My mailboxes are failing Authentication, despite OWA Authentication and mailflow working.
Have tried many many things from all relevant forums I could find... (see more info at end)
From what I can tell, the mailbox exists and the details are correct, but some service or other isn't looking where it should for the users in order to Authenticate.
Note that this is a Hosted Exchange setup, but I don't believe the problem is specifically linked to that. I have set up several Hosted lab environments where it worked fine. Difference being this is now the production server and all the roles are split up.
Another note: I am having another issue with DAG creation where it gives an Access Denied for creating the Witness Folder despite all the permissions/memberships being 100%. Maybe the problem there is the same one causing this issue. I am also worried it might be affecting more things that I don't see yet.
(The environment is managed only via EMS)
______________________________________________________________________
Servers:
2x DC
1x CA
1x HT (internet facing)
2x MB (not in DAG)
______________________________________________________________________
[PS] C:\Windows\system32>Get-ImapSettings |fl
RunspaceId : 371ec7c4-46b4-4977-a978-b43587ceaa75
ProtocolName : IMAP4
Name : 1
MaxCommandSize : 10240
ShowHiddenFoldersEnabled : False
UnencryptedOrTLSBindings : {:::143, 0.0.0.0:143}
SSLBindings : {:::993, 0.0.0.0:993}
InternalConnectionSettings : {ca1.mydomain.com:993:SSL, ca1.mydomain.com:143:TLS}
ExternalConnectionSettings : {mail.mydomain.com:993:SSL}
X509CertificateName : ca1
Banner : The Microsoft Exchange IMAP4 service is ready.
LoginType : PlainTextLogin
AuthenticatedConnectionTimeout : 00:30:00
PreAuthenticatedConnectionTimeout : 00:01:00
MaxConnections : 2147483647
MaxConnectionFromSingleIP : 2147483647
MaxConnectionsPerUser : 16
MessageRetrievalMimeFormat : BestBodyFormat
ProxyTargetPort : 143
CalendarItemRetrievalOption : iCalendar
OwaServerUrl :
EnableExactRFC822Size : False
LiveIdBasicAuthReplacement : False
SuppressReadReceipt : False
ProtocolLogEnabled : False
EnforceCertificateErrors : False
LogFileLocation : C:\Program Files\Microsoft\Exchange Server\V14\Logging\Imap4
LogFileRollOverSettings : Daily
LogPerFileSizeQuota : 0 B (0 bytes)
ExtendedProtectionPolicy : None
EnableGSSAPIAndNTLMAuth : True
Server : CA1
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=1,CN=IMAP4,CN=Protocols,CN=CA1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=AdeptOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=he,DC=adept,DC=za,DC=net
Identity : CA1\1
Guid : e76e43da-c7cb-4fe1-8bcf-110fce8b52db
ObjectCategory : he.mydomain.com/Configuration/Schema/ms-Exch-Protocol-Cfg-IMAP-Server
ObjectClass : {top, protocolCfg, protocolCfgIMAP, protocolCfgIMAPServer}
WhenChanged : 2013/01/03 02:22:17 PM
WhenCreated : 2012/12/14 12:15:05 PM
WhenChangedUTC : 2013/01/03 12:22:17 PM
WhenCreatedUTC : 2012/12/14 10:15:05 AM
OrganizationId :
OriginatingServer : DC2.mydomain.com
IsValid : True
______________________________________________________________________
[PS] C:\Windows\system32>Get-ReceiveConnector |fl
RunspaceId : 371ec7c4-46b4-4977-a978-b43587ceaa75
AuthMechanism : Tls
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:143, 0.0.0.0:587, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : HT1.mydomain.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 60
MaxLocalHopCount : 12
MaxLogonFailures : 3
MaxMessageSize : 10 MB (10,485,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : HT1
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : TestAgain
DistinguishedName : CN=TestAgain,CN=SMTP Receive Connectors,CN=Protocols,CN=HT1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=AdeptOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=he,DC=mydomain,DC=co,DC=za
Identity : HT1\TestAgain
Guid : e97c8a25-1a78-4294-a0c9-15a633c2b03e
ObjectCategory : mydomain.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 2013/01/03 07:15:23 PM
WhenCreated : 2013/01/03 04:55:39 PM
WhenChangedUTC : 2013/01/03 05:15:23 PM
WhenCreatedUTC : 2013/01/03 02:55:39 PM
OrganizationId :
OriginatingServer : DC2.mydomain.com
IsValid : True
______________________________________________________________________
[PS] C:\Windows\system32>Get-CASMailbox -Organization mydomain.co.za |fl
RunspaceId : 371ec7c4-46b4-4977-a978-b43587ceaa75
EmailAddresses : {SMTP:myuser@mydomain.com}
LegacyExchangeDN : /o=mydomainOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Lydon200c8011
LinkedMasterAccount :
PrimarySmtpAddress : myuser@mydomain.com
SamAccountName : myuser
ServerLegacyDN : /o=mydomainOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MB2
ServerName : mb2
DisplayName : myuser
ActiveSyncAllowedDeviceIDs : {}
ActiveSyncBlockedDeviceIDs : {}
ActiveSyncMailboxPolicy : mydomain\Default
ActiveSyncMailboxPolicyIsDefaulted : True
ActiveSyncDebugLogging :
ActiveSyncEnabled : True
HasActiveSyncDevicePartnership : False
ExternalImapSettings :
InternalImapSettings :
ExternalPopSettings :
InternalPopSettings :
ExternalSmtpSettings :
InternalSmtpSettings :
OwaMailboxPolicy : mydomain\OwaMailboxPolicy-Default
OWAEnabled : True
ECPEnabled : True
EmwsEnabled : False
PopEnabled : True
PopUseProtocolDefaults : True
PopMessagesRetrievalMimeFormat : BestBodyFormat
PopEnableExactRFC822Size : False
PopSuppressReadReceipt : False
ImapEnabled : True
ImapUseProtocolDefaults : True
ImapMessagesRetrievalMimeFormat : BestBodyFormat
ImapEnableExactRFC822Size : False
ImapSuppressReadReceipt : False
MAPIEnabled : True
MAPIBlockOutlookNonCachedMode : False
MAPIBlockOutlookVersions :
MAPIBlockOutlookRpcHttp : False
EwsEnabled : True
EwsAllowOutlook :
EwsAllowMacOutlook :
EwsAllowEntourage :
EwsApplicationAccessPolicy :
EwsAllowList :
EwsBlockList :
ShowGalAsDefaultView : True
IsValid : True
ExchangeVersion : 0.10 (14.0.100.0)
Name : myuser
DistinguishedName : CN=myuser,OU=mydomain,OU=Microsoft Exchange Hosted Organizations,DC=he,DC=mydomain,DC=za,DC=net
Identity : mydomain.com/Microsoft Exchange Hosted Organizations/mydomain/myuser
Guid : c1796595-54e7-481f-b82c-b50e52049cb3
ObjectCategory : mydomain.com/Configuration/Schema/Person
ObjectClass : {top, person, organizationalPerson, user}
WhenChanged : 2013/01/03 07:25:57 PM
WhenCreated : 2012/12/28 09:54:36 AM
WhenChangedUTC : 2013/01/03 05:25:57 PM
WhenCreatedUTC : 2012/12/28 07:54:36 AM
OrganizationId : mydomain.com/Microsoft Exchange Hosted Organizations/mydomain - he.mydomain.za.net/Configuration/Services/Microsoft Exchange/ConfigurationUnits/mydomain/Configuration
OriginatingServer : dc1.mydomain.com
______________________________________________________________________
[PS] C:\Windows\system32>telnet localhost 110
+OK The Microsoft Exchange POP3 service is ready.
user myuser@mydomain.co.za
+OK
pass Something321
-ERR Logon failure: unknown user name or bad password.
______________________________________________________________________
C:\Program Files\Microsoft\Exchange Server\V14\Logging\Pop3
2013-01-03T17:25:19.097Z,0000000000000002,0,::1:110,::1:59877,,-2147483648,0,51,OpenSession,,
2013-01-03T17:25:32.216Z,0000000000000002,1,::1:110,::1:59877,,78,32,5,user,myuservz@mydomain.co.za,R=ok
2013-01-03T17:25:39.751Z,0000000000000002,2,::1:110,::1:59877,,3198,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";RpcC=7;RpcL=31;LdapC=12;LdapL=32;Msg=""User:myuser van Zyl:72005f71-deaf-4788-94bf-6872dbbd3aaa:mb2db1:MB2.mydomain.za.net"";Excpt=""Cannot open mailbox /o=AdeptOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=myuservza9e753cc.-AccessDeniedException/MapiExceptionNoAccess"""
2013-01-03T17:26:18.907Z,0000000000000002,3,::1:110,::1:59877,,0,0,31,CloseSession,,
______________________________________________________________________
EventViewer> Windows Logs> Application
(no other logs that seem relevant)
Warning: Basic authentication is available over plain text connections.
______________________________________________________________________
Other notes:
- as per other forum: http://social.technet.microsoft.com/Forums/da-DK/exchangesvrdeploylegacy/thread/1ad1b55e-8cc6-4676-87ee-0a6216f1b399 , I added the code that was missing in services: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe & Microsoft.Exchange.Imap4Service.exe
- firewall turned off
- tried ticking the box for "Do not require Kerberos Authentication"
- have tried moving mailbox from one DB to another
Cannot think what else might be relevant, really appreciate any ideas or advice.
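
Added example, not part of the original post: the POP3 client above only sees a generic "Logon failure" reply, while the protocol log entry for the same `pass` command also records a mailbox-open exception. This Python sketch parses the log excerpt from the post and labels each failed logon by what the server logged; the column names in `FIELDS` and the two label strings are assumptions made for this example.

```python
import csv
import io
import re

# Column names are an assumption inferred from the 12 positions in the excerpt.
FIELDS = ["dateTime", "sessionId", "seqNumber", "sIp", "cIp", "user",
          "duration", "rqsize", "rpsize", "command", "parameters", "context"]

# Log lines from the post, with the wrapped third record rejoined.
SAMPLE_LOG = r'''2013-01-03T17:25:19.097Z,0000000000000002,0,::1:110,::1:59877,,-2147483648,0,51,OpenSession,,
2013-01-03T17:25:32.216Z,0000000000000002,1,::1:110,::1:59877,,78,32,5,user,myuservz@mydomain.co.za,R=ok
2013-01-03T17:25:39.751Z,0000000000000002,2,::1:110,::1:59877,,3198,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";RpcC=7;RpcL=31;LdapC=12;LdapL=32;Msg=""User:myuser van Zyl:72005f71-deaf-4788-94bf-6872dbbd3aaa:mb2db1:MB2.mydomain.za.net"";Excpt=""Cannot open mailbox /o=AdeptOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=myuservza9e753cc.-AccessDeniedException/MapiExceptionNoAccess"""
2013-01-03T17:26:18.907Z,0000000000000002,3,::1:110,::1:59877,,0,0,31,CloseSession,,
'''

# key=value pairs separated by ';', where a value may be double-quoted.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^;]*))')


def parse_context(context):
    """Split the context column into a dict such as {'R': ..., 'Excpt': ...}."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(context or "")}


def classify(row):
    """Label a failed 'pass' command by what the server logged, not the client reply."""
    ctx = parse_context(row["context"])
    if row["command"] != "pass" or not ctx.get("R", "").startswith("-ERR"):
        return None
    if "MapiExceptionNoAccess" in ctx.get("Excpt", ""):
        # The entry carries an exception raised while opening the mailbox.
        return "mailbox-open-denied"
    return "credential-or-lookup-failure"


def triage(log_text):
    """Return (timestamp, sessionId, label) for every failed logon in the log."""
    rows = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    return [(r["dateTime"], r["sessionId"], label)
            for r in rows if not r["dateTime"].startswith("#")
            for label in [classify(r)] if label]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```
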