Exchange 2013: Pop/Imap clients unable to Authenticate
Let's take a look at an issue in Exchange 2013 where POP/IMAP clients are unable to authenticate.
Environment:
Exchange 2010 SP3: 2 mailbox servers in a DAG, 2 CAS/HT servers with Windows NLB
Exchange 2013 CU1: 2 mailbox servers in a DAG, 2 CAS servers with Windows NLB
Issue:
During the co-existence phase of an Exchange 2010 to 2013 migration, POP/IMAP clients are unable to authenticate.
In the log file we can see the following message. No other message.
NLB IP:993,ClientIP:55612,,112,27,23,login,Loginid password,"R=""05up NO LOGIN failed."";Msg=""User:username:2796642b-68aa-49cc-93c0-0414276541fe:SDB1:mailbox server FQDN;Proxy:mailbox server FQDN:143:SSL;NotAuthenticated"""
By default, protocol logging is disabled; enable it by running the commands below:
Set-ImapSettings -Server CASServerName -ProtocolLogEnabled $true
Set-PopSettings -Server CASServerName -ProtocolLogEnabled $true
The default IMAP log file location is C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4
The default POP log file location is C:\Program Files\Microsoft\Exchange Server\V15\Logging\POP3
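The following Python example is added here and is not part of the original post. It parses protocol log lines of the shape quoted on this page and groups failed `login`/`pass` commands by the back-end proxy target and `ErrMsg` value in the last column, so a fault that hits every user behind one proxy target stands out. The column labels, the function names and the sample lines are assumptions constructed for illustration.

```python
import csv
import re
from collections import defaultdict

# Column labels are assumed from value positions in the lines quoted on this page.
FIELDS = "time session seq server client user duration rq rp command params context".split()

# Constructed sample lines, shaped like the ones quoted on this page.
SAMPLE = '''\
2015-07-03T19:41:12.242Z,0000000000000028,1,192.0.2.10:110,198.51.100.7:63219,alice,1,15,5,user,alice,R=ok
2015-07-03T19:41:18.165Z,0000000000000028,2,192.0.2.10:110,198.51.100.7:63219,alice,54,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=Proxy:MBX01.example.test:1995:SSL;ErrMsg=ProxyNotAuthenticated"
2015-07-03T19:42:09.141Z,0000000000000028,3,192.0.2.10:110,198.51.100.7:63219,alice,0,0,31,CloseSession,,ErrMsg=PreAuthTimeout
2015-07-03T19:43:01.000Z,0000000000000031,1,192.0.2.10:993,198.51.100.9:50111,bob,40,19,21,login,bob *****,"R=""C1 NO LOGIN failed."";Msg=Proxy:MBX01.example.test:143:SSL;ErrMsg=ProxyNotAuthenticated"
2015-07-03T19:43:30.000Z,0000000000000032,1,192.0.2.10:993,198.51.100.9:50112,carol,38,21,21,login,carol *****,"R=""C2 NO LOGIN failed."";Msg=Proxy:MBX01.example.test:143:SSL;ErrMsg=ProxyNotAuthenticated"
'''

FAILED = re.compile(r'R="?(?:\S+ )?(?:NO|-ERR)\b')  # IMAP "tag NO" or POP "-ERR"
PROXY = re.compile(r"Proxy:([^;:\s]+:\d+:\w+)")      # back-end host:port:mode
ERRMSG = re.compile(r"ErrMsg=(\w+)")


def failed_logins(text):
    """Yield a dict for every failed login (IMAP) or pass (POP) command."""
    lines = (l for l in text.splitlines() if l.strip() and not l.startswith("#"))
    for row in csv.reader(lines):
        if len(row) < len(FIELDS):
            continue  # truncated or malformed line
        rec = dict(zip(FIELDS, row))
        if rec["command"].lower() not in ("login", "pass") or not FAILED.match(rec["context"]):
            continue
        proxy, err = PROXY.search(rec["context"]), ERRMSG.search(rec["context"])
        yield {"user": rec["user"], "client_ip": rec["client"].rsplit(":", 1)[0],
               "proxy": proxy.group(1) if proxy else None,
               "err": err.group(1) if err else None}


def summarize(text):
    """Group failures by (back-end proxy target, ErrMsg)."""
    groups = defaultdict(lambda: {"events": 0, "users": set(), "clients": set()})
    for f in failed_logins(text):
        g = groups[(f["proxy"], f["err"])]
        g["events"] += 1
        g["users"].add(f["user"])
        g["clients"].add(f["client_ip"])
    return dict(groups)


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To run it against a real file, pass the file's text to `summarize` in place of `SAMPLE`.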
You might also see the following events in the system log:
Log Name: System
Source: Schannel
Date: 8/4/2013 1:00:33 AM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer:
Description:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.
Cause:
This is a bug in Exchange 2013 CU1.
Resolution:
Install Cumulative Update 2 for Exchange 2013 on all the Exchange 2013 servers, starting with the Mailbox role.
Additional Config:
For sending email over SMTP, clients use the CAS client connector, and you might need to run the command below.
Set-ReceiveConnector "*CASHostname\Client Frontend CASHostname" -AdvertiseClientSettings $True -FQDN NLBUrl
I am using Windows NLB, so I used NLBUrl in the command to get high availability.
I have asked Microsoft to fix the cmd in the below link:
http://technet.microsoft.com/en-us/library/jj657728(v=exchg.150).aspx#settings
Conclusion:
I would recommend moving to CU2 if you have POP/IMAP users.
Prabhat Nigam
Microsoft MVP | Exchange Server
team@msexchangeguru
March 18th, 2014 at 5:10 pm
We have recently moved to Exchange Server 2013 SP1 (post CU2) and are having this issue. Have you been able to find a resolve for it?
Thanks!
March 18th, 2014 at 5:47 pm
@Kevin
I was able to fix with CU2.
Issue has not repeated since then.
I have not tested with SP1.
March 18th, 2014 at 7:57 pm
I have discovered my issue. My TargetProxyAddress in IMAP was set to 143 instead of the IMAPBE port 9933. As soon as I updated the TargetProxyAddress and restarted services I was able to successfully login.
Happy Messaging!
March 18th, 2014 at 8:03 pm
Welcome! So SP1 is good. 🙂
May 6th, 2014 at 4:55 am
Hi, Prabhat!
You missed the "S" in the commandlet. The correct one is
Set-PopSettings
May 8th, 2014 at 11:50 am
@Dmitry – Thank you, I have updated the blog.
June 24th, 2014 at 3:47 pm
Hi Prabhat,
We have done a migration from Exchange 2007 to Exchange 2013 CU5. We are having an issue with a POP3 account, as SMTP 25 is not authenticating. There is no NLB for Exch 2013.
Please help me to solve this.
Thanks.
June 24th, 2014 at 4:17 pm
Try port 2525
June 25th, 2014 at 7:47 am
No, it is not working with port 2525. When I test this in Outlook (POP3 configuration) I am getting the error "your E-mail server rejected your login. verify your username and password for this account in account setting."
Thanks.
June 26th, 2014 at 1:15 am
What do you see in the log file here: C:\Program Files\Microsoft\Exchange Server\V15\Logging\POP3
July 4th, 2015 at 5:27 am
Unable to log in to the Exchange 2013 POP3 service; there is no possibility to log in with any user account of the domain (Exchange 2013 CU6 installed).
The message I get on every login is: User OK, -ERR Logon failure: unknown user name or bad password (password is right!!) ErrMsg=ProxyNotAuthenticated, ErrMsg=PreAuthTimeout
Does anyone have any idea how to troubleshoot what the reason is?
2015-07-03T19:41:12.242Z,0000000000000028,1,192.168.5.238:110,192.168.5.76:63219,s.springer,1,15,5,user,s.springer,R=ok
2015-07-03T19:41:18.165Z,0000000000000028,2,192.168.5.238:110,192.168.5.76:63219,s.springer,54,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=Proxy:EXCHANGE-01.testdomain.de:1995:SSL;ErrMsg=ProxyNotAuthenticated"
2015-07-03T19:41:54.390Z,000000000000002A,0,127.0.0.1:995,127.0.0.1:63237,,16,0,51,OpenSession,,
2015-07-03T19:41:54.390Z,000000000000002A,1,127.0.0.1:995,127.0.0.1:63237,,1,4,37,capa,,R=ok
2015-07-03T19:41:54.390Z,000000000000002A,2,127.0.0.1:995,127.0.0.1:63237,,0,0,0,CloseSession,,
2015-07-03T19:42:09.141Z,0000000000000028,3,192.168.5.238:110,192.168.5.76:63219,s.springer,0,0,31,CloseSession,,ErrMsg=PreAuthTimeout
July 4th, 2015 at 6:14 am
Try a different user. Make sure the POP3 protocol is enabled for the user in the mailbox properties and the POP3 URL is configured for all servers.
I would suggest testing in the lab whether CU7, CU8 or CU9 fixes it.
If all the settings are correct then open a ticket with Microsoft.
August 4th, 2015 at 12:16 am
Steven, you may check the PreAuthTimeout value defined for POP3; it is usually 1 minute. You may try increasing it to 5 and check.
August 4th, 2015 at 12:19 am
Hey Prabhat, getting the following error for IMAP, noticed under the IMAP protocol logs:
2015-07-20T07:20:24.193Z,00000000000000F7,1,10.42.1.4:993,10.42.1.6:55194,echo,6466,19,21,login,echo *****,"R=""C1 NO LOGIN failed."";Msg=Proxy:ABCD.XYZ.COM:9933:SSL;ErrMsg=ProxyNotAuthenticated;Excpt=""Transport Layer Security (TLS) has already been negotiated.-System.InvalidOperationException""
August 5th, 2015 at 6:06 am
I think TLS is being repeated at some place which is not required.
October 15th, 2015 at 10:47 pm
Hi Dear, since we have Exchange 2007 coexisting with Exchange 2013, clients that have a mailbox on Exchange 2007 were not able to connect to the mail server via POP/IMAP through the Exchange 2013 CU1 CAS. Your response would be appreciated.
February 29th, 2016 at 12:13 am
Hello all,
I am having a serious issue during coexistence between Exchange 2010 and 2013: authentication fails when attempting to connect through IMAP. I will write the environment and the logs in points so that the description of the issue is clear for everyone.
• The environment has 2 Exchange 2013 servers (CU10 SP1); each server has the combined roles (CAS+MBX) installed and coexists with legacy Exchange servers (Exchange 2010)
• Exchange 2013 servers are installed on Windows 2012 servers
• No firewall between Exchange servers and clients
• Exchange 2010 mailboxes can connect to their mailboxes through IMAP just fine without any issue
• Exchange 2013 mailboxes cannot connect through IMAP (NO LOGON failed)
• Mailboxes need to connect to port 143 (not 993)
• IMAP4 and IMAP4BE services are running in both exchange 2013 servers
• Get-servercomponentstate shows that ImapProxy is active
• Get-healthreport shows that IMAP is in Unhealthy state (the reason is NO LOGIN failed)
• telnet 143
The Microsoft Exchange IMAP4 service is ready.
? login
NO LOGIN failed
• The output of the command (get-imapsettings) is as follow:
RunspaceId : a63b58c4-7fa3-42cb-a270-cdcf91032853
ProtocolName : IMAP4
Name : 1
MaxCommandSize : 10240
ShowHiddenFoldersEnabled : False
UnencryptedOrTLSBindings : {[::]:143, 0.0.0.0:143}
SSLBindings : {0.0.0.0:993, [::]:993}
InternalConnectionSettings : {SHUEXCH02.mydomain.com:993:SSL, SHUEXCH02.mydomain.com:143:TLS}
ExternalConnectionSettings : {}
X509CertificateName : shuexch02
Banner : The Microsoft Exchange IMAP4 service is ready.
LoginType : PlainTextLogin
AuthenticatedConnectionTimeout : 00:30:00
PreAuthenticatedConnectionTimeout : 00:01:00
MaxConnections : 2147483647
MaxConnectionFromSingleIP : 2147483647
MaxConnectionsPerUser : 16
MessageRetrievalMimeFormat : BestBodyFormat
ProxyTargetPort : 143
CalendarItemRetrievalOption : iCalendar
OwaServerUrl :
EnableExactRFC822Size : False
LiveIdBasicAuthReplacement : False
SuppressReadReceipt : False
ProtocolLogEnabled : True
EnforceCertificateErrors : False
LogFileLocation : C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4
LogFileRollOverSettings : Daily
LogPerFileSizeQuota : 0 B (0 bytes)
ExtendedProtectionPolicy : None
EnableGSSAPIAndNTLMAuth : False
Server : SHUEXCH02
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=1,CN=IMAP4,CN=Protocols,CN=SHUEXCH02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com
Identity : SHUEXCH02\1
Guid : d72d0ee4-0711-4769-9174-bb7f76f25316
ObjectCategory : mydomain.com/Configuration/Schema/ms-Exch-Protocol-Cfg-IMAP-Server
ObjectClass : {top, protocolCfg, protocolCfgIMAP, protocolCfgIMAPServer}
WhenChanged : 2/28/2016 11:20:42 AM
WhenCreated : 10/26/2015 3:20:34 PM
WhenChangedUTC : 2/28/2016 8:20:42 AM
WhenCreatedUTC : 10/26/2015 12:20:34 PM
OrganizationId :
Id : SHUEXCH02\1
OriginatingServer : SHUDC01.mydomain.com
IsValid : True
ObjectState : Unchanged
• IMAP Logs show that :
16-02-29T00:02:43.161Z,00000000000007AD,2,127.0.0.1:993,127.0.0.1:14599,HealthMailbox7a89f888474b4e78a0e67922c9f73846,43,72,87,login,HealthMailbox7a89f888474b4e78a0e67922c9f73846@mydomain.com *****,"R=""z NO [Error=ProxyNotAuthenticated Proxy=SHUEXCH01.mydomain.com:143:SSL] LOGIN failed."";Msg=Proxy:SHUEXCH01.mydomain.com:143:SSL;ErrMsg=ProxyNotAuthenticated"
2016-02-29T00:02:43.161Z,00000000000007AD,3,127.0.0.1:993,127.0.0.1:14599,HealthMailbox7a89f888474b4e78a0e67922c9f73846,0,0,0,CloseSession,,
I hope this contains all the information you need.
Can anyone please help me solve this issue?
March 24th, 2016 at 10:02 am
The file C:\Program Files\Microsoft\Exchange Server\V15\Logging\POP3 is stored on the CAS server? Or on the mailbox?
March 24th, 2016 at 12:50 pm
CAS
March 29th, 2016 at 3:35 am
If we set EnableGSSAPIAndNTLMAuth for the POP settings to false, then the POP authentication is successful.
March 29th, 2016 at 9:02 am
Great
August 12th, 2016 at 2:22 pm
I hope this issue got resolved in further cumulative updates. Let us know if it was not resolved.