MSExchangeGuru.com

Learn Exchange the Guru way !!!

 
«
»

Exchange 2013: Pop/Imap clients unable to Authenticate

Lets take a look at an issue in E2013 where Pop/Imap clients unable to Authenticate

Environment:

Exchange 2010 SP3: 2 mailbox server in DAG, 2 CAS/HT with windows NLB

Exchange 2013 CU1: 2 mailbox server in DAG, 2 CAS with windows NLB

Issue:

During the co-existence phase during Exchange 2010 to 2013 migration, Pop/Imap clients are unable to authenticate.

In the log file we can see the following message. No other message.

NLB IP:993,ClientIP:55612,,112,27,23,login,Loginid password,”R=””05up NO LOGIN failed.””;Msg=””User:username:2796642b-68aa-49cc-93c0-0414276541fe:SDB1:mailbox server FQDN;Proxy:mailbox server FQDN:143:SSL;NotAuthenticated”””

 

By default logging is disabled and you need to enable by running the below cmd:

Set-imapsettings -server CASServerName –ProtocolLogEnabled $true

Set-popsettings -server CASServerName –ProtocolLogEnabled $true

Default Imap Log File Location  is C:Program FilesMicrosoftExchange ServerV15LoggingImap4

Default Pop Log File Location  is C:Program FilesMicrosoftExchange ServerV15LoggingPOP3

 

You might also see the following events in the system log:

Log Name: System
Source: Schannel
Date: 8/4/2013 1:00:33 AM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer:
Description:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

 

Cause:

This is a bug in Exchange 2013 CU1.

 

Resolution: 

Install Cumulative update 2 for Exchange 2013 on all the Exchange 2013 Servers starting from Mailbox role.

 

Additional Config:

For sending emails when you use SMTP we will be using the CAS client connector and might need to run the below cmd.

Set-ReceiveConnector “*CASHostnameClient Frontend CASHostname” -AdvertiseClientSettings $True -FQDN NLBUrl

I am using windows NLB so I am used NLBUrl in the cmd to get high availability.

 

I have asked Microsoft to fix the cmd in the below link:

http://technet.microsoft.com/en-us/library/jj657728(v=exchg.150).aspx#settings

 

Conclusion:

I would recommend moving to CU2 if you have pop/imap users.

 

 

Prabhat Nigam

Microsoft MVP | Exchange Server

team@msexchangeguru

Posted August 4th, 2013 under CAS, Exchange 2013, Outlook, POP/IMAP. RSS 2.0 feed. Leave a response, or trackback.

23 Responses to “Exchange 2013: Pop/Imap clients unable to Authenticate”

  1. Exchange 2010/2007 to 2013 Migration and Co-existence Guide « MSExchangeGuru.com Says:
    August 6th, 2013 at 2:40 pm

    […] If you have pop/imap user go for CU2: https://msexchangeguru.com/2013/08/04/e2013popimapauth/ […]

  2. Kevin Says:
    March 18th, 2014 at 5:10 pm

    We have recently moved to Exchange Server 2013 SP1 (post CU2) and are having this issue. Have you been able to find a resolve for it?

    Thanks!

  3. Prabhat Nigam Says:
    March 18th, 2014 at 5:47 pm

    @Kevin
    I was able to fix with CU2.
    Issue has not repeated since then.
    I have not test with SP1.

  4. Kevin Williams Says:
    March 18th, 2014 at 7:57 pm

    I have discovered my issue. My TargetProxyAddress in IMAP was set to 143 instead of the IMAPBE port 9933. As soon as I updated the TargetProxyAddress and restarted services I was able to successfully login.

    Happy Messaging!

  5. Prabhat Nigam Says:
    March 18th, 2014 at 8:03 pm

    Welcome! So SP1 is good. 🙂

  6. Dmitry Razbornov Says:
    May 6th, 2014 at 4:55 am

    Hi,Prabhat!
    You miss “S” in cimmandlet. Correct is
    set-PopSettings

  7. Prabhat Nigam Says:
    May 8th, 2014 at 11:50 am

    @Dmitry – Thank you, I have updated the blog.

  8. Murugan.S Says:
    June 24th, 2014 at 3:47 pm

    Hi Prabhat,

    we have done migration from exchange 2007 to Exchange 2013 CU5. we are having the issue with POP3 account as SMTP 25 is not authenticating. there is no NLB for Exch 2013.

    please help me to solve this.

    Thanks.

  9. Prabhat Nigam Says:
    June 24th, 2014 at 4:17 pm

    Try port 2525

  10. Murugan.S Says:
    June 25th, 2014 at 7:47 am

    No. it is not working with Port 2525. when I test this on outlook (Pop3 configuration) iam getting error “your E-mail server rejected your login.verify your username and password for this account in account setting.

