Friday, July 29, 2011

Send connector Intra-Organization SMTP Send Connector has failed to authenticate with your remote server IP:25. The response from the remote site is 454 4.7.0 Temporary authentication failure

In a Microsoft Exchange Server 2007 environment or in a Microsoft Exchange Server 2010 environment, some e-mail messages are stuck in a remote delivery queue that should have been transferred to another Exchange server in the Exchange organization. If you open the Queue Viewer tool from the Toolbox node on the Exchange Management Console, the Last Error field displays an error message that resembles the following:
 
Send connector Intra-Organization SMTP Send Connector has failed to authenticate with 172.18.102.95:25. The response from the remote site is 454 4.7.0 Temporary authentication failure
 
Event ID: 1035 is logged when some e-mail messages are stuck in a remote delivery queue in a Microsoft Exchange Server 2007 environment or in a Microsoft Exchange Server 2010 environment.
 
Cause: This issue occurs if the Exchange server cannot authenticate with the remote Exchange server. Exchange servers require authentication to route internal user messages between servers. The issue can be caused by one of the following reasons:
  • The Exchange server is experiencing time synchronization issues.
  • The Exchange server is experiencing Service Principal Name (SPN) issues.
  • The required TCP/UDP ports for the Kerberos protocol are blocked by the firewall.
To resolve this issue, follow these steps:
  1. Check the clock on both servers and domain controllers that might be used to authenticate the servers. All clocks should be synchronized to within 5 minutes of one another.
  2. Verify that the Service Principal Name (SPN) for SMTPSVC is registered correctly on the target server.
    • Make sure that the SMTP and SMTPSVC entries are added correctly to the machine account by using the SetSPN tool. For example:
      SetSPN -L <ExchangeServerName>
      SMTP/<ExchangeServerName>
      SMTP/<ExchangeServerName>.example.com
      SMTPSVC/<ExchangeServerName>
      SMTPSVC/<ExchangeServerName>.example.com
    • Check for duplicate SPNs by using the SetSPN tool. There should only be one entry of each:
      SetSPN -x
      Processing entry 0
      found 0 group of duplicate SPNs.
  3. Verify that the ports required for Kerberos are enabled.
  4. If the previous steps do not work, you can turn on logging for Kerberos on the server that is registering the Event 1035 message, which may provide additional information. To do this, follow these steps:
    1. Click Start, click Run, type Regedit, and then click OK.
    2. Locate the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. In the details pane, input the new value LogLevel, and then press Enter.
    5. Right-click LogLevel, and then click Modify.
    6. In the Edit DWORD Value dialog box, under Base, click Decimal.
    7. In the Value data box, type the value 1, and then click OK.
    8. Close Registry Editor.
    9. Again check the System Event log for any Kerberos errors.
Please note: Make sure the clocks on all Exchange servers and all DCs are synchronized to within 5 minutes of one another.
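
The checks from steps 1 to 4, collected into one PowerShell script as an added example (not from the original post or from Microsoft), meant to be run from the Exchange server that logs Event 1035. The names `EXCH01` and `DC01.example.com` and the `-EnableKerberosLogging` switch are hypothetical placeholders; TCP port 88 is the standard Kerberos port.

```powershell
# Added example: EXCH01, DC01.example.com and -EnableKerberosLogging are hypothetical.
param(
    [string]$ExchangeServer   = 'EXCH01',             # target server named in the Last Error field
    [string]$DomainController = 'DC01.example.com',   # DC used to authenticate the servers
    [switch]$EnableKerberosLogging                    # step 4: only set LogLevel when asked
)

# Step 1: clock offset against the DC; the steps above require less than 5 minutes.
$sample = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly |
    Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($sample) {
    $offset = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
    if ($offset -ge 300) { Write-Warning "Clock skew is $offset s (limit 300 s)" }
    else { "Clock skew OK: $offset s" }
} else { Write-Warning "No time sample returned by $DomainController" }

# Step 2: both SMTP/ and SMTPSVC/ SPNs must exist on the target machine account.
$spns = setspn -L $ExchangeServer
foreach ($prefix in 'SMTP/', 'SMTPSVC/') {
    if (-not ($spns | Where-Object { $_.Trim() -like "$prefix*" })) {
        Write-Warning "No $prefix SPN registered on $ExchangeServer"
    }
}
# Duplicate check: the healthy result is "found 0 group of duplicate SPNs."
$dup = setspn -X
if (-not ($dup -match 'found 0 group')) { Write-Warning 'Duplicate SPNs reported:'; $dup }

# Step 3: Kerberos over TCP 88 to the DC (UDP 88 cannot be probed with a simple connect).
$client = New-Object System.Net.Sockets.TcpClient
try { $client.Connect($DomainController, 88); "TCP 88 reachable on $DomainController" }
catch { Write-Warning "TCP 88 blocked or unreachable on $DomainController" }
finally { $client.Close() }

# Step 4: LogLevel = 1 (DWORD) under the Kerberos Parameters key.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if ($EnableKerberosLogging) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null
    "Kerberos logging enabled; reproduce the delivery failure, then review the events below."
}

# Step 4.9: recent Kerberos errors in the System event log.
Get-EventLog -LogName System -EntryType Error -Newest 200 |
    Where-Object { $_.Source -like '*Kerberos*' } |
    Select-Object TimeGenerated, Source, EventID, Message
```

Once the cause is found, remove the `LogLevel` value again so the System log is not filled with routine Kerberos events.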
 