Exchange 2010 SMTP Authentication against AD LDS

Posted on 2012-03-15
Last Modified: 2012-03-27
I've been troubleshooting this for weeks without luck.

I'm currently running a mix of Exchange 2003 mailbox/front end and Exchange 2010 mailbox/client access/hub deployment, all on individual physical or virtual servers (5 total).  I installed the edge transport role on a sixth server in my DMZ.  Following MULTIPLE edge transport install guides, I was able to get my edge transport server up and running.  

As I was moving mailboxes from the 2003 to the 2010 mailbox server, I discovered a problem with a user that is exclusively SMTP/POP.  On the 2003 mailbox/front end it was easy to have that user authenticate before SMTP to prevent relaying.  I am unable to get the edge transport to authenticate any Active Directory users.

I have installed and re-installed the edge transport multiple times.  My current edge test, I've moved to onto my AD network (still stand alone) to rule out any firewall problems.

I've tested extensively using a telnet session along with the AUTH LOGIN command.

What I think the problem is, is that the edge transport is unable to authenticate to the AD LDS instance installed during the Exchange edge transport role install.  I feel this way because if I create a local user on the edge transport role server, SMTP authenticates successfully.  I'm also receiving a monitoring error for the Exchange-installed LDS instance (attached image).

Executing the Exchange Management Shell command "Start-EdgeSynchronization -Server <hub_transport> -TargetServer <edge_transport> -ForceFullSync" doesn't show any errors that I can tell.

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Configuration
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 2
Scanned        : 35
TargetScanned  : 0

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Recipients
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 160
Scanned        : 268
TargetScanned  : 0

However, the command "Test-EdgeSynchronization -VerifyRecipient" returns a mixed message of:

RunspaceId                  : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
SyncStatus                  : Inconclusive
UtcNow                      : 3/15/2012 1:33:16 PM
Name                        : EDGESERVER
LeaseHolder                 : CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=My Exchange Server,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=ORG
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 3/15/2012 2:01:57 PM
LastSynchronizedUtc         : 3/15/2012 1:31:57 PM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2

I have checked and double-checked everything I know how to check.  I can telnet to 50389 and 50636.

I'm stuck in a holding pattern until I can get this resolved.

Thanks in advance.
Question by:mlehnertz
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Author Comment

ID: 37749110

Expert Comment

ID: 37770000
Edge server is only responsible for Email transportation and for receiving emails from the internet you cannot restrict it for limited IPs and allowing POP/SMTP for every user with the authentication will conflict with the default receive connectors.

Author Comment

ID: 37772906
If I read this correctly, the "by design" behavior for the edge transport role is to NOT enable the ability to authenticate during SMTP.  It is strictly a server-to-server transport device and does not allow interaction between email clients.  This does make sense, but please correct me if I'm wrong.

So if that's the case, why does it matter than AD LDS is installed on the edge transport role?

Also, how would you suggest I authenticate a user before allowing an SMTP relay?  Should I create a private NAT through my firewall to the hub transport server?  I've considered this since my original posting.

The bottom line is that I have external SMTP/POP email clients that require a method of sending email via SMTP through my mail servers.  Any suggestions would be GREATLY appreciated.

Accepted Solution

abdulalikhan earned 500 total points
ID: 37773145
For the first part of your understanding it is similar to mine.

AD LDS role is installed because of Edge Synchronization. It can minimize the email traffic on HUB Transport server which is more critical, as edge synchronization will control recipient filtering easily.

Yes, I have NAT the SMTP / POP users to HUB transport for few of the Customers and it is working fine.

Author Comment

ID: 37773565
I'm not happy with the solution but until I can discover a better one...

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question