    Thanks.

  11. Prabhat Nigam Says:
    June 26th, 2014 at 1:15 am

    what do you see in the log file here – C:\Program Files\Microsoft\Exchange Server\V15\Logging\POP3

  12. Steven Springer Says:
    July 4th, 2015 at 5:27 am

    Unable to Login to Exchange 2013 POP3 Service, there ist no Possility to Login with any user Account of the Domain ( Exchange 2013 CU6) Installed.
    The Message i get is on every Login User OK, -ERR Logon failure: unknown user name or bad Password ( Passwort is right !!) ErrMsg=ProxyNotAuthenticated, ErrMsg=PreAuthTimeout

    Has anyone any Idee to troubleshoot what the reason is !!??

    2015-07-03T19:41:12.242Z,0000000000000028,1,192.168.5.238:110,192.168.5.76:63219,s.springer,1,15,5,user,s.springer,R=ok
    2015-07-03T19:41:18.165Z,0000000000000028,2,192.168.5.238:110,192.168.5.76:63219,s.springer,54,10,56,pass,*****,”R=””-ERR Logon failure: unknown user name or bad password.””;Msg=Proxy:EXCHANGE-01.testdomain.de:1995:SSL;ErrMsg=ProxyNotAuthenticated”
    2015-07-03T19:41:54.390Z,000000000000002A,0,127.0.0.1:995,127.0.0.1:63237,,16,0,51,OpenSession,,
    2015-07-03T19:41:54.390Z,000000000000002A,1,127.0.0.1:995,127.0.0.1:63237,,1,4,37,capa,,R=ok
    2015-07-03T19:41:54.390Z,000000000000002A,2,127.0.0.1:995,127.0.0.1:63237,,0,0,0,CloseSession,,
    2015-07-03T19:42:09.141Z,0000000000000028,3,192.168.5.238:110,192.168.5.76:63219,s.springer,0,0,31,CloseSession,,ErrMsg=PreAuthTimeout

  13. Prabhat Nigam Says:
    July 4th, 2015 at 6:14 am

    Try different user. Make sure pop3 protocol is enabled for the user in the mailbox properties and pop3 url is configured for all servers.

    I would suggest to test in the lab if CU7 or cu8 or Cu9 fixes it.

    If all the settings are correct then open a ticket with Microsoft.

  14. SUHAS PHALKE Says:
    August 4th, 2015 at 12:16 am

    Steven You may check the PreAuthtimeout value defined for POP3 , it is usually 1 minute ..you may try increasing to 5 and check

  15. SUHAS PHALKE Says:
    August 4th, 2015 at 12:19 am

    Hey Prabhat getting the following error for IMAP ..noticed under imap protocol logs

    2015-07-20T07:20:24.193Z,00000000000000F7,1,10.42.1.4:993,10.42.1.6:55194,echo,6466,19,21,login,echo *****,”R=””C1 NO LOGIN failed.””;Msg=Proxy:ABCD.XYZ.COM:9933:SSL;ErrMsg=ProxyNotAuthenticated;Excpt=””Transport Layer Security (TLS) has already been negotiated.-System.InvalidOperationException””

  16. Prabhat Nigam Says:
    August 5th, 2015 at 6:06 am

    I think TLS is being repeated at some place which is not required.

  17. SAM Says:
    October 15th, 2015 at 10:47 pm

    Hi Dear, Since we have coexist exchange 2007 with exchange 2013, client that have mailbox on exchange 2007 was not able to connect to mail server via POP/IMAP thru CAS exchange 2013 CU1. appreciated for your responding.

  18. naji Says:
    February 29th, 2016 at 12:13 am

    Hello all,
    I am having serious issue during coexistence between exchange 2010 and 2013, authentication failed when attempting to connect through IMAP, I will write the environment and the logs in points so that the description of the issue will be clear for everyone.
    • The environment has 2 exchange 2013 servers CU10 SP1, each server has combined (CAS+MBX) installed, and coexist with legacy exchange servers (exchange 2010)
    • Exchange 2013 servers installed on windows 2012 servers
    • No firewall between exchange servers and clients
    • Exchange 2010 mailboxes can connect to their mailboxes through IMAP just fin e without any issue
    • Exchange 2013 mailboxes cannot connect through IMAP (NO LOGON failed)
    • Mailboxes needs to connect to port 143 (not 993)
    • IMAP4 and IMAP4BE services are running in both exchange 2013 servers
    • Get-servercomponentstate shows that ImapProxy is active
    • Get-healthreport shows that IMAP is in Unhealthy state (the reason is NO LOGIN failed)
    • telnet 143
    The Microsoft Exchange IMAP4 service is ready.
    ? login
    NO LOGIN failed

