Exchange 2013 resource forest deployment, auth error with imap/pop3 clients.

  • Question

  • Hello Everyone!

    We have an issue with pop/imap clients trying to authenticate.

    Users log on with credentials from Account Forest, security audit shows a successful logon and impersonation from process Microsoft.Exchange.Pop3.exe, but it fails to log in to the mailbox.

    The following warning appears in the event log:

    Log Name:      Application
    Source:        MSExchangePOP3
    Date:          22/01/2014 11:41:29
    Event ID:      2005
    Task Category: (1)
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      exchangeCAS
    Description:
    User user1@account.forest wasn't found in Active Directory.

    Protocol logs show the same warning.

    Seems that Microsoft.Exchange.Pop3.exe process is unable to determine the linked mailbox of the provided credentials.

    Wednesday, January 22, 2014 10:52 AM

Answers

  • I have found a workaround.

    When the login string is a UPN (like user@domain) then the LDAP query is like this:

    ((proxyAddresses=SMTP:user@domain) ( !  (msExchCU=*) )...

    In my example, the primary SMTP address of the user can't be user@resource.forest, so:

    1. Add a new suffix on the account forest, this suffix must be the domain you want as primary SMTP address.
    2. Validate the trust between the forests (must be a forest trust, not external)
    3. Enable UPN suffix routing on the resource forest.
    4. Change the UPN of the account.forest user to match the email address of his mailbox (on resource.forest).
    5. When logging in to Exchange with POP/IMAP/SMTP protocols, users must use the UPN (that matches his email address) of the account.forest.

    Hope this helps someone :)

    Friday, January 31, 2014 5:00 PM
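    As an added example (not Cristian's own steps and not code from the thread), the following PowerShell audit checks the conditions the workaround depends on: a forest trust to the account forest, the SMTP domain registered as a UPN suffix there, and each linked mailbox's master account carrying a UPN equal to the mailbox's primary SMTP address, with an optional -Fix switch to set the UPN. The host names and forest name are placeholders, and it assumes the Exchange Management Shell on a resource-forest server with the ActiveDirectory module installed.

```powershell
# Added example, not from the thread. Audits linked mailboxes in the resource forest and
# reports (optionally corrects) account-forest users whose UPN does not equal the
# mailbox's primary SMTP address, the condition the workaround above relies on.
# $AccountForestDC and $AccountForest are placeholders; adjust to your environment.
param(
    [string]$AccountForestDC = 'dc01.account.forest',   # placeholder: account forest DC
    [string]$AccountForest   = 'account.forest',        # placeholder: account forest name
    [switch]$Fix                                        # only change UPNs when requested
)
Import-Module ActiveDirectory

# Step 2 check: the trust to the account forest must be a forest trust, not external.
$trust = Get-ADTrust -Filter { Name -eq $AccountForest }
if (-not $trust -or -not $trust.ForestTransitive) {
    Write-Warning "Trust to $AccountForest is missing or not a forest trust; UPN suffix routing will not work."
}

# Step 1 check: UPN suffixes the account forest accepts (explicit suffixes plus its root domain).
$acctForest = Get-ADForest -Server $AccountForestDC
$suffixes   = @($acctForest.UPNSuffixes) + $acctForest.RootDomain

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited) {
    if (-not $mbx.LinkedMasterAccount) { continue }          # no master account linked yet
    $sam  = ($mbx.LinkedMasterAccount -split '\\')[-1]      # "ACCOUNT\user" -> "user"
    $smtp = $mbx.PrimarySmtpAddress.ToString()
    $user = Get-ADUser -Identity $sam -Server $AccountForestDC -Properties UserPrincipalName

    # Step 4 check: UPN in the account forest must equal the primary SMTP address (case-insensitive).
    $match    = $user.UserPrincipalName -ieq $smtp
    $suffixOk = $suffixes -contains ($smtp -split '@')[-1]

    if (-not $match -and $Fix -and $suffixOk) {
        # Only rewrite the UPN when its suffix is already registered in the account forest.
        Set-ADUser -Identity $user -Server $AccountForestDC -UserPrincipalName $smtp
        $match = $true
    }

    [pscustomobject]@{
        Mailbox          = $mbx.Alias
        PrimarySmtp      = $smtp
        AccountUpn       = $user.UserPrincipalName
        UpnMatchesSmtp   = $match
        SuffixRegistered = $suffixOk
    }
}
$report | Format-Table -AutoSize
```

    Run it without -Fix first to see which accounts would change; UPNs must stay unique in the account forest, so review the report before applying.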

All replies

  • Hi,

    Do you mean you cannot access an Exchange linked mailbox in Outlook by pop/imap connection?

    According to your posted warning log, it indicates that the user account user1@account.forest is not in Active Directory. Please check whether you can access this mailbox in OWA. If it fails, please run the following command to check the linked mailbox:

    Get-Mailbox "linked mailbox" | FL

    If there is any false message or Error logs, please collect them for further analysis.

    Thanks,


    Winnie Liang
    TechNet Community Support

    Friday, January 24, 2014 2:01 AM
  • Thanks for your answer.

    We can access this mailbox with any protocol but pop/imap.

    Anyway, I think that I found something. 
    In an isolated environment, with an Active Directory trace (Performance Monitor tool), these are the LDAP queries with some tests:

    Trying to log on with an account in the same forest as the mailbox:
    User string: resource.forest\administrator\userA_linkedMB
    LDAP Query: ( (mailNickname=userA_linkedMB) ( !(msExchCU=*) )  ....
    Success, as expected.

    Trying to log on with an account in the account forest:
    User string: account.forest\userA\userA_linkedMB
    LDAP Query: (  (sAMAccountName=userA) ( !  (msExchCU=*) ) ....
    First, in this case the query seems incorrect, I expect it filtering by mailNickname and with the third part of the logon string. Of course it fails because there isn't any user with this SAM in the resource forest.

    Same test, with resource.forest\userA, sAMAccountName = userA
    User string: account.forest\userA
    LDAP Query: (  (sAMAccountName=userA) ( !  (msExchCU=*) ) ....
    This query returns 1 matching user, but it seems that the pop3 process checks if it's from account.forest (it isn't of course, because the query is sent to the resource.forest DC) and fails.

    I'm not sure, but seems a bug in the POP3/IMAP login code.


    Saturday, January 25, 2014 10:54 AM
  • Cristian, Thank you for sharing!

    Had the same issue here, and matching UPN with primarySMTP worked immediately.

    ilantz

    Sunday, May 18, 2014 9:11 AM