• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1068

Exchange 2010 SMTP Authentication against AD LDS

I've been troubleshooting this for weeks without luck.

I'm currently running a mix of Exchange 2003 mailbox/front end and Exchange 2010 mailbox/client access/hub deployment, all on individual physical or virtual servers (5 total).  I installed the edge transport role on a sixth server in my DMZ.  Following MULTIPLE edge transport install guides, I was able to get my edge transport server up and running.  

As I was moving mailboxes from the 2003 to the 2010 mailbox server, I discovered a problem with a user that is exclusively SMTP/POP.  On the 2003 mailbox/front end it was easy to have that user authenticate before SMTP to prevent relaying.  I am unable to get the edge transport to authenticate any Active Directory users.

I have installed and re-installed the edge transport multiple times.  For my current edge test, I've moved it onto my AD network (still stand-alone) to rule out any firewall problems.

I've tested extensively using a telnet session along with the AUTH LOGIN command.

I think the problem is that the edge transport is unable to authenticate to the AD LDS instance installed during the Exchange edge transport role install.  I feel this way because if I create a local user on the edge transport role server, SMTP authenticates successfully.  I'm also receiving a monitoring error for the Exchange-installed LDS instance (attached image).

Executing the Exchange Management Shell command "Start-EdgeSynchronization -Server <hub_transport> -TargetServer <edge_transport> -ForceFullSync" doesn't show any errors that I can tell.

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Configuration
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 2
Scanned        : 35
TargetScanned  : 0

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Recipients
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 160
Scanned        : 268
TargetScanned  : 0

However, the command "Test-EdgeSynchronization -VerifyRecipient username@domain.com" returns a mixed message of:

RunspaceId                  : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
SyncStatus                  : Inconclusive
UtcNow                      : 3/15/2012 1:33:16 PM
Name                        : EDGESERVER
LeaseHolder                 : CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=My Exchange Server,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=ORG
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 3/15/2012 2:01:57 PM
LastSynchronizedUtc         : 3/15/2012 1:31:57 PM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2

I have checked and double-checked everything I know how to check.  I can telnet to 50389 and 50636.

I'm stuck in a holding pattern until I can get this resolved.

Thanks in advance.
[Attached image: Exchange-ADAM.jpg]
Asked by: mlehnertz
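The manual telnet AUTH LOGIN test described in the question, put into a scriptable form as an added Python example (not code from the original post): it parses the EHLO reply for the advertised AUTH mechanisms and STARTTLS, builds the three client lines the tester types, decodes the server's 334 challenges, and classifies the final reply. The EHLO banner, host name and address below are constructed samples, not captures from the author's server.

```python
import base64
import re

# Constructed sample EHLO reply, standing in for what a receive connector
# returns during a telnet test. Not captured from the author's server.
SAMPLE_EHLO = [
    "250-EDGESERVER.example.org Hello [203.0.113.10]",
    "250-SIZE 10485760",
    "250-STARTTLS",
    "250-AUTH LOGIN NTLM",
    "250 8BITMIME",
]


def parse_ehlo(lines):
    """Return (auth_mechanisms, starttls_offered) from EHLO reply lines."""
    mechs, starttls = set(), False
    for line in lines:
        body = re.sub(r"^250[- ]", "", line).strip()
        if body.upper() == "STARTTLS":
            starttls = True
        elif body.upper().startswith("AUTH"):
            mechs.update(m.upper() for m in body.split()[1:])
    return mechs, starttls


def b64(text):
    return base64.b64encode(text.encode()).decode()


def auth_login_client_lines(username, password):
    """The three lines a tester types for AUTH LOGIN. Note that LOGIN only
    base64-encodes the credentials; it does not protect them, so a
    connector should require TLS (STARTTLS first) before offering it."""
    return ["AUTH LOGIN", b64(username), b64(password)]


def decode_prompt(reply):
    """Decode a '334 <base64>' server challenge such as 'Username:'."""
    code, _, payload = reply.partition(" ")
    if code != "334":
        raise ValueError("not an AUTH continuation reply: %r" % reply)
    return base64.b64decode(payload).decode()


def classify_reply(reply):
    """Map the final SMTP reply of an AUTH exchange to an outcome."""
    code = reply[:3]
    if code == "235":
        return "authenticated"
    if code == "535":
        return "rejected"       # credentials not accepted by the server
    if code in ("504", "538"):
        return "unsupported"    # mechanism not offered, or TLS required
    return "other"
```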
1 Solution
 
mlehnertz (Author) Commented:
Anybody?
 
abdulalikhan Commented:
The Edge server is only responsible for email transport and for receiving email from the Internet; you cannot restrict it to a limited set of IPs, and allowing POP/SMTP for every user with authentication will conflict with the default receive connectors.
 
mlehnertz (Author) Commented:
If I read this correctly, the "by design" behavior for the edge transport role is to NOT enable the ability to authenticate during SMTP.  It is strictly a server-to-server transport device and does not allow interaction with email clients.  This does make sense, but please correct me if I'm wrong.

So if that's the case, why does it matter that AD LDS is installed on the edge transport role?

Also, how would you suggest I authenticate a user before allowing an SMTP relay?  Should I create a private NAT through my firewall to the hub transport server?  I've considered this since my original posting.

The bottom line is that I have external SMTP/POP email clients that require a method of sending email via SMTP through my mail servers.  Any suggestions would be GREATLY appreciated.
 
abdulalikhan Commented:
For the first part, your understanding is similar to mine.

The AD LDS role is installed because of Edge Synchronization. It can minimize the email traffic on the Hub Transport server, which is more critical, as edge synchronization makes recipient filtering easy to control.

Yes, I have NATed the SMTP/POP users to the Hub Transport for a few of the customers, and it is working fine.
 
mlehnertz (Author) Commented:
I'm not happy with the solution but until I can discover a better one...