Exchange 2010 SMTP Authentication against AD LDS

Posted on 2012-03-15
Medium Priority
Last Modified: 2012-03-27
I've been troubleshooting this for weeks without luck.

I'm currently running a mix of Exchange 2003 mailbox/front end and Exchange 2010 mailbox/client access/hub deployment, all on individual physical or virtual servers (5 total).  I installed the edge transport role on a sixth server in my DMZ.  Following MULTIPLE edge transport install guides, I was able to get my edge transport server up and running.  

As I was moving mailboxes from the 2003 to the 2010 mailbox server, I discovered a problem with a user that is exclusively SMTP/POP.  On the 2003 mailbox/front end it was easy to have that user authenticate before SMTP to prevent relaying.  I am unable to get the edge transport to authenticate any Active Directory users.

I have installed and re-installed the edge transport multiple times.  For my current edge test, I've moved it onto my AD network (still stand-alone) to rule out any firewall problems.

I've tested extensively using a telnet session along with the AUTH LOGIN command.

What I think the problem is, is that the edge transport is unable to authenticate to the AD LDS instance installed during the Exchange edge transport role install.  I feel this way because if I create a local user on the edge transport role server, SMTP authenticates successfully.  I'm also receiving a monitoring error for the Exchange-installed LDS instance (attached image).

Executing the Exchange Management Shell command "Start-EdgeSynchronization -Server <hub_transport> -TargetServer <edge_transport> -ForceFullSync" doesn't show any errors that I can tell.

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Configuration
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 2
Scanned        : 35
TargetScanned  : 0

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Recipients
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 160
Scanned        : 268
TargetScanned  : 0

However, the command "Test-EdgeSynchronization -VerifyRecipient" returns a mixed message of:

RunspaceId                  : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
SyncStatus                  : Inconclusive
UtcNow                      : 3/15/2012 1:33:16 PM
Name                        : EDGESERVER
LeaseHolder                 : CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=My Exchange Server,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=ORG
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 3/15/2012 2:01:57 PM
LastSynchronizedUtc         : 3/15/2012 1:31:57 PM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2

I have checked and double-checked everything I know how to check.  I can telnet to 50389 and 50636.

I'm stuck in a holding pattern until I can get this resolved.

Thanks in advance.
Question by: mlehnertz
Expert Comment

ID: 37770000
The Edge server is only responsible for email transport and for receiving email from the Internet; you cannot restrict it to limited IPs, and allowing POP/SMTP for every user with authentication will conflict with the default receive connectors.

Author Comment

ID: 37772906
If I read this correctly, the "by design" behavior for the edge transport role is to NOT enable the ability to authenticate during SMTP.  It is strictly a server-to-server transport device and does not allow interaction between email clients.  This does make sense, but please correct me if I'm wrong.

So if that's the case, why does it matter that AD LDS is installed on the edge transport role?

Also, how would you suggest I authenticate a user before allowing an SMTP relay?  Should I create a private NAT through my firewall to the hub transport server?  I've considered this since my original posting.

The bottom line is that I have external SMTP/POP email clients that require a method of sending email via SMTP through my mail servers.  Any suggestions would be GREATLY appreciated.

Accepted Solution

abdulalikhan earned 1500 total points
ID: 37773145
For the first part, your understanding is similar to mine.

The AD LDS role is installed because of Edge Synchronization. It can minimize the email traffic on the Hub Transport server, which is more critical, as edge synchronization will control recipient filtering easily.

Yes, I have NATed the SMTP/POP users to the Hub Transport for a few customers and it is working fine.
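One way to set up the authenticated submission path the accepted answer describes (firewall NAT to the Hub Transport, not the Edge), as an added Exchange Management Shell example that is not from the thread. The connector name, the 587 binding and the use of EXCHHUB (the Hub Transport named in the Test-EdgeSynchronization output above) are assumptions; the NAT rule itself lives on the firewall.

```powershell
# Added example, not from the thread. Assumes the Hub Transport server is EXCHHUB
# and that it already has a certificate usable for STARTTLS.
$hub = "EXCHHUB"

# Dedicated client-submission connector on the Hub Transport. It only grants the
# ExchangeUsers permission group (no AnonymousUsers, so no open relay) and only
# accepts Basic auth inside TLS, so POP/SMTP clients on the Internet never send
# their AD credentials in the clear across the NAT'd path.
New-ReceiveConnector -Name "Client Submission (Internet)" -Server $hub `
    -Usage Custom `
    -Bindings "0.0.0.0:587" `
    -RemoteIPRanges "0.0.0.0-255.255.255.255" `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers `
    -RequireTLS $true

# Review every connector on the Hub: anything that combines AnonymousUsers with a
# wide RemoteIPRanges, or BasicAuth without BasicAuthRequireTLS, needs attention.
Get-ReceiveConnector -Server $hub |
    Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, RequireTLS |
    Format-List
```

After the firewall forwards TCP 587 to the Hub, repeat the telnet EHLO/AUTH LOGIN test from the question against that port; the server should only advertise AUTH after STARTTLS.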

Author Comment

ID: 37773565
I'm not happy with the solution but until I can discover a better one...
