Boswell's Q&A
Diagnosing Exchange Symptoms
KerbTray helped this reader figure out what was making his Exchange server sick.
- By Bill Boswell
- 05/25/2004
Bill: Our domain uses Windows 2000 Active Directory in
Native mode. We have Exchange 5.5 running on a Windows 2000 Server and
recently added an Enterprise Exchange 2003 server running on Windows Server
2003. The Windows Server 2003 server is
not a domain controller.
We're migrating mailboxes to Exchange 2003. Everything seems to be working
properly, except...when a user accesses an Exchange 2003 mailbox from
Outlook 2003, the user gets an error that says "Your Microsoft Exchange
Server is unavailable" with options to Retry, Work Offline or Cancel.
If the user clicks Retry, eventually the mailbox opens but works very
slowly. If I change the security settings in the client's Outlook settings
from "Kerberos/NTLM Password Authentication" to "NTLM Password
Authentication," it works properly. The user can access the mailbox
and everything works quickly.
OWA works fine. Accessing Exchange 2003 mailboxes using Outlook 2000
or Outlook XP works fine.
The client's Event Log has two errors:
- Event ID 40960: The Security System detected an attempted downgrade
attack for server exchangeRFR/exchange2k3.cramerdom.com
- Event ID 40961: The Security System could not establish a secured
connection with the server exchangeRFR/exchange2k3.cramerdom.com
If I log in as Administrator, I can open an Exchange 2003 mailbox using
Outlook 2003 and Kerberos security without any problem, and it opens quickly.
Do you know the solution?
—David
Get Help from Bill: Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column. When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)
Readers: I wasn't quite sure what was causing the symptoms
David described, so I asked him to believe his instrumentation and to
focus his detective work on finding out why an average user account would
insist that no logon server was available while an administrator account
could find a logon server with no problem.
Outlook 2003 is the only version of Outlook that uses Kerberos authentication
and, because Outlook 2003 worked fine in NTLM mode, it appeared to me
that the problem might center around the inability on the part of the
user to obtain a Kerberos session ticket to the Exchange server.
I asked David to get a copy of Kerbtray from the Windows 2000 (or Windows
Server 2003) Resource Kit. The Kerbtray utility puts a little green icon
in the Notification Area (used to be called the System Tray). If you click
the icon, a window opens that shows the Kerberos Ticket Granting Tickets
(TGT) and session tickets issued to the user.
If everything works correctly, an Outlook 2003 user should show a set
of Kerberos session tickets for Exchange services, including the Referral
(ExchangeRFR) service listed in the Event Log entry. Also, if you hold
the Ctrl key down and right-click the Outlook icon in the Notification
Area, you can open a Connection Status window that shows you the names of the
domain controller, the Global Catalog server, the Exchange mailbox server,
and the Exchange public folder server where the user connected.
I also asked David to make absolutely sure that DNS was configured correctly
at the client and at the Exchange 2003 server. A failure to find a suitable
SRV record will cause Kerberos errors. By using ipconfig /flushdns
to flush the DNS resolver cache, then launching Outlook, then viewing
the resolver cache with ipconfig /displaydns, it's possible that he
might find No Record Available errors where he would expect to find
SRV resource records.
Also, I asked David to see if the user belonged to a large number of
groups. If a user's group membership gets too large, the authorization data
in the Kerberos ticket (the PAC, which carries the user's group SIDs) grows
past the client's maximum UDP packet size. This forces Kerberos to use TCP,
and it would not be the first time that this shift to TCP-based Kerberos
transactions caused strange symptoms to appear.
While experimenting with these tips, David found the cause of the problem.
Apparently he had migrated the users' mailboxes from Exchange 5.5 to Exchange
Server 2003 using an account that did not have sufficient admin rights
in the Exchange organization. The account was able to create the e-mail
attributes in Active Directory and move the mailbox contents, but when
the user logged on with Kerberos rather than NTLM credentials, Exchange
refused to open the mailbox. I don't have a good explanation why an NTLM
logon worked, but when David moved the mailbox back to the Exchange 5.5
server then moved it again to the Exchange 2003 server using an account
with full Exchange Administrator permissions, an Outlook 2003 user was
able to access the mailbox using Kerberos authentication.
Hope this helps.
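The Kerbtray check Bill describes, done from the command line, as an added example that is not part of the column: list the tickets in the user's cache, request the Exchange referral (exchangeRFR) service ticket explicitly, and confirm the SPN is registered. It assumes klist.exe and setspn.exe are on the path (both are built into Windows Vista/Server 2008 and later; "klist get" needs that built-in klist, the Resource Kit version only lists). The SPN and host name are the ones from David's Event ID 40960/40961 entries.

```powershell
# Added example, not from the column: klist/setspn equivalent of the Kerbtray check.
# Assumes klist.exe and setspn.exe are available (Windows Vista/2008 or later).

function Get-KerberosTicketServers {
    # Each cached ticket prints a "Server: <spn> @ <REALM>" line; keep the SPN part.
    foreach ($line in (klist tickets)) {
        if ($line -match '^\s*Server:\s*(\S+)') { $Matches[1] }
    }
}

function Test-KerberosServiceTicket {
    param([Parameter(Mandatory=$true)][string]$ServicePrincipalName)
    $cached = @(Get-KerberosTicketServers)
    if ($cached -contains $ServicePrincipalName) {
        Write-Host "OK: session ticket for $ServicePrincipalName is cached"
        return $true
    }
    Write-Host "MISSING: no session ticket for $ServicePrincipalName. Cached tickets:"
    $cached | ForEach-Object { Write-Host "  $_" }
    return $false
}

# SPN taken from David's Event Log entries.
$spn = 'exchangeRFR/exchange2k3.cramerdom.com'

# 1. Without a TGT the user cannot get any session ticket, which means the
#    interactive logon itself did not use Kerberos (no KDC reachable, or NTLM fallback).
if (-not (@(Get-KerberosTicketServers) -like 'krbtgt/*')) {
    Write-Warning 'No TGT in the cache: this logon session is not using Kerberos at all.'
}

# 2. Request the referral ticket explicitly. Outlook 2003 does this itself at
#    startup; doing it by hand shows the KDC's error text without Outlook in the way.
klist get $spn

# 3. Re-check the cache, then confirm the SPN is registered on the Exchange
#    server's computer account. A missing or duplicate SPN is one common cause
#    of 40960/40961 events and takes seconds to rule out.
Test-KerberosServiceTicket -ServicePrincipalName $spn
setspn -L exchange2k3 | Select-String -Pattern 'exchangeRFR/'
```

Run it in the failing user's session, not as Administrator: the point of the comparison in David's case was that the two accounts behaved differently, so the ticket cache has to be the ordinary user's.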
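The DNS check Bill asked for (flush the cache, look for missing SRV records) as an added example that is not part of the column: it queries the SRV records the DC locator and the Kerberos client depend on directly, then runs the locator itself. It assumes Resolve-DnsName (DnsClient module, Windows 8/Server 2012 and later) and nltest.exe; on a Windows 2000/XP client "nslookup -type=SRV <name>" does the same lookups. cramerdom.com is the domain from David's Event Log entries, and the forest root is assumed to be that same domain.

```powershell
# Added example, not from the column: check DC/KDC/GC SRV records from the client.
# Assumes Resolve-DnsName and nltest.exe; cramerdom.com is from David's Event Log.

$domain = 'cramerdom.com'
$forest = $domain   # assumption: single-domain forest

# KDC and LDAP records for the domain, plus Global Catalog records for the forest
# (Outlook needs a GC for the address book; the RFR service refers it to one).
$srvNames = @(
    "_kerberos._tcp.dc._msdcs.$domain",
    "_kerberos._udp.$domain",
    "_ldap._tcp.dc._msdcs.$domain",
    "_gc._tcp.$forest",
    "_ldap._tcp.gc._msdcs.$forest"
)

function Show-DcSrvRecords {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # -DnsOnly skips the resolver cache and the hosts file, so a stale negative
        # cache entry (what "ipconfig /displaydns" would show) cannot mask a working record.
        $records = @(Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'SRV' })
        if ($records.Count -eq 0) {
            Write-Warning "NO RECORD: $name (clients cannot locate a KDC/DC/GC through this name)"
            continue
        }
        foreach ($r in $records) {
            # The SRV target must itself resolve, or the locator discards it.
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue
            $state = if ($a) { 'ok' } else { 'TARGET DOES NOT RESOLVE' }
            '{0,-42} -> {1}:{2} [{3}]' -f $name, $r.NameTarget, $r.Port, $state
        }
    }
}

Show-DcSrvRecords -Names $srvNames

# End to end: make the locator pick a KDC and a GC the way the Kerberos client
# and Outlook will. /FORCE bypasses the locator's own cache, the nltest
# counterpart of running "ipconfig /flushdns" before the test.
nltest /dsgetdc:$domain /KDC /FORCE
nltest /dsgetdc:$forest /GC /FORCE
```

If the SRV queries succeed here but "ipconfig /displaydns" still shows negative entries after Outlook starts, the client is resolving against a different DNS server than the one you tested, which is the DNS misconfiguration Bill wanted ruled out.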
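The group-membership check, as an added example that is not part of the column: estimate how much authorization data (the PAC holding the user's group SIDs) a user's ticket carries and compare it with the client's MaxPacketSize, the size above which the Windows Kerberos client switches from UDP to TCP. The estimate is the formula from Microsoft KB 327825, TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and sIDHistory entries, and s counts global groups and same-domain universal groups. Assumptions: plain ADSI (no ActiveDirectory module), run from a domain-joined client, the logon name 'david' is a stand-in, and 2000 bytes is the default MaxPacketSize when the registry value is absent (the Windows 2000/XP default; later versions lowered it or try TCP first, so read the value on the actual client).

```powershell
# Added example, not from the column: estimate Kerberos PAC size versus MaxPacketSize.
# Assumes ADSI on a domain-joined client; 'david' is a stand-in logon name.

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "User '$SamAccountName' not found in the current domain" }

    # tokenGroups is computed by the DC: every security group the user is in, nesting resolved.
    $user = $hit.GetDirectoryEntry()
    $user.psbase.RefreshCache(@('tokenGroups', 'sIDHistory', 'objectSid'))
    $userSid    = New-Object System.Security.Principal.SecurityIdentifier($user.psbase.Properties['objectSid'].Value, 0)
    $homeDomain = $userSid.AccountDomainSid.Value

    $d = 0; $s = 0
    foreach ($raw in $user.psbase.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        # Resolve the group by SID to read groupType (0x4 = domain local, 0x8 = universal).
        # Well-known SIDs such as Everyone have no AD object; count them at the larger size.
        $type = 0
        try { $type = [int]([ADSI]"LDAP://<SID=$($sid.Value)>").psbase.Properties['groupType'].Value } catch { $type = 0 }
        $domainLocal      = ($type -band 0x4) -ne 0
        $foreignUniversal = (($type -band 0x8) -ne 0) -and ($sid.AccountDomainSid.Value -ne $homeDomain)
        if ($type -eq 0 -or $domainLocal -or $foreignUniversal) { $d++ } else { $s++ }
    }
    $d += $user.psbase.Properties['sIDHistory'].Count

    [pscustomobject]@{
        User                = $SamAccountName
        GroupsAt40Bytes     = $d
        GroupsAt8Bytes      = $s
        EstimatedTokenBytes = 1200 + 40 * $d + 8 * $s   # KB 327825 formula
    }
}

function Get-KerberosMaxPacketSize {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    if ($null -ne $v) { [int]$v } else { 2000 }   # 2000 assumed as the default when the value is not set
}

$estimate = Get-EstimatedTokenSize -SamAccountName 'david'
$limit    = Get-KerberosMaxPacketSize
$estimate
if ($estimate.EstimatedTokenBytes -gt $limit) {
    $msg = 'Estimated ticket authorization data {0} B exceeds MaxPacketSize {1} B: Kerberos will use TCP for this user (and fail if TCP 88 to the KDC is blocked).' -f $estimate.EstimatedTokenBytes, $limit
    Write-Warning $msg
}
```

Compare the numbers for the ordinary user and for Administrator: if only the user's estimate crosses the limit, the TCP shift Bill mentions is in play for that account alone, which matches the symptom of one account working and the other not.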
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.