dc rejecting ntlmssp challenge outlook unable to find exchange server

  • Question

  • we have a 2003 domain; exchange 2003 sp2 running; outlook 2007 clients; 2008 domain controllers; xppro sp2 clients.  for several years now periodically outlook clients will not be able to find the exchange server. the number of clients having this problem is random in a domain of 4500 pcs; can be upwards of 100 out of the 4500; from the pc dns & wins resolution is fine; ad replication is fine; pinging & browsing from pc to exchange server is fine.

     a trace with wireshark monitoring traffic from pc to exchange server shows an error from a specific domain controller. shutting down this domain controller allows the clients to connect to the exchange server fine. exchange is configured to automatically set up directory access when this occurs.

     I manually changed directory access removing the offending domain controller from the exchange server directory list === did not fix the problem.  set directory access on exchange server back to automatic configuration.

    demoting the offending dc, removing from domain, changing name to new name, adding back to domain, promoting to dc again === did not solve the problem. outlook clients still tried to connect to same dc with new name and same error in trace.

    error in trace ===
    dcerpc bind_ack: call_id:1, NTLMSSP_CHALLENGE PROVIDER rejection, reason: abstract syntax not supported.

    in the packet information from this error appears the fqdn name of the domain controller. shutting down dc and/or demoting causes outlook clients to function again.
    dcs are vms running in blade array on esx hosts; this problem did occur on physical dcs also. I have not been able to find out what is happening that is causing the dc to reject these requests; a reimage of the pc OS will fix the problem also.  however reimaging 100 pcs every time this happens is not a reasonable course of action.


    Brian P Collins
    Thursday, August 11, 2011 1:46 PM

All replies

  • Hi

    1. Please check the DST setting of client and GC. If they are different, you will meet "NTLMSSP_CHALLENGE Provider rejection, reason: Abstract syntax not supported"

    2. If outlook 2007 repeatedly requires account and password, you can read this KB. http://support.microsoft.com/kb/927612

    3. We added the registry key on the client machine to point Outlook to a specific domain controller.

       HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider

       Value name: DS Server

       Data type: REG_SZ (string)

       Value data: FQDN of the global catalog server

    4. Did you try to create a new profile of outlook 2007? http://support.microsoft.com/kb/829918
    Friday, August 12, 2011 6:33 AM
  • terence,

    thanks for the reply.

    for number 1: what do you mean by dst?  the error shows up on the xp pc in a wireshark packet going to email server, so problem is between pc and dc?  or between exchange server and dc?

    for number 2: outlook just gives error message can not connect to exchange server

    for number 3:  great tip, I will look into it. thanks.

    for number 4:  I was not able to add a new profile as the pc would stop at can not find exchange server

    thanks again for your time.  this has been a problem now at least 4 times, where the only solution has been to run wireshark, look at packets for offending dc, and then kill the dc.

    thanks Brian


    Brian P Collins
    Friday, August 12, 2011 2:12 PM
  • DST is Daylight Saving Time, I believe

     


    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
    Friday, August 12, 2011 11:35 PM
  • thanks for the clarification.  I will be investigating the dst question. there is the possibility the dst patch is not up to date.  also am learning about ds server settings, and how mapi profiles work and where they are stored in the registry. the info shared is at least something to look at.  problem is over now, as i have killed the offending dc.  however I do not want to stop chasing this one as it has happened 4 times now and I suspect is lurking again.  looking into what you have suggested may shed some light.  thanks for your time and comments.
    Brian P Collins
    Sunday, August 14, 2011 5:09 AM
  • Hi
      Do you have anything to update your thread?
    Friday, August 19, 2011 7:36 AM
  • not at this time.  problem has not occurred again.  i am keeping this post for when it does. hoping some of the things suggested might shed some light.

    I appreciate everyone's time, info and insight and this forum.

    will update post in the future if/when the event occurs again.


    Brian P Collins
    Friday, September 9, 2011 12:46 PM
  • update:

    over the weekend I patched all our servers to prevent recent Microsoft RDP security exploit

    restarted the servers

    today it happened again.

    dc would not respond correctly to outlook client on xp pro pc.

    ran wireshark, found same problem as before listed above

    further expansion of the packet that contained the error showed the following:

    unknown type: 0x0007

    target item type:  Client Time (0x0007)

    Target item length: 8

    target item Content: ????

    this was a conversation from pc to offending domain controller

    i did some research on techs having problems with outlook 2007 connecting to exchange 2003:

    found one talking about changing security settings on client to ntlm instead of negotiation --- did this no help same error

    ran daylight savings fix on xp pro & restarted === no help same error

    started and stopped time service on xp pro pc and dc and checked event logs to verify == no help

    compared time on xp pro pc and dc == were off by seconds, which was basically the time it took me to refresh screen

    soooooo...

    since this continued on at least 12 to 24 pcs throughout the entire school district

    did the only thing I could find to make it work for my clients:

    demoted problem dc and removed completely from domain and destroyed it.

    not the real answer, but at least it allowed outlook to work.

    the last time this happened was when I started this thread


    Brian P Collins

    Tuesday, March 20, 2012 12:13 AM
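
The trace triage described in this thread (finding which domain controller answers Outlook's DCERPC bind with a provider rejection) can be done over an exported capture instead of by eye. The following is an added example, not part of any poster's message; it assumes a Wireshark CSV packet export with the default columns, and the sample rows, addresses and the "accept" Info text are constructed, with the rejection wording modelled on the error line quoted in the thread.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the layout of a Wireshark CSV packet export.
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","192.0.2.50","192.0.2.10","DCERPC","214","Bind: call_id: 1, NTLMSSP_NEGOTIATE"
"2","0.002","192.0.2.10","192.0.2.50","DCERPC","330","Bind_ack: call_id: 1, NTLMSSP_CHALLENGE Provider rejection, reason: Abstract syntax not supported"
"3","0.410","192.0.2.51","192.0.2.10","DCERPC","214","Bind: call_id: 1, NTLMSSP_NEGOTIATE"
"4","0.412","192.0.2.10","192.0.2.51","DCERPC","330","Bind_ack: call_id: 1, NTLMSSP_CHALLENGE Provider rejection, reason: Abstract syntax not supported"
"5","0.900","192.0.2.52","192.0.2.11","DCERPC","214","Bind: call_id: 1, NTLMSSP_NEGOTIATE"
"6","0.903","192.0.2.11","192.0.2.52","DCERPC","330","Bind_ack: call_id: 1, NTLMSSP_CHALLENGE accept max_xmit: 5840 max_recv: 5840"
'''

# Matches a bind_ack whose Info text reports a provider rejection and
# captures the stated reason when one follows.
REJECT = re.compile(
    r"bind_ack:.*provider rejection(?:,\s*reason:\s*(?P<reason>.+))?", re.I)


def rejecting_servers(csv_text):
    """Return {server: {"clients": set, "reasons": set, "count": int}}."""
    hits = defaultdict(lambda: {"clients": set(), "reasons": set(), "count": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = REJECT.search(row.get("Info", ""))
        if not m:
            continue
        entry = hits[row["Source"]]  # a bind_ack is sent by the server side
        entry["clients"].add(row["Destination"])
        entry["reasons"].add((m.group("reason") or "unspecified").strip().lower())
        entry["count"] += 1
    return dict(hits)


def report(hits):
    """One summary line per rejecting server, busiest first."""
    ordered = sorted(hits.items(), key=lambda kv: -kv[1]["count"])
    return [f"{srv}: {e['count']} rejected binds from {len(e['clients'])} "
            f"client(s); reasons: {', '.join(sorted(e['reasons']))}"
            for srv, e in ordered]


if __name__ == "__main__":
    print("\n".join(report(rejecting_servers(SAMPLE_CSV))))
```

Running it against captures from several affected PCs shows whether every rejection comes from the same server and which clients it is turning away.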