MSexchangeFrontEndTransport error

    Question

  • Best Technicians,

    I'm encountering the same error over and over again.
    I don't have the required knowledge about Exchange to troubleshoot it, I'm still learning.

    Anyway I'm getting an error 1035 MSexchangeFrontEndTransport in my event viewer hourly, if not more frequent.

    Inbound authentication failed with error LogonDenied for Receive connector Client Frontend XXXXXX. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [127.0.0.1].

    Is the server trying to authenticate with itself and failing?
    I'm sensing it must be some security account with wrong access rights?

    Does anyone have any idea about where to start troubleshooting/fixing the issue?
    Any help would be greatly appreciated!

    Cheers,

    Monday, March 20, 2017 9:46 AM

All replies

  • You can turn up SMTP protocol logging:

    Set-ReceiveConnector -Identity "SERVER\Connector Name" -ProtocolLoggingLevel Verbose
    and then examine the logs to see what's connecting at that time.  If your network preserves the source IP address, you'll get that at least.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, March 20, 2017 10:43 PM
    Moderator
  • Verbose logging gladly was already enabled. Here's the part where it happens. I have only checked it for 1 event from this morning though.

    2017-03-21T07:15:18.233Z,XXXXX\Client Frontend XXXXX,XXXXX,0,127.0.0.1:587,127.0.0.1:27096,+,,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,1,127.0.0.1:587,127.0.0.1:27096,*,None,Set Session Permissions
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,2,127.0.0.1:587,127.0.0.1:27096,>,"220 mail.XXXXX.com Microsoft ESMTP MAIL Service ready at Tue, 21 Mar 2017 08:15:17 +0100",
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,3,127.0.0.1:587,127.0.0.1:27096,<,EHLO SmtpClientSubmissionProbe,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,4,127.0.0.1:587,127.0.0.1:27096,*,None,Set Session Permissions
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,5,127.0.0.1:587,127.0.0.1:27096,>,250-mail.XXXXX.com Hello [127.0.0.1],
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,6,127.0.0.1:587,127.0.0.1:27096,>,250-SIZE 36700160,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,7,127.0.0.1:587,127.0.0.1:27096,>,250-PIPELINING,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,8,127.0.0.1:587,127.0.0.1:27096,>,250-DSN,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,9,127.0.0.1:587,127.0.0.1:27096,>,250-ENHANCEDSTATUSCODES,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,10,127.0.0.1:587,127.0.0.1:27096,>,250-STARTTLS,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,11,127.0.0.1:587,127.0.0.1:27096,>,250-AUTH GSSAPI NTLM,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,12,127.0.0.1:587,127.0.0.1:27096,>,250-8BITMIME,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,13,127.0.0.1:587,127.0.0.1:27096,>,250-BINARYMIME,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,14,127.0.0.1:587,127.0.0.1:27096,>,250 CHUNKING,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,15,127.0.0.1:587,127.0.0.1:27096,<,STARTTLS,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,16,127.0.0.1:587,127.0.0.1:27096,>,220 2.0.0 SMTP server ready,
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,17,127.0.0.1:587,127.0.0.1:27096,*,,Sending certificate
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,18,127.0.0.1:587,127.0.0.1:27096,*,"CN=mail.XXXXX.com, OU=Unified Communications, OU=XXXXX, O=XXXXX, STREET=XXXXX, L=XXXXX, S=XXXXX, PostalCode=XXXXX, C=XXXXX",Certificate subject
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,19,127.0.0.1:587,127.0.0.1:27096,*,"CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",Certificate issuer name
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,20,127.0.0.1:587,127.0.0.1:27096,*,XXXXX,Certificate serial number
    2017-03-21T07:15:18.234Z,XXXXX\Client Frontend XXXXX,XXXXX,21,127.0.0.1:587,127.0.0.1:27096,*,XXXXX,Certificate thumbprint
    2017-03-21T07:15:18.235Z,XXXXX\Client Frontend XXXXX,XXXXX,22,127.0.0.1:587,127.0.0.1:27096,*,mail.XXXXX.com;autodiscover.XXXXX.com,Certificate alternate names
    2017-03-21T07:15:18.236Z,XXXXX\Client Frontend XXXXX,XXXXX,23,127.0.0.1:587,127.0.0.1:27096,*,,"TLS protocol SP_PROT_TLS1_0_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,24,127.0.0.1:587,127.0.0.1:27096,<,EHLO SmtpClientSubmissionProbe,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,25,127.0.0.1:587,127.0.0.1:27096,*,,Client certificate chain validation status: 'EmptyCertificate'
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,26,127.0.0.1:587,127.0.0.1:27096,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,27,127.0.0.1:587,127.0.0.1:27096,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,28,127.0.0.1:587,127.0.0.1:27096,*,None,Set Session Permissions
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,29,127.0.0.1:587,127.0.0.1:27096,>,250-mail.XXXXX.com Hello [127.0.0.1],
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,30,127.0.0.1:587,127.0.0.1:27096,>,250-SIZE 36700160,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,31,127.0.0.1:587,127.0.0.1:27096,>,250-PIPELINING,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,32,127.0.0.1:587,127.0.0.1:27096,>,250-DSN,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,33,127.0.0.1:587,127.0.0.1:27096,>,250-ENHANCEDSTATUSCODES,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,34,127.0.0.1:587,127.0.0.1:27096,>,250-AUTH GSSAPI NTLM LOGIN,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,35,127.0.0.1:587,127.0.0.1:27096,>,250-8BITMIME,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,36,127.0.0.1:587,127.0.0.1:27096,>,250-BINARYMIME,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,37,127.0.0.1:587,127.0.0.1:27096,>,250 CHUNKING,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,38,127.0.0.1:587,127.0.0.1:27096,<,AUTH LOGIN,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,39,127.0.0.1:587,127.0.0.1:27096,>,334 <authentication response>,
    2017-03-21T07:15:18.237Z,XXXXX\Client Frontend XXXXX,XXXXX,40,127.0.0.1:587,127.0.0.1:27096,>,334 <authentication response>,
    2017-03-21T07:15:18.240Z,XXXXX\Client Frontend XXXXX,XXXXX,41,127.0.0.1:587,127.0.0.1:27096,*,,Inbound AUTH LOGIN failed because of LogonDenied
    2017-03-21T07:15:18.240Z,XXXXX\Client Frontend XXXXX,XXXXX,42,127.0.0.1:587,127.0.0.1:27096,*,,User Name: HealthMailboxXXXXX@XXXXX.com
    2017-03-21T07:15:18.240Z,XXXXX\Client Frontend XXXXX,XXXXX,43,127.0.0.1:587,127.0.0.1:27096,*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
    2017-03-21T07:15:23.241Z,XXXXX\Client Frontend XXXXX,XXXXX,44,127.0.0.1:587,127.0.0.1:27096,>,535 5.7.3 Authentication unsuccessful,
    2017-03-21T07:15:23.241Z,XXXXX\Client Frontend XXXXX,XXXXX,45,127.0.0.1:587,127.0.0.1:27096,<,QUIT,
    2017-03-21T07:15:23.241Z,XXXXX\Client Frontend XXXXX,XXXXX,46,127.0.0.1:587,127.0.0.1:27096,>,221 2.0.0 Service closing transmission channel,
    2017-03-21T07:15:23.241Z,XXXXX\Client Frontend XXXXX,XXXXX,47,127.0.0.1:587,127.0.0.1:27096,-,,Local
    2017-03-21T07:15:23.899Z,,XXXXX,0,127.0.0.1:25,127.0.0.1:27107,+,,
    2017-03-21T07:15:23.899Z,,XXXXX,1,127.0.0.1:25,127.0.0.1:27107,>,421 4.3.2 Service not available,
    2017-03-21T07:15:23.899Z,,XXXXX,2,127.0.0.1:25,127.0.0.1:27107,-,,Local

    I checked the healthmailbox and it's healthmailbox-XXXXXX-001.
    I have no idea what's happening other than that it's trying to authenticate but failing.
    Logon denied, but what is it trying to log in to?

    Tuesday, March 21, 2017 8:26 AM
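
The question of what is connecting and failing can be answered per session from the receive protocol log posted above. The following PowerShell is an added example, not part of the original thread: it groups log lines by session and separates loopback failures that look like the one posted here (EHLO SmtpClientSubmissionProbe, a HealthMailbox user) from failed logons that deserve review. The function name Get-SmtpAuthFailure, the sample lines and the 'HealthProbe' rule are assumptions of this example.

```powershell
function Get-SmtpAuthFailure {
    param([string[]]$Line)
    # Column order taken from the "#Fields:" header of the SMTP receive protocol log.
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $rows = $Line | Where-Object { $_ -and $_ -notmatch '^#' } |
            ConvertFrom-Csv -Header $fields
    foreach ($session in ($rows | Group-Object -Property 'session-id')) {
        $ehlo = $null; $mech = $null; $reason = $null; $user = $null
        foreach ($r in $session.Group) {
            if ($r.event -eq '<' -and $r.data -match '^EHLO\s+(\S+)') { $ehlo = $Matches[1] }
            if ($r.context -match '^Inbound AUTH (\S+) failed because of (\S+)') {
                $mech = $Matches[1]; $reason = $Matches[2]
            }
            if ($r.context -match '^User Name: (.+)$') { $user = $Matches[1] }
        }
        if (-not $reason) { continue }   # this session had no failed AUTH
        $first    = $session.Group[0]
        $clientIp = $first.'remote-endpoint' -replace ':\d+$'   # strip the client port
        $loopback = $clientIp -in '127.0.0.1', '[::1]'
        [pscustomobject]@{
            Time      = $first.'date-time'
            ClientIp  = $clientIp
            Ehlo      = $ehlo
            Mechanism = $mech
            Reason    = $reason
            User      = $user
            # Assumed rule: loopback + probe EHLO + HealthMailbox user = internal health probe.
            Source    = if ($loopback -and $ehlo -eq 'SmtpClientSubmissionProbe' -and
                            $user -like 'HealthMailbox*') { 'HealthProbe' } else { 'Review' }
        }
    }
}

# Constructed sample: host names, session IDs and the whole second session are made up.
$sample = @'
2017-03-21T07:15:18.234Z,EX01\Client Frontend EX01,08D4700000000001,3,127.0.0.1:587,127.0.0.1:27096,<,EHLO SmtpClientSubmissionProbe,
2017-03-21T07:15:18.237Z,EX01\Client Frontend EX01,08D4700000000001,38,127.0.0.1:587,127.0.0.1:27096,<,AUTH LOGIN,
2017-03-21T07:15:18.240Z,EX01\Client Frontend EX01,08D4700000000001,41,127.0.0.1:587,127.0.0.1:27096,*,,Inbound AUTH LOGIN failed because of LogonDenied
2017-03-21T07:15:18.240Z,EX01\Client Frontend EX01,08D4700000000001,42,127.0.0.1:587,127.0.0.1:27096,*,,User Name: HealthMailbox0123abc@example.com
2017-03-21T07:20:02.100Z,EX01\Client Frontend EX01,08D4700000000002,3,192.0.2.10:587,203.0.113.7:50211,<,EHLO laptop,
2017-03-21T07:20:02.400Z,EX01\Client Frontend EX01,08D4700000000002,41,192.0.2.10:587,203.0.113.7:50211,*,,Inbound AUTH LOGIN failed because of LogonDenied
2017-03-21T07:20:02.400Z,EX01\Client Frontend EX01,08D4700000000002,42,192.0.2.10:587,203.0.113.7:50211,*,,User Name: alice@example.com
'@ -split '\r?\n'

Get-SmtpAuthFailure -Line $sample | Format-Table Time, ClientIp, Ehlo, User, Reason, Source
```

On a real log, pass the file's lines with Get-Content; grouping relies on the session-id column, which is redacted to a single value in the log posted in this thread.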
  • Hi XGKATRJL,

    First, please ensure that the time on the Exchange server is the same as on the DC.

    Then, check if the healthmailbox UPN domain is the same as your default domain:

    Get-Mailbox -Monitoring "Healthmailbox-xxxxx-001"| fl displayname,UserPrincipalName,PrimarySmtpAddress 

    If not the same, run the following command to change it and check again:

    Set-Mailbox -Identity HealthMailbox******@yourdomain.com -UserPrincipalName HealthMailbox******@yourdomain.com

    Best Regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 21, 2017 10:24 AM
    Moderator
  • Hello,

    Thanks for your response. As far as I can see, it is a .local principal name and a .com SMTP address.
    I also checked the correctly working mailboxes and saw that they are all .local and none are .com.

    Is it safe to change the SMTP address to .local so they match?
    Or should I instead change the principal name to .com?
    Our FQDN ends in .local, yet our Exchange addresses are .com?

    In the Exchange ECP I can see that every single mailbox has a .com and a .local address.

    PS: Time on the DC and Exchange is the same because they are both installed on the same physical server. (Server 2012 R2 & Exchange 2013)

    Tuesday, March 21, 2017 2:21 PM
  • Hi XGKATRJL,

    It's recommended to change the SMTP address to .local and check again.

    Best Regards,


    Niko Cheng
    TechNet Community Support



    Wednesday, March 22, 2017 4:34 AM
    Moderator
  • I changed the SMTP address to .local and errors are still showing up in the server event log.
    In about an hour, when it has been logged, I will inspect the culprit and edit my post.

    (Or do I have to restart the Microsoft Exchange Frontend Transport service for this change to get through?)

    ________________________________________________________________________________

    EDIT:

    I checked the SMTP logs and it still shows up with errors authenticating from 127.0.0.1 from healthmailbox[id]@domain.COM and not .local.

    I'm guessing the change didn't get through yet, so I just restarted the Microsoft Exchange Frontend Transport service. I hope the change will get through now.

    • Edited by XGKATRJL Wednesday, March 22, 2017 3:04 PM Extra Information
    Wednesday, March 22, 2017 1:38 PM
  • 2017-03-23T06:31:01.757Z,XXXXXX\Client Frontend XXXXXX,XXXXXX,42,127.0.0.1:587,127.0.0.1:58386,*,,User Name: HealthMailboxXXXXXX@XXXXXX.com

    2017-03-23T06:31:01.757Z,XXXXXX\Client Frontend XXXXXX,XXXXXX,43,127.0.0.1:587,127.0.0.1:58386,*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',

    Inbound authentication failed with error LogonDenied for Receive connector Client Frontend XXXXXX. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [127.0.0.1]

    Still the same error over and over again.

    _________________________________________________________________________

    Just noticed Exchange has a health manager service, restarted it also.

    Hope for the changes to get through.

    EDIT:

    Still errors.


    • Edited by XGKATRJL Thursday, March 23, 2017 3:11 PM tested restart service
    Thursday, March 23, 2017 7:33 AM
  • Hi XGKATRJL,

    Please also refer to the following similar thread and check if anything there helps:

    Event 1035 Logon Denied every 15 minutes

    Best Regards,


    Niko Cheng
    TechNet Community Support



    Wednesday, March 29, 2017 2:50 AM
    Moderator
  • I haven't tried deleting the healthmailbox yet.

    I'm afraid I'll do something wrong.
    If I got it clear, I have to:

    - disable the mailbox naming policy
    - delete the healthmailbox from ADUC
    - restart the server and it will automatically detect if it's missing and it will recreate it?

    I just want to make sure our mail server will be down if it fails.

    • Edited by XGKATRJL Wednesday, April 12, 2017 6:09 PM
    Wednesday, April 12, 2017 6:06 PM