Diagnosing Exchange Symptoms

KerbTray helped this reader figure out what was making his Exchange server sick.

• By Bill Boswell
• 05/25/2004

We're migrating mailboxes to Exchange 2003. Everything seems to be working properly, except...when a user accesses an Exchange 2003 mailbox from Outlook 2003, the user gets an error that says "Your Microsoft Exchange Server is unavailable" with options to Retry, Work Offline or Cancel. If the user clicks Retry, eventually the mailbox opens but works very slowly. If I change the security settings in the client's Outlook settings from "Kerberos/NTLM Password Authentication" to "NTLM Password Authentication," it works properly. The user can access the mailbox and everything works quickly.

OWA works fine. Accessing Exchange 2003 mailboxes using Outlook 2000 or Outlook XP works fine.

The client's Event Log has two errors:

• Event ID 40960: The Security System detected an attempted downgrade attack for server exchangeRFR/exchange2k3.cramerdom.com
• Event ID 40961: The Security System could not establish a secured connection with the server exchangeRFR/exchange2k3.cramerdom.com

If I log in as Administrator, I can open an Exchange 2003 mailbox using Outlook 2003 and Kerberos security without any problem, and it opens quickly.

Do you know the solution?
—David

Readers: I wasn't quite sure what was causing the symptoms David described, so I asked him to believe his instrumentation and to focus his detective work on finding out why an average user account would insist that no logon server was available while an administrator account could find a logon server with no problem.

Outlook 2003 is the only version of Outlook that uses Kerberos authentication and, because Outlook 2003 worked fine in NTLM mode, it appeared to me that the problem might center around the inability on the part of the user to obtain a Kerberos session ticket to the Exchange server.

I asked David to get a copy of Kerbtray from the Windows 2000 (or Windows Server 2003) Resource Kit. The Kerbtray utility puts a little green icon in the Notification Area (used to be called the System Tray). If you click the icon, a window opens that shows the Kerberos Ticket Granting Tickets (TGT) and session tickets issued to the user.

If everything works correctly, an Outlook 2003 user should show a set of Kerberos session tickets for Exchange services, including the Referral (ExchangeRFR) service listed in the Event Log entry. Also, if you hold the Ctrl key down and right-click the Outlook icon in the Notification Area, you can open a Connections window that shows you the names of the domain controller, the Global Catalog server, the Exchange mailbox server, and the Exchange public folder server where the user connected.

I also asked David to make absolutely sure that DNS was configured correctly at the client and at the Exchange 2003 server. A failure to find a suitable SRV record will cause Kerberos errors. By using Ipconfig /flushdns to flush the DNS resolver cache, then launching Outlook, then viewing the resolver cache with Ipconfig /display DNS, it's possible that he might find No Record Available errors where he would expect to find SRV resource records.

Also, I asked David to see if the user belonged to a large number of groups. If a user's group membership gets too large, the paAuth data field that holds SID information in a Kerberos ticket will not fit in a UDP datagram. This forces Kerberos to use TCP, and it would not be the first time that this shift to TCP-based Kerberos transactions caused strange symptoms to appear.

While experimenting with these tips, David found the cause of the problem. Apparently he had migrated the users' mailboxes from Exchange 5.5 to Exchange Server 2003 using an account that did not have sufficient admin rights in the Exchange organization. The account was able to create the e-mail attributes in Active Directory and move the mailbox contents, but when the user logged on with Kerberos rather than NTLM credentials, Exchange refused to open the mailbox. I don't have a good explanation why an NTLM logon worked, but when David moved the mailbox back to the Exchange 5.5 server then moved it again to the Exchange 2003 server using an account with full Exchange Administrator permissions, an Outlook 2003 user was able to access the mailbox using Kerberos authentication.

Hope this helps.