015 10:04am
