exchange 2010 sp2 emc initialization error using "kerberos" authentication failed

  • Question

  • We use exchange 2010 SP2.

    We have 2 management stations, both w2k8 R2 SP1.

    I have one management station on which the emc and ems works ok.

    On the other management station (which is also in another ad site) the emc and ems don't work.

    I get the following error message : The attempt to connect to http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

    I have checked the time on the management station and on the exchange server and this is ok.

    It is not a permissions issue because the user functions ok on the other management station.

    On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.

    What am I doing wrong?

    Anyone any tips?

    Thanks,

    JB 

    Wednesday, September 26, 2012 2:46 PM


All replies

  • is the Service Pack & Rollup updates on the Exchange Server and Management tools machine the same ?

    # When we browse the powershell virtual Directory on Bad Management station do we get a page 401.0 Access Denied. if we get it then it is fine. if it displays any other page then could be an issue with Powershell Vdir on the Bad management station;

    Alternatively;

    Open Powershell as Administrator;

    winrm quickconfig

    Press (y) when prompted to add exception to firewall.

    Winrm e winrm/config/listener -> to check if we are able to query port 5985. if this fails get the error code.

    I would prefer you run the EMTShoot.PS1 from the link below which would give us at least a hint.

    Troubleshoot Management tools startup Failures

    ______________________________________________________

    Pavan ~ ( Exchange Support | 2003/2007/2010) ~Mark this if Helpful


    Thursday, September 27, 2012 3:16 AM
  • Hi

    Perhaps it is due to a time synchronization issue and an incorrect Kerberos ticket cache.

    Please synchronize the time between problematic Exchange and DC, and purge all the Kerberos ticket cache using Klist purge.

    For Klist purge, please refer to

    http://technet.microsoft.com/en-us/library/hh134826(v=ws.10).aspx

    Hope that helps

    Cheers


    Zi Feng

    TechNet Community Support

    • Proposed as answer by Luis Olias Monday, August 4, 2014 4:12 PM
    Thursday, September 27, 2012 8:26 AM
    Moderator
  • Hi,

    We don't have any rollup updates installed. It is exchange 2010 SP2 with no extra updates.

    Server and management station are sp2.

    The 401 Access denied is ok. From the bad management station I get the 401.

    ---------------------------------------------------------------

    This is the output from the EMTShoot.ps1:

    Welcome to the Exchange Management Troubleshooter!

    We recommend that you run the troubleshooter after making changes to
    IIS to ensure that connectivity to Exchange Powershell is unaffected.

    Checking IIS Service...

    Checking the Exchange Install Path variable...

    Checking the Powershell Virtual Directory...

    Your Powershell Virtual Directory is M.I.A.

    -------------------------------------------------------

    This is the output from the winrm config:

    PS C:\logging> winrm quickconfig
    WinRM already is set up to receive requests on this machine.
    WinRM is not set up to allow remote access to this machine for management.
    The following changes must be made:

    Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
    Enable the WinRM firewall exception.

    Make these changes [y/n]? y

    WinRM has been updated for remote management.

    Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
    WinRM firewall exception enabled.
    PS C:\logging> winrm e winrm/config/listener
    Listener
        Address = *
        Transport = HTTP
        Port = 5985
        Hostname
        Enabled = true
        URLPrefix = wsman
        CertificateThumbprint
        ListeningOn = x.x.x.x, 127.0.0.1, ::1, fe80::5efe:10.24.2.45%12

    Thanks

    Thursday, September 27, 2012 12:47 PM
  • Hi Zi Feng,

    The time is ok. They are all in sync.

    Purged the kerberos ticket, restarted the emc but no luck.

    In the morning I can start the emc once for let's say 2 minutes and then I get error messages in the emc when trying to change something.

    From then on each time access denied.

    Current LogonId is 0:0x421865a
            Deleting all tickets:
            Ticket(s) purged!

    Thanks

    Thursday, September 27, 2012 12:50 PM
  • Hi

    What is the error message when access denied?

    Cheers


    Zi Feng

    TechNet Community Support

    Friday, September 28, 2012 7:30 AM
    Moderator
  • The following error occurred while attempting to connect to the specified Exchange server 'servername.domain.com':

    The attempt to connect to http://servername.domain.com/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

    Friday, September 28, 2012 7:35 AM
  • Hi

    I found a thread with some suggestion, maybe you can have a try on them

    "Kerberos" authentication failed while trying to access EMC or EMS

    http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/12cc53cb-4fff-43a1-a6ff-307d952a9d31

    • adjust the time zone before joining the server to the domain, also if the server is a virtual machine make sure you install the tools (e.g VMWare tools, etc..) and then adjust the time zone.
    • make sure that the WWW Publishing Service is started.
    • the time differed from that of the MDC even though I tried troubleshooting it much nothing had worked so I removed everything and started from scratch.
    • need to fix the bindings on 'Default Web Site' in IIS Manager

    Hope one of them is working for you

    Cheers


    Zi Feng

    TechNet Community Support

    Monday, October 1, 2012 5:59 AM
    Moderator
  • Reinstalled the console but no luck.

    It goes ok for 1 or 2 minutes and then in the console I get access denied messages.

    From then on also when I start the emc I get the message initialization failed. Access denied.

    Time is ok, www publishing service is running.

    Strange.

    JB

    Monday, October 1, 2012 12:10 PM
  • This is what I get in the eventlog of the bad management station.

    Log Name:      MSExchange Management
    Source:        MSExchange CmdletLogs
    Date:          1/10/2012 11:39:27
    Event ID:      6
    Task Category: (1)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server.domain.com

    Description:
    The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    Get-ExchangeServer
    {Identity=Servername}
    Domain/ou/ou/ou/ou/username
    Exchange Management Console-Local
    3080
    22
    00:00:00.3593888
    View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
    Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
    Context

    the message resource is present but the message is not found in the string/message table

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchange CmdletLogs" />
        <EventID Qualifiers="49152">6</EventID>
        <Level>2</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
        <EventRecordID>11</EventRecordID>
        <Channel>MSExchange Management</Channel>
        <Computer>FQDN MGMT STATION</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Get-ExchangeServer</Data>
        <Data>{Identity=MGMT STATION}</Data>
        <Data>domain/ou/ou/ou/ou/username</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>Exchange Management Console-Local</Data>
        <Data>3080</Data>
        <Data>
        </Data>
        <Data>22</Data>
        <Data>00:00:00.3593888</Data>
        <Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
        <Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
        <Data>Context</Data>
        <Data>
        </Data>
      </EventData>
    </Event>

    Monday, October 1, 2012 1:13 PM
  • Hi

    Please try to install one role at a time.

    If installing MBX role it failed, try to delete Discovery search mailbox and rerun setup.

    If installing CAS role it failed, try to delete old virtual directories using Metabase Explorer.

    If installing HUB transport role it failed, try to delete the old Receive connector using Adsiedit.msc

    Hope it helps

    Cheers


    Zi Feng

    TechNet Community Support

    Wednesday, October 3, 2012 4:41 AM
    Moderator
  • Thank you for your reply.

    I can not reinstall the roles. The server is in production.

    I have only a problem with an extra emc that is not functioning. In the morning when I start the console I can work with it for 30 seconds, 1 minute and then I get access denied error messages.

    I'm searching what is going wrong.

    The time is not the issue. Maybe an spn issue or so but I wonder why my other management station with emc installed goes ok. No issues at all. With the other management station it has never worked. Something with active directory sites or so.

    Thanks for the help,

    JB

    Wednesday, October 3, 2012 6:58 AM
  • This could be a local profile corruption issue:

    To conclude it:

    1. Create a user by name EmcTest.

    2. Make it a member of Organization Management, Enterprise admins, Domain Admins, Schema Admins, Built-in Administrators, Group policy Creator Owners.

    3. Run the command : Set-User EmcTest -RemotePowerShellEnabled:$True

    4. Log off and login with EmcTest and check if we still get the same error when accessing the EMC.

    5. If we are able to open EMC/EMS without any issues with EmcTest then it is most likely a profile corruption where you can remove the corrupted profile from the Management Workstation from Regedit:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    In case if you are going to remove or rename make sure to take a backup of the key(Folder) by exporting the Registry and rename the folder in the C:\User\CorruptedProfileUserFolder to .old and relogin back with the original account which we removed and it should create a new profile folder.


    Exchangeexperts.in ~ ( Exchange | 2003/2007/2010/E15(2013)) ~Mark this if Helpful My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by PK M Saturday, October 6, 2012 4:37 AM
    Saturday, October 6, 2012 4:24 AM
  • Thank you for taking time helping to solve my problem.

    I created the new account emctest and tried to open the management console but no luck.

    Still the error message:

    The following error occurred when setting up remote Powershell session to 'servername.domain:

    The attempt to connect to http://servername.domain/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.


    • Edited by Jurgen2 Tuesday, October 9, 2012 12:31 PM
    Tuesday, October 9, 2012 12:28 PM
  • On the good management station the emctest user works fine.

    The bad management station is in another active directory site. What can I check to be sure nothing in that site is causing the issue?

    Thanks.

    JB

    Tuesday, October 9, 2012 12:37 PM
  • Anyone any idea what could be the problem I'm facing?

    Thanks.

    Best regards,

    JB

    Monday, October 15, 2012 11:03 AM
    Take a close look at your server's time sync settings, if the time is more than 5 seconds off you could be experiencing kerberos problems.

    Regards AZ

    Tuesday, October 16, 2012 7:08 AM
  • The issue for me was the Microsoft Exchange Information Store service stopped.

    Hope this helps someone.

    • Proposed as answer by bfuse Friday, October 19, 2012 3:12 PM
    • Unproposed as answer by Jurgen2 Wednesday, October 24, 2012 12:36 PM
    Friday, October 19, 2012 3:11 PM
  • I checked the time of the exchange servers and also of the dc's (w32tm /monitor) and this is ok.

    It must be something else.

    I also have an emc on another management station that is working without any problem.

    The emc that isn't working is in another site, another ip subnet. Could this be causing my problem.

    Thanks,

    JB


    • Edited by Jurgen2 Wednesday, October 24, 2012 12:40 PM
    Wednesday, October 24, 2012 12:38 PM
  • Also restarted the exchange servers but nothing.
    Wednesday, October 24, 2012 1:20 PM
  • Finally found the solution.

    There is a firewall between the emc and exchange server and this was cutting the connection by "microsoft ASP.Net information brute force attempt".

    • Marked as answer by Jurgen2 Tuesday, November 13, 2012 8:37 AM
    Tuesday, November 13, 2012 8:37 AM
  • How do you solve?
    Tuesday, November 20, 2012 1:38 PM
    Our networking team is still looking into it.

    I will post it the moment it is ok.

    Regards,

    JB

    Tuesday, November 20, 2012 1:44 PM
  • Solution:

       Go to the following folder and delete the Exchange Management Console file.

       C:\users\<specific user>\AppData\Roaming\Microsoft\MMC\Exchange Management Console

       Close EMC and reopen it.

    • Proposed as answer by Walter1981 Tuesday, January 6, 2015 3:06 PM
    Tuesday, November 20, 2012 1:47 PM
  • Finally we all worked out.

    First it was our palo alto firewall who didn't like the traffic and finally we also have a wan accelerator which compresses traffic over the wan link.

    When this compression was set off then all is ok.

    Finally.

    Hope this can help anyone with a kind of same setup.

    • Marked as answer by Jurgen2 Wednesday, November 21, 2012 8:17 AM
    Wednesday, November 21, 2012 8:17 AM
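
One way to record exactly when the connection starts failing, so the timestamps can be compared with the firewall's threat log or the test repeated after changing the WAN accelerator's compression setting. This is an added example, not part of the original thread; the server name, attempt count, interval and log path are placeholder assumptions.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible.
# All parameter defaults are placeholders chosen for illustration.
param(
    [string]$CasFqdn         = 'cas01.example.local',  # placeholder CAS FQDN
    [int]   $Attempts        = 20,
    [int]   $IntervalSeconds = 15,
    [string]$LogPath         = '.\emc-probe.csv'
)

$uri  = "http://$CasFqdn/PowerShell/"
$rows = @()

for ($i = 1; $i -le $Attempts; $i++) {
    $started = Get-Date
    $session = $null
    $status  = 'OK'
    $detail  = ''
    try {
        # Same endpoint and authentication scheme that the EMC error message names.
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
                                 -ConnectionUri $uri `
                                 -Authentication Kerberos `
                                 -ErrorAction Stop
        # One real cmdlet call, so a full request and response cross the firewall
        # and WAN accelerator, not just the session handshake.
        $null = Invoke-Command -Session $session -ErrorAction Stop `
                               -ScriptBlock { Get-ExchangeServer }
    }
    catch {
        $status = 'FAIL'
        $detail = ($_.Exception.Message -replace '\s+', ' ')
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }

    $rows += New-Object PSObject -Property @{
        Attempt    = $i
        StartedUtc = $started.ToUniversalTime().ToString('o')
        Seconds    = [math]::Round(((Get-Date) - $started).TotalSeconds, 2)
        Status     = $status
        Detail     = $detail
    }
    if ($i -lt $Attempts) { Start-Sleep -Seconds $IntervalSeconds }
}

# Fixed column order (hashtable order is not preserved on PowerShell 2.0).
$rows | Select-Object Attempt, StartedUtc, Seconds, Status, Detail |
    Export-Csv -Path $LogPath -NoTypeInformation

$firstFail = $rows | Where-Object { $_.Status -eq 'FAIL' } | Select-Object -First 1
if ($firstFail) {
    "First failure: attempt $($firstFail.Attempt) at $($firstFail.StartedUtc)"
} else {
    "All $Attempts attempts succeeded."
}
```

Running it from both the working and the failing management station gives two CSV files whose difference isolates the network path between the sites.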
  • make sure that you have your IIS Bindings for the default website to include http All Unassigned

    • Proposed as answer by Michael Baskin Wednesday, March 13, 2013 2:45 PM
    Wednesday, March 13, 2013 2:45 PM
  • Got a similar message on an SBS 2011 box. It told me that it had exceeded 213456454534 (or such) attempts in 60 seconds and that it would allow a retry in 145546677 milliseconds.

    I saw your suggestion to check the time zone. The clock in the notification area showed an unknown timezone when I clicked on change date and time settings. I clicked on Change time zone... and it showed the proper UTC -5:00 for Eastern Daylight time. I clicked OK and rechecked the EMC and it worked perfectly. Strange...


    MCP SBSC

    Tuesday, April 2, 2013 12:47 AM
  • This fixed it on our Admin Server  2008 (NON R2)  

    Tim Bolton

    Tuesday, December 31, 2013 5:15 PM
  • follow the link below....

    http://blogs.technet.com/b/whats_on_scotts_mind_today/archive/2012/12/07/exchange-2010-unable-to-open-exchange-management-console-initialization-failed.aspx


    NA

    Wednesday, February 12, 2014 2:57 PM
  • Hi All

    I realize this is quite an old thread, but I am posting this on all places I can find people having this issue

    I had this today on an SBS 2011 server. After various pulling of teeth trying to install updates on Exchange and reconfigure IIS it turns out that this post about the firewall was closest to the problem

    Antivirus

    The server had a desktop based antivirus Trend Micro that when disabled completely (services as well as in the AV itself) the Exchange Console magically just worked again!

    Wednesday, October 14, 2015 8:50 PM
  • This could be a local profile corruption issue:

    To conclude it:

    1. Create a user by name EmcTest.

    2. Make it a member of Organization Management, Enterprise admins, Domain Admins, Schema Admins, Built-in Administrators, Group policy Creator Owners.

    3. Run the command : Set-User EmcTest -RemotePowerShellEnabled:$True

    4. Log off and login with EmcTest and check if we still get the same error when accessing the EMC.

    5. If we are able to open EMC/EMS without any issues with EmcTest then it is most likely a profile corruption where you can remove the corrupted profile from the Management Workstation from Regedit:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    In case if you are going to remove or rename make sure to take a backup of the key(Folder) by exporting the Registry and rename the folder in the C:\User\CorruptedProfileUserFolder to .old and relogin back with the original account which we removed and it should create a new profile folder.


    Exchangeexperts.in ~ ( Exchange | 2003/2007/2010/E15(2013)) ~Mark this if Helpful My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.



    Great and Thanks for helping me to resolve my issue! the issue as below,

    initialization error using "kerberos" authentication failed, Access is denied. Sometimes, I can open EMC & EMS; but I fail to open EMC & EMS most of the time.

    after I deleted the user profile and login again. I can open emc & ems.

    Thanks Again.

    Wednesday, November 18, 2015 8:08 AM