451 5.7.3 Cannot achieve Exchange Server authentication
-
Monday, January 08, 2007 11:23 PM
Hello,
I installed first CAS and HUB into my 2003 organization. Using SMTP to HUB server I try to send a message to myself (my mailbox still resides on 2003). Message never arrives, and when looking at the queue on the hub, the message is sitting there with message "451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." "
Ergo, mail is not flowing from 2007 hub to my legacy exchange mailboxes on 2003.
I have to admit that one strange thing happened: After install the exchange routing group "Exchange Routing Group (DWBGZMFD01QNBJR)" was present, but no routing group connectors were in there, so I created 2 of them with the commands:
New-RoutingGroupConnector -Name e2k7-e2k3 -SourceTransportServers <dnsnameofHubserver> -TargetTransportServers <dnsnameof2k3bridgehead>
and
New-RoutingGroupConnector -Name e2k3-e2k7 -SourceTransportServers <dnsnameofe2k3bridgehead> -TargetTransportServers <dnsnameofe2k7hubserver>
I also made sure that all the members of the e2k3 routinggroup are members of the ExchangeLegacyInterop security group.
I obviously missed something. Any suggestions ?
Thanks, Andre.
All Replies
-
Tuesday, January 09, 2007 1:56 PM
Can you clarify 'Using SMTP to HUB'? Are you just telnetting to port 25 on the hub server and issuing SMTP commands manually or using another program?
That's strange that the RoutingGroupConnectors were not automatically created. This is ex2k7 RTM, right? Can you post the output of Get-RoutingGroupConnector | fl ?
Also, this probably isn't related since it appears the test message is making it into the queue on hub, but within Exchange Management Console > Server Configuration > Hub Transport > Receive Connectors > Default Servername and then in the Permissions tab what is checked? Anonymous Users? Legacy Exchange Servers?
-
Tuesday, January 09, 2007 2:53 PM
Mitchell,
Using the version from MSDN for my testing.
We have a number of "internal" applications (CRM, serversalive, buildsystem, etc) that use SMTP to send email notifications to people in our organization. I tested with one of these applications by pointing it to SMTP server on HUB (before I take next step of configuring internet mail to flow through hub).
The output of get-RoutingGroupConnector | fl is below (ns1062 is the host of the new hub server, mail1 is the e2k3 bridgehead, 1034 and 1036 are DC's, US is the only routinggroup in E2K3)
TargetRoutingGroup : US
Cost : 1
TargetTransportServers : {MAIL1}
ExchangeLegacyDN : /o=SEAGULL/ou=Exchange Administrative Group (FYD
IBOHF23SPDLT)/cn=Configuration/cn=Connections/cn
=E2K7-E2K3
PublicFolderReferralsEnabled : True
SourceRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers : {NS1062}
HomeMTA : Microsoft MTA
HomeMtaServerId : NS1062
MinAdminVersion : -2147453113
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : E2K7-E2K3
DistinguishedName : CN=E2K7-E2K3,CN=Connections,CN=Exchange Routing
Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exc
hange Administrative Group (FYDIBOHF23SPDLT),CN=
Administrative Groups,CN=SEAGULL,CN=Microsoft Ex
change,CN=Services,CN=Configuration,DC=seagull,D
C=nl
Identity : E2K7-E2K3
Guid : 930eec8b-7f65-45e0-b82f-797fdec3cfbe
ObjectCategory : seagull.nl/Configuration/Schema/ms-Exch-Routing-
Group-Connector
ObjectClass : {top, msExchConnector, msExchRoutingGroupConnect
or}
WhenChanged : 1/8/2007 5:37:36 PM
WhenCreated : 1/8/2007 5:37:21 PM
OriginatingServer : ns1036.seagull.nl
IsValid : True
TargetRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
Cost : 1
TargetTransportServers : {NS1062}
ExchangeLegacyDN : /O=SEAGULL/OU=seagull/cn=Configuration/cn=Connec
tions/cn=E2K3-E2K7
PublicFolderReferralsEnabled : True
SourceRoutingGroup : US
SourceTransportServers : {MAIL1}
HomeMTA : Microsoft MTA
HomeMtaServerId : MAIL1
MinAdminVersion : -2147453113
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : E2K3-E2K7
DistinguishedName : CN=E2K3-E2K7,CN=Connections,CN=US,CN=Routing Gro
ups,CN=SEAGULL,CN=Administrative Groups,CN=SEAGU
LL,CN=Microsoft Exchange,CN=Services,CN=Configur
ation,DC=seagull,DC=nl
Identity : E2K3-E2K7
Guid : ac1902c1-36a7-41fe-95b5-7f982d7a0b46
ObjectCategory : seagull.nl/Configuration/Schema/ms-Exch-Routing-
Group-Connector
ObjectClass : {top, msExchConnector, msExchRoutingGroupConnect
or}
WhenChanged : 1/8/2007 5:38:16 PM
WhenCreated : 1/8/2007 5:38:01 PM
OriginatingServer : ns1036.seagull.nl
IsValid : True
I did check the anonymous permission on the default receive connector that is listening on port 25 (so all except partner is checked). I checked it for 2 reasons: 1) Will be needed when I configure it to receive internet mail from our hosted spam and virus filtering service, and 2) I wasn't able to authenticate to the Hub SMTP server using ESMTP commands (not important right now).
Thanks, Andre.
-
Tuesday, January 09, 2007 3:29 PM
The routing group connectors look fine.
On your Exchange 2003 server (MAIL1) can you check the properties of the SMTP virtual server? Under the "Access" tab and then "Authentication" is "Integrated Windows Authentication" checked?
-
Tuesday, January 09, 2007 4:03 PM
Mitchell,
Bingo! That option was not checked. Checking the option and forcing retry on the queue got me past the "451 5.7.3 Cannot achieve Exchange Server authentication" message, only it now gives me a new one : "Primary target IP address responded with: 530 5.7.0 Must issue a STARTTLS command first"
I know why: because the SMTP connector on the E2K3 bridgehead requires secure channel.
The question now becomes : Why does the HUB server not issue STARTTLS when delivering messages to legacy bridgehead ?
AFAIK I did deploy MTLS cert to hub and enabled it for SMTP. When I look at the SMTP Send connector network tab in E2K7 management console hub transport under organization ... I do notice that "Enable domain security (Mutual auth TLS)" Option is not checked, however this definition is from E2K3, and I can not change it in E2K7 management console. Any suggestions on this ?
Thanks a mill for your help so far !
Andre.
-
Tuesday, January 09, 2007 4:29 PM
Hmmm, normally you would configure SMTP to use TLS for a specific domain by using the Set-TransportConfig -TLSSendDomainSecureList domain.com option but that's for securing to domains, not for internal routing. (This is detailed at http://www.microsoft.com/technet/prodtechnol/exchange/e2k7help/851774b8-1867-49df-bc01-33ff8b99a00b.mspx) I'm not sure if this would work for the internal connection to the Exchange 2003 server... maybe if you set the local domain name in the -TLSSendDomainSecureList? Just a guess, I haven't tried that yet.
-Mike
-
Tuesday, January 09, 2007 11:02 PM
Mike,
Haven't figured it out yet. Will start a new thread for this.
Thanks again, Andre.
-
Friday, January 12, 2007 7:05 PM
Can you cut and paste your protocol log between your Hub and Exchange 2003? This is usually because Exchange 2003 did not advertise GSSAPI (you failed to check integrated authentication tab). Also, as I said in another thread, you can not do both TLS and GSSAPI together in Exchange 2003, if that is what is preventing you from advertising GSSAPI.
-
Friday, January 12, 2007 7:28 PM
Hao, The pieces of the puzzle are coming together, the "Cannot achieve exchange server authentication" was resolved by checking the "Integrated authentication" option on the 2003 SMTP server, and the StartTLS issue was answered by Scott in the other post by stating that TLS is not supported on the routing groups between 2003 and 2007, so i had to uncheck the "require secure channel" option on the same 2003 SMTP server properties.
Thanks, Andre.
- Marked As Answer by adenhaan Friday, September 10, 2010 5:34 PM
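Added example, not part of any post in this thread: a small check over the kind of protocol log requested above, reporting the two conditions the thread ran into (GSSAPI not advertised by the legacy SMTP virtual server, and a 530 reply demanding STARTTLS). The transcripts, host names and function names are constructed for illustration, and treating a missing GSSAPI keyword as the cause of 451 5.7.3 follows the reply above rather than Microsoft documentation.

```python
import re

# Constructed EHLO exchanges as a Hub might log them when talking to a legacy
# SMTP virtual server; hosts and addresses are placeholders. The Hub's own
# command that triggers the 530 reply is omitted from the second transcript.
NO_INTEGRATED_AUTH = """\
220 mail1.example.test ESMTP ready
EHLO hub.example.test
250-mail1.example.test Hello [192.0.2.10]
250-STARTTLS
250-AUTH LOGIN
250 OK
"""
SECURE_CHANNEL_REQUIRED = """\
220 mail1.example.test ESMTP ready
EHLO hub.example.test
250-mail1.example.test Hello [192.0.2.10]
250-STARTTLS
250-X-EXPS GSSAPI NTLM LOGIN
250-AUTH GSSAPI NTLM LOGIN
250 OK
530 5.7.0 Must issue a STARTTLS command first
"""

# "250-KEYWORD args" or "250-KEYWORD=args"; greeting and status lines do not match.
EHLO_LINE = re.compile(r"^250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$")

def ehlo_keywords(log):
    """Map each advertised EHLO keyword to the set of its arguments."""
    caps = {}
    for line in log.splitlines():
        m = EHLO_LINE.match(line.strip())
        if m:
            args = (m.group(2) or "").upper().split()
            caps.setdefault(m.group(1).upper(), set()).update(args)
    return caps

def diagnose(log):
    """Return findings for the two failure modes discussed in this thread."""
    caps = ehlo_keywords(log)
    mechanisms = caps.get("AUTH", set()) | caps.get("X-EXPS", set())
    findings = []
    if "GSSAPI" not in mechanisms:
        findings.append("gssapi-not-advertised")   # seen with 451 5.7.3
    if re.search(r"^530 5\.7\.0 .*STARTTLS", log, re.MULTILINE):
        findings.append("starttls-required")       # "require secure channel" set
    return findings
```

An empty list from `diagnose` means neither condition appears in the transcript; it does not prove the session is otherwise healthy.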
-
Friday, May 04, 2007 5:26 AM
Hello!
Do you have any other ideas? I checked and the integrated windows authentication was checked on mine but I still do not have mail routing from the internet to my 2003 servers. If I have my mailbox on my 2007 server, I get mail from the internet, but if my mailbox is on a 2003 server, I do not get mail from the internet. I am able to e-mail from my Exchange 2007 server to my Exchange 2003 server without any trouble and I can move mailboxes back and forth, but internet e-mail that goes to my front-end 2007 server will not pass through to my back-end 2003 servers.
Many thanks,
Steve
-
Friday, May 04, 2007 5:35 AM
One more note - my error numbers are different from the ones above, but the symptoms seem to be the same. I get the following under "last error":
451 4.4.0 Primary target IP address responded with: "421 4.4.2 Connection Dropped." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
Many thanks,
Steve
-
Thursday, June 07, 2007 2:30 PM
Hi all, maybe you can help me. I solved the problem by checking "Integrated Windows Authentication" but only for the first CA; on the second one the error still remains... any suggestions?
Thanks in advance
-
Saturday, August 11, 2007 1:58 PM
Having same problem - 2007 to 2003 mailbox doesn't work (451 5.7.3 Cannot achieve Exchange Server authentication). Tried adjusting perms w/o luck. Have you figured this out?
Marc
-
Sunday, August 12, 2007 4:22 PM
Never mind- re-looked at previous posts again. I found that I only had Anonymous (access) on the 2003 SMTP Default SMTP Virtual Server so after also checking "Integrated Windows Authentication", all flows both ways.
Marc
-
Friday, December 07, 2007 10:20 AM
DomainSecure is a different new feature within 2007. It basically allows an organization to specify domains for which mutual TLS is a must for transferring inbound/outbound messages.
The reason why hub would not issue TLS is b/c 2003BE smtp does not have a cert. TLS requires an authenticating server to give a client a certificate to start negotiation with an optional client cert option for mutual authentication. Thus, Microsoft elected Integrated Authentication. I feel dumb for not catching that.
-
Monday, January 21, 2008 3:11 PM
Thank you.
This fixed my ability to send from my Exchange 07 server.
-
Tuesday, January 22, 2008 4:58 PM
What is the SMTP Virtual Server? Under IIS I have Exadmin, Exchange and Exchweb. Which one do I change?
Thanks,
-
Tuesday, April 22, 2008 1:55 AM
Hi Sgtpepe,
Could you show me how to resolve the problem ? I get the same error when sending from exchange 2007 to exchange 2003 server, and I tried to check Integrated Windows Authentication on Virtual SMTP server in Exchange 2003. but It does not help.
Thanks in advance,
HaoNN
-
Tuesday, April 22, 2008 8:46 PM
Checking Integrated Windows Authentication solved my problem.
1. Exchange System Manager>Administrative groups>First Administrative Group>Servers>Server Name>Protocols>SMTP
Right Click your smtp virtual server.
Properties>Access>Authentication
Put a check mark in Integrated Windows Authentication
I know this is what was said before but this is what fixed my issue.
Thanks.
-
Wednesday, April 23, 2008 1:15 AM
Thanks Sgtpepe,
I tried to check this option on my exchange 2003 server but it does not help. I also upgraded my Exchange 2007 to SP1; it does not help either.
If you have any suggestions, please advise me.
Thanks,
-
Thursday, September 16, 2010 11:11 AM
This is an Exchange 2010/2007 problem with send connector configuration. When you configured the send connector you probably marked RequireTLS $true. This is not an Exchange 2003 problem.
Sample from: http://technet.microsoft.com/en-us/library/bb123546.aspx
New-SendConnector -Name "Legacy Forest" -SmartHostAuthMechanism BasicAuth -AuthenticationCredential $mycred -AddressSpaces FourthCoffee.com -SmartHosts Bridgehead1.FourthCoffee.com, Bridgehead2.FourthCoffee.com -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -RequireTLS $true -DNSRoutingEnabled $false
First run Get-SendConnector | fl and look for RequireTLS : True
If it is, then run: Set-SendConnector -Identity "**********" -RequireTLS 0 :-)
-
Monday, May 16, 2011 9:16 AM
Thanks Mitchell.. solved my problem also, I was getting the same error
-
Thursday, September 29, 2011 3:30 PM
Found this today which solved my problem. Related to Exchange Authentication Settings on a receive connector:
Thanks,
M
- Proposed As Answer by Sherlock25 Thursday, February 09, 2012 9:11 PM