    • The output of the command (get-imapsettings) is as follow:
    RunspaceId : a63b58c4-7fa3-42cb-a270-cdcf91032853
    ProtocolName : IMAP4
    Name : 1
    MaxCommandSize : 10240
    ShowHiddenFoldersEnabled : False
    UnencryptedOrTLSBindings : {[::]:143, 0.0.0.0:143}
    SSLBindings : {0.0.0.0:993, [::]:993}
    InternalConnectionSettings : {SHUEXCH02.mydomain.com:993:SSL, SHUEXCH02.mydomain.com:143:TLS}
    ExternalConnectionSettings : {}
    X509CertificateName : shuexch02
    Banner : The Microsoft Exchange IMAP4 service is ready.
    LoginType : PlainTextLogin
    AuthenticatedConnectionTimeout : 00:30:00
    PreAuthenticatedConnectionTimeout : 00:01:00
    MaxConnections : 2147483647
    MaxConnectionFromSingleIP : 2147483647
    MaxConnectionsPerUser : 16
    MessageRetrievalMimeFormat : BestBodyFormat
    ProxyTargetPort : 143
    CalendarItemRetrievalOption : iCalendar
    OwaServerUrl :
    EnableExactRFC822Size : False
    LiveIdBasicAuthReplacement : False
    SuppressReadReceipt : False
    ProtocolLogEnabled : True
    EnforceCertificateErrors : False
    LogFileLocation : C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4
    LogFileRollOverSettings : Daily
    LogPerFileSizeQuota : 0 B (0 bytes)
    ExtendedProtectionPolicy : None
    EnableGSSAPIAndNTLMAuth : False
    Server : SHUEXCH02
    AdminDisplayName :
    ExchangeVersion : 0.10 (14.0.100.0)
    DistinguishedName : CN=1,CN=IMAP4,CN=Protocols,CN=SHUEXCH02,CN=Servers,CN=Exchange Administrative
    Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft
    Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com, Identity : SHUEXCH02\1
    Guid : d72d0ee4-0711-4769-9174-bb7f76f25316
    ObjectCategory : mydomain.com
    /Configuration/Schema/ms-Exch-Protocol-Cfg-IMAP-Server
    ObjectClass : {top, protocolCfg, protocolCfgIMAP, protocolCfgIMAPServer}
    WhenChanged : 2/28/2016 11:20:42 AM
    WhenCreated : 10/26/2015 3:20:34 PM
    WhenChangedUTC : 2/28/2016 8:20:42 AM
    WhenCreatedUTC : 10/26/2015 12:20:34 PM
    OrganizationId :
    Id : SHUEXCH02\1
    OriginatingServer : SHUDC01.mydomain.com
    IsValid : True
    ObjectState : Unchanged

    • IMAP Logs show that :
    16-02-29T00:02:43.161Z,00000000000007AD,2,127.0.0.1:993,127.0.0.1:14599,HealthMailbox7a89f888474b4e78a0e67922c9f73846,43,72,87,login,HealthMailbox7a89f888474b4e78a0e67922c9f73846@mydomain.com *****,”R=””z NO [Error=ProxyNotAuthenticated Proxy=SHUEXCH01.mydomain.com:143:SSL] LOGIN failed.””;Msg=Proxy:SHUEXCH01.mydomain.com:143:SSL;ErrMsg=ProxyNotAuthenticated”
    2016-02-29T00:02:43.161Z,00000000000007AD,3,127.0.0.1:993,127.0.0.1:14599,HealthMailbox7a89f888474b4e78a0e67922c9f73846,0,0,0,CloseSession,,

    Hope these information contains all the informations you need

    Please anyone can help me solving this issue

  19. Thiago Beier Says:
    March 24th, 2016 at 10:02 am

    the file C:\Program Files\Microsoft\Exchange Server\V15\Logging\POP3 is stored in the CAS server? or in the mailbox?

  20. Prabhat Nigam Says:
    March 24th, 2016 at 12:50 pm

    CAS

  21. SAM Says:
    March 29th, 2016 at 3:35 am

    If we set EnableGSSAPIAndNTLMAuth for POP setting to false then the Pop authentication is successfull

  22. Prabhat Nigam Says:
    March 29th, 2016 at 9:02 am

    Great

  23. Prabhat Nigam Says:
    August 12th, 2016 at 2:22 pm

    I hope this issue got resolved in further cumulative updates. Let us know if it was not resolved.

Leave a Reply

Categories

Archives

MSExchangeGuru.com