Solved

Exchange 2010: #530 5.7.1 Client was not authenticated

Posted on 2010-09-17
Last Modified: 2012-05-10
Hi everyone,

A couple of months ago we started the migration from Exchange 2003 to Exchange 2010 at HQ and everything is working perfectly.  A few days back we started installing Exchange 2010 on the 2nd site (non-Internet facing) and I'm facing a problem that I didn't manage to solve after a couple of days fighting.  The users on the remote site cannot send Internet email and they receive the error "#530 5.7.1 Client was not authenticated".  The default receive connector on the remote Exchange Server is as per attached.

After doing a lot of reading on the Internet I also created another Receive Connector on the remote server that I called "Internal" with the following settings.  Also on this connector on the network tab I set the local IP to the IP address of the remote Server and the Receive mail IP to the IP address of the Server on the 2nd site.

When I remove the "Internal" connector in the Queue Viewer I receive a server authentication failure!!

Your help is really appreciated since I'm lost!!!

Kevin





Default-Receive-Remote-Auth.jpg
Default-Receive-Remote-Permissio.jpg
Internal-Receive-Remote-Auth.jpg
Internal-Receive-Remote-Permissi.jpg
Question by:gta156
27 Comments
 

Expert Comment

by:smartsid
ID: 33707117
Have you tried enabling Basic Authentication & Exchange Server Authentication on default receive connector ?
 

Author Comment

by:gta156
ID: 33707154
Smartsid,
yes I tried to enable Basic Authentication but it didn't help.  BUT I cannot enable Exchange Server Authentication since the FQDN of the connector is the external email domain i.e. mail.yemenlng.com
Please note that with the current setup I can send emails to users with mailboxes on the remote mailbox Server
Thanks
Kevin

Expert Comment

by:endital1097
ID: 33707336
you need to look at the remote ip ranges associated with each receive connector
make sure the site matches up with the ip range in the appropriate connector
 

Author Comment

by:gta156
ID: 33707457
endital1097,

the Default connector is open for all IP ranges and the Internal one is only open for the Hub Transport Server in the 2nd site.  When I removed or disabled the internal connector I still could not send email outside our Domain.

Thanks

Kevin

Expert Comment

by:JuusoConnecta
ID: 33715488
Call your HQ site for Site A,

You got to exchange 2010 successfully using the exchange on site A.
Now you have a Site B, which is an offline site with exchange server.

How will this exchange server in site B connect to the internet ?
Will it connect directly to the web (in that case you need another external IP address pointing towards that exchange Server)

If it will connect to the internet thru your exchange server in SITE A you need a routing connector between SITE A Exchange server and SITE B Exchange server.
(in Exchange Management Console -> organization configuration -> Hub Transport -> Send Connectors)

If I have understood everything correctly you want your Exchange Organization to look like the following (correct me if I'm wrong)

Site A Exchange server (is working fine btw) has the MX record pointed to it and is facing internet with the default send connector.
Site B Exchange server will be in the background of primary exchange server (without a personal external IP address, in that case it should have a send connector as I said)
After you've done this you should be able to send out emails from your SITE B exchange server, goes the following: Site B exchange server sends mail to Site A exchange server -> which sends it out to the internet.

Now here's where your receive connector comes. When someone replies to a mail that was sent out from Site B exchange server the mail will of course go back to your Site A exchange server (since that's the internet facing one with your external ip address, and which your mx records are pointing towards, I assume)
Site A therefore needs to send/route the email further and that's why you need a receive connector (Under Server Configuration -> Hub Transport)

let me know If I misunderstood the whole thing
 

Author Comment

by:gta156
ID: 33760077
Dear JuusoConnecta,
sorry for the late reply but I was away from office for a few days...Yes you understood perfectly:)
Exchange on site A is working perfectly and yes it has an MX record pointing to it and using the default Send connector.  The Exchange Server on Site B will not be connected directly to the Internet.
What are the values that I have to put on the routing connector?
And what about the values for the receive connector on the Exchange Server on site B
Thanks
Kevin
 

Expert Comment

by:JuusoConnecta
ID: 33767867
You will need to create a routinggroupconnector in exchange management shell: the following command should do fine.

New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "EXCHSource.SubhashTest.com" -TargetTransportServers "EXCH2k3.SubhashTest.com" -Cost 100 -Bidirectional $true -PublicFolderReferralsEnabled $true

once this is done make sure to create a receive connector on your exchange server (on SITE A) to allow your exchange server (on site B) to relay thru your internet facing exchange server (in this case, exchange server on site A)

So the routing will look like following once it's configured: A user who resides on site B sends a mail to test@gmail.com -> the mail goes thru your routing connector from site b exchange to site a exchange -> for site A exchange to allow this procedure, a receive connector is created which accepts the ip address of exchange on site B -> once this is done site A Exchange server will send the mail out on the internet "on behalf of" site b exchange.

 

Author Comment

by:gta156
ID: 33776516
JuusoConnecta,
This cmdlet is normally used to route emails between Exchange 2010 and 2003 right?  Anyway I tried to execute the cmdlet but I received an error message stating that the target server can't be in the same routing group as the source server.
What do you think?
Please note that Exchange 2003 Servers are still available in both sites!!
Thanks

Expert Comment

by:JuusoConnecta
ID: 33776909
Check out: http://www.eggheadcafe.com/software/aspnet/35810908/exchange-2007--exchange-2003-routing-group-connector.aspx (it's for exchange 2007 but will work for 2010 as well)

How is the old exchange server 2003 in SITE B accessing the internet ?

What is your end plan with this project ? Is it to migrate all users to exchange 2010 ?

In my experience I would do this in another way. I would just give the exchange 2010 server a public ip address itself and configure the MX records on your external DNS to point against that IP (if you do this remember the internal DNS records as well!). And after that configure the connectors to internet (so the exchange 2010 would not have any dependencies of your exchange 2003 servers in your organization, though co-existing will not be affected by this)

Also could you give me the exact command line you're trying to create the routing connector with ?
 

Author Comment

by:gta156
ID: 33777611
JuusoConnecta,
Thanks a lot for your help
The old Exchange 2003 in site B is accessing Internet via the Front-End Server in site A
The Plan is to remove Exchange 2003 once all users are on Exchange 2010
I wouldn't like to have another Internet facing Server in site B since that would imply that I have to install email antivirus and antispam there too.  The senior IT members are located in site A.
Following is the command that I typed:
New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "ye-boc-vex05" -TargetTransportServers "ye-soc-vex05" -Cost 100 -Bidirectional $true -PublicFolderReferralsEnabled $true
 Please note that currently I have a dedicated Internet connector for Exchange 2010 and in fact I have 2 MX records one for Exchange 2003 and the other for Exchange 2010

Expert Comment

by:JuusoConnecta
ID: 33778171
I understand your point regarding the anti-virus, spam filters etc.

So now Exchange 2003 in site B is accessing internet via the front-end server in site A. Is the site A exchange also behind the same front-end server as Exchange server in Site B ?
Or is site A exchange server behind another front-end server ?

Also I noticed that you said that you created a receive connector within the exchange server in SITE B  (the exchange 2010) ?
This allows Exchange 2003 to send mails (forward) mails to your exchange 2010, but have you also created a connector in exchange 2003 that will accept connections from exchange 2010 ?

Can you specify what send connector you have under EMC -> Organization Configuration -> Hub Transport -> Send Connector -> and give me the setting details,

Regarding the routinggroupconnector, I was mistaken, it was exchange 2007 that can coexist with 2003 routing connector, in Exchange 2010 you shouldn't move Exchange 2010 servers out of Exchange Routing Group (DWBGZMFD01QNBJR), and don't rename Exchange Routing Group (DWBGZMFD01QNBJR) by using a low-level directory editor. Neither action is supported. Exchange 2010 must use this routing group for communication with Exchange 2003

What we would need to do here is to set-routinggroupconnector: Set-RoutingGroupConnector -Identity "First Administrative Group\First Routing Group\X2003-CASHTP1" -SourceTransportServers "x2003.e2k7.local" -TargetTransportServers "cashtp1.e2k7.local" <--- for example.


Your site A and B are they in the same domain/root domain and connected thru site to site VPN ? Or are they on different domains?
 

Author Comment

by:gta156
ID: 33785637
Yes Exchange in Site A is behind the same Front-End Server as the one in Site B
Under Exchange 2003 I didn't create any new connectors since the deployment.
I created a Receive Connector for the Server on Site A
Following are the Send Connectors:
Internal YE-BOC-VEX05 (Transport Server in Site B)
Address Space *; Route mail Through the following smart host: YE-SOC-VEX05; Source Server: YE-BOC-VEX05
Internet Mail connector (Transport Server in Site A)
Address Space *; Network: Use DNS "MX"; Source Server: YE-SOC-VEX05
Internet Mail SMTP Connector (YE-BOC-EX01) (Exchange 2003 in Site B)
Address Space *; Route mail Through the following smart host: YE-SOC-VEX04; Source Server; empty

Internet Mail SMTP Connector (YE-BOC-VEX04) (Exchange 2003 Front-end Server in Site A)

Address Space *; Network: Use DNS "MX"; Source Server; empty
Basically with the cmdlet Set-RoutingGroupConnector we are modifying the current routing group right?  In your example X2003-CASHTP1 is the name of the routing group, x2003.e2k7.local is the Exch2003 Server in Site B and cashtp1.e2k7.local is the Exch2010 in site A?
There is only one Domain and the 2 sites are connected via a dedicated leased line
Thanks

Expert Comment

by:endital1097
ID: 33785680
did you make any changes to the "client servername" receive connector

Expert Comment

by:JuusoConnecta
ID: 33786672
Yes you're making changes into the current routing group. But considering the built that your exchange structure has. I think that the exchange server in your site A uses the front end server as a "smart host" ?
 

Author Comment

by:gta156
ID: 33786769
You mean Exch2010 on Site A? no it is not using the Exch2003 FE Server as a Smart host i.e. the connector "Internet Mail Connector".
endital1097,  The client receive connector on the Server in Site A has the following settings:
Authentication
"Transport Layer Security (TLS)"; "Basic Authentication"; "Exchange Server authentication"; "Integrated Windows authentication";
Permission Group
"Exchange users"; "Exchange servers"
Thanks
 

Expert Comment

by:endital1097
ID: 33787971
the client receive connector should not have exchange server authentication or exchange servers enabled
 

Author Comment

by:gta156
ID: 33789187
endital1097,
thanks for the update...so what are the options that should be enabled under the Permission Groups?
 
Thanks

Expert Comment

by:endital1097
ID: 33789624
PermissionGroups : ExchangeUsers
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
 

Author Comment

by:gta156
ID: 33797262
endital1097,
I did that but the problem persists....
JuusoConnecta,
If I execute the cmdlet Set-RoutingGroupConnector will I be able to revert back the changes in case I face problems with the part of the setup that is working properly?
Thanks
Kevin

Expert Comment

by:JuusoConnecta
ID: 33894921
gta,

what's the status regarding this ?
 

Author Comment

by:gta156
ID: 34008610
Dear JuusoConnecta,
The problem is still there...I didn't try your suggestion yet i.e. to use the set-routinggroupconnector cmdlet because I don't know how to roll back in case the change will break somewhere else in the setup.
Anything else I tried to solve the problem failed.
Thanks
 
Kevin

Expert Comment

by:JuusoConnecta
ID: 34008720
Hi gta,

Been a time, let me take a quick recap =]

Exchange 2003 with exchange 2010 at HQ <-- All mail flow here works, external internal, ex2003 to ex2010 and vice versa ?

Exchange 2010 at your second site that is not internet facing is unable to get any messages and send any messages with the error message that you provided in the topic ?
Is this both from ex2003 and ex2010 at HQ ?

Also is this new exchange 2010 in the same domain or is it a subdomain ?


cheers
 

Author Comment

by:gta156
ID: 34017109
Hi JuusoConnecta,

Correct at HQ mailflow works perfectly...external internal, ex2003 to ex 2010 and vice versa.

On the 2nd site that we called site B, mailflow for Exch 2003 is working perfectly only for Exch 2010 it is not working and only from internal to external. So I can receive external emails but I cannot reply, also I can send emails to users on Exchange Servers in HQ without any problems.

For example I just did a test and following is the error that I received back
Diagnostic information for administrators:
Generating server: YE-BOC-VEX05.yemenlng.corp.local
kevindebono@hotmail.com
YE-SOC-VEX05.yemenlng.corp.local #530 5.7.1 Client was not authenticated ##
Original message headers:
Received: from YE-BOC-VEX02.yemenlng.corp.local ([fe80::2d43:dc53:633a:414e])
by YE-BOC-VEX05.yemenlng.corp.local ([fe80::e17e:df6d:e946:786a%13]) with
mapi; Fri, 29 Oct 2010 06:55:18 +0300
From: Exch Test4
To: Kevin Debono , Exch Test1

Subject: RE: test 29/10
Thread-Topic: test 29/10
Thread-Index: AQHLdxzJVocMDJDL6U2K+nq3LQmWIJNXS/Dz
Date: Fri, 29 Oct 2010 03:55:10 +0000
Message-ID:
References:
In-Reply-To:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
boundary="_000_B250A566ACABD442AE8B8BFD4CD3036A4EEBBEYEBOCVEX02yemenln_"
MIME-Version: 1.0


I have only one domain...

There must be some setting somewhere that solves this problem!!!

Thanks

Kevin

Accepted Solution

by:
JuusoConnecta earned 500 total points
ID: 34018161
Since the exchange 2010 is not an internet-facing one, all mail route goes thru your exchange 2003.
Your exchange 2010 does not have permissions to "relay" thru your exchange 2003.

When you installed exchange 2010 you should've had an option where you pinpointed that you had already had exchange 2003 in your organization, thusforth they should be in the same routinggroupconnector, which looked ok If I remember correctly =].

can you check the posts ive written here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26560636.html


I've double checked a bunch of settings in the routinggroupconnector and the SMTP virtual server, (though this is for exchange 2007 same principles apply to your exchange 2010)

Can you also try to add exchange 2010 servers internal IP to the relay list of exchange 2003 ?


cheers
 

Author Comment

by:gta156
ID: 34025186
Dear JuusoConnecta,
Thanks a lot for your help...
I think that external emails are going via the receive connector on the Hub Transport Server at HQ.  In the NDR that I mentioned yesterday there is the following too:
Delivery has failed to these recipients or groups: kevindebono@hotmail.com (kevindebono@hotmail.com)
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.

The following organization rejected your message: YE-SOC-VEX05.yemenlng.corp.local

I included the IP address of the Hub Transport in Site B in the relay list of the Exchange 2003 Server but it didn't help.
Yes during the installation of the first Hub Transport Server I was asked regarding the Exchange 2003 and I pointed it to the Exchange 2003 FE at HQ.  When I look at Routing group created by the Exchange 2010 setup I have a connector between YE-SOC-VEX05 (Hub Transport Server at HQ) and YE-SOC-VEX04 (FE Server at HQ).
I'm really lost...with my limited knowledge on Exchange 2010 it seems that it is not possible to create a single Receive connector on the Exchange Internet-Facing Server to handle external emails from both site....
Thanks
 

Author Comment

by:gta156
ID: 34027672
JuusoConnecta,
The problem is finally solved and it is mainly thanks to the link that you've sent me because through it I followed a lot of other articles and did a lot of reading.  For the benefit of others that might read the post I will explain what I did.
So on the Hub Transport Server at HQ I have 2 receive Connectors, the Default one and another one that I created and called Internal.
The Default one is taking care of external emails and has the following settings:
  • FQDN: mail.yemenlng.com
  • Can receive emails from any remote Servers
  • Authentication: TLS
  • Permission Groups: Anonymous users, Exchange users, Exchange Servers, Legacy Servers
The connector called Internal has the following settings:
  • FQDN: ye-soc-vex05
  • Local IP 10.56.40.188
  • Receive emails: 10.56.25.26/32
  • Authentication: Exchange Server authentication
  • Permission Groups: Anonymous users
For the Internal connector I have executed the following from EMS:
Get-ReceiveConnector "YE-SOC-VEX05.yemenlng.corp.local\Internal" | Add-ADPermission -User "NT Authority\Anonymous LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Thanks a lot for helping me so much you deserve all the points:)
Kevin
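
The Internal connector described above lets unauthenticated senders relay to any recipient, so its "Receive emails" range (10.56.25.26/32 in the post) is the only thing keeping it from being an open relay. The following read-only audit is an added example, not part of the original thread: it lists every Receive connector where Anonymous Logon holds that right and flags any whose remote IP ranges cover all addresses; the variable names and the "any host" range strings are assumptions.

```powershell
# Added example: read-only audit of anonymous relay rights on Receive connectors.
# Run in the Exchange Management Shell; it changes no configuration.
# Written to stay compatible with PowerShell 2.0 (Exchange 2010).

$relayRight = '*SMTP-Accept-Any-Recipient'   # the right granted in the post above
$anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'

# Assumption: "any host" ranges render as these strings, the values a
# default connector shows for RemoteIPRanges.
$anyHost = @('0.0.0.0-255.255.255.255',
             '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff')

$findings = foreach ($connector in Get-ReceiveConnector) {

    # Allow entries that give Anonymous Logon the relay right on this connector.
    $relayAces = @($connector | Get-ADPermission | Where-Object {
        (-not $_.Deny) -and
        ("$($_.User)" -eq $anonymous) -and
        ($_.ExtendedRights -like $relayRight)
    })
    if ($relayAces.Count -eq 0) { continue }

    # Compare the connector's accepted source ranges with the "any host" values.
    $ranges   = @($connector.RemoteIPRanges | ForEach-Object { "$_" })
    $tooBroad = @($ranges | Where-Object { $anyHost -contains $_ })

    $verdict = 'Relay limited to listed ranges - confirm each is a trusted server'
    if ($tooBroad.Count -gt 0) {
        $verdict = 'OPEN RELAY RISK - anonymous relay accepted from any address'
    }

    New-Object PSObject -Property @{
        Connector      = "$($connector.Identity)"
        RemoteIPRanges = ($ranges -join ', ')
        AuthMechanism  = "$($connector.AuthMechanism)"
        Verdict        = $verdict
    }
}

if ($findings) {
    $findings |
        Select-Object Connector, RemoteIPRanges, AuthMechanism, Verdict |
        Format-List
} else {
    'No Receive connector grants the relay right to Anonymous Logon.'
}
```

A connector scoped like the Internal one in the post should report a single /32 range; any connector reported with an "any host" range needs its remote IP ranges narrowed or the right removed.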
 

Expert Comment

by:JuusoConnecta
ID: 34029396
Kevin, thanks for sharing the resolution, glad that you were able to solve it!

cheers