Sign in with
Sign up | Sign in
Your question

Exchange not authenticating

Last response: in Windows 2000/NT
Share
Anonymous
January 9, 2005 12:55:55 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.windowsxp.general (More info?)

I have a WinXP Prof client trying to authenticate to Exchange through a
Cisco VPN 3.0

I can connect and authenticate to all network resources with the exception
of Exchange...it doesn't utilize the integrated single-sign-on that it
normally used to. What I notice in my services applet is that IPSec service
stops upon authentication of the VPN...could that have something to do with
it?

Any ideas or suggestions would be helpful.

--
_____
DC G
Anonymous
January 9, 2005 12:55:56 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.windowsxp.general (More info?)

If you are using the Outlook 2003 client, change authentication security in
Outlook from Kerberos/NTLM to just NTLM.

"DC Gringo" <dcgringo@visiontechnology.net> wrote in message
news:%23Hp7Ttl9EHA.1408@TK2MSFTNGP10.phx.gbl...
>I have a WinXP Prof client trying to authenticate to Exchange through a
> Cisco VPN 3.0
>
> I can connect and authenticate to all network resources with the exception
> of Exchange...it doesn't utilize the integrated single-sign-on that it
> normally used to. What I notice in my services applet is that IPSec
> service
> stops upon authentication of the VPN...could that have something to do
> with
> it?
>
> Any ideas or suggestions would be helpful.
>
> --
> _____
> DC G
>
>
Anonymous
January 9, 2005 2:04:56 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.windowsxp.general (More info?)

Nope, Outlook 2002...

_____
DC G

"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:unRH7yl9EHA.1544@TK2MSFTNGP11.phx.gbl...
> If you are using the Outlook 2003 client, change authentication security
in
> Outlook from Kerberos/NTLM to just NTLM.
>
> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> news:%23Hp7Ttl9EHA.1408@TK2MSFTNGP10.phx.gbl...
> >I have a WinXP Prof client trying to authenticate to Exchange through a
> > Cisco VPN 3.0
> >
> > I can connect and authenticate to all network resources with the
exception
> > of Exchange...it doesn't utilize the integrated single-sign-on that it
> > normally used to. What I notice in my services applet is that IPSec
> > service
> > stops upon authentication of the VPN...could that have something to do
> > with
> > it?
> >
> > Any ideas or suggestions would be helpful.
> >
> > --
> > _____
> > DC G
> >
> >
>
>
Related resources
Anonymous
January 9, 2005 2:04:57 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.windowsxp.general (More info?)

Have you verified that DNS/WINS name resolution is working OK for the VPN
client? (use NSLOOKUP and NBTSTAT to verify each.)

"DC Gringo" <dcgringo@visiontechnology.net> wrote in message
news:u%23NS3Tm9EHA.2012@TK2MSFTNGP15.phx.gbl...
> Nope, Outlook 2002...
>
> _____
> DC G
>
> "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> news:unRH7yl9EHA.1544@TK2MSFTNGP11.phx.gbl...
>> If you are using the Outlook 2003 client, change authentication security
> in
>> Outlook from Kerberos/NTLM to just NTLM.
>>
>> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
>> news:%23Hp7Ttl9EHA.1408@TK2MSFTNGP10.phx.gbl...
>> >I have a WinXP Prof client trying to authenticate to Exchange through a
>> > Cisco VPN 3.0
>> >
>> > I can connect and authenticate to all network resources with the
> exception
>> > of Exchange...it doesn't utilize the integrated single-sign-on that it
>> > normally used to. What I notice in my services applet is that IPSec
>> > service
>> > stops upon authentication of the VPN...could that have something to do
>> > with
>> > it?
>> >
>> > Any ideas or suggestions would be helpful.
>> >
>> > --
>> > _____
>> > DC G
>> >
>> >
>>
>>
>
>
Anonymous
January 9, 2005 7:01:56 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.windowsxp.general (More info?)

I have had some DNS issues, but only involving a couple of servers that are
co-located through another separate VPN.

What check do you want me to do, specifically with nslookup and nbtstat?

_____
DC G

"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:uZJCibm9EHA.2596@tk2msftngp13.phx.gbl...
> Have you verified that DNS/WINS name resolution is working OK for the VPN
> client? (use NSLOOKUP and NBTSTAT to verify each.)
>
> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> news:u%23NS3Tm9EHA.2012@TK2MSFTNGP15.phx.gbl...
> > Nope, Outlook 2002...
> >
> > _____
> > DC G
> >
> > "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> > news:unRH7yl9EHA.1544@TK2MSFTNGP11.phx.gbl...
> >> If you are using the Outlook 2003 client, change authentication
security
> > in
> >> Outlook from Kerberos/NTLM to just NTLM.
> >>
> >> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> >> news:%23Hp7Ttl9EHA.1408@TK2MSFTNGP10.phx.gbl...
> >> >I have a WinXP Prof client trying to authenticate to Exchange through
a
> >> > Cisco VPN 3.0
> >> >
> >> > I can connect and authenticate to all network resources with the
> > exception
> >> > of Exchange...it doesn't utilize the integrated single-sign-on that
it
> >> > normally used to. What I notice in my services applet is that IPSec
> >> > service
> >> > stops upon authentication of the VPN...could that have something to
do
> >> > with
> >> > it?
> >> >
> >> > Any ideas or suggestions would be helpful.
> >> >
> >> > --
> >> > _____
> >> > DC G
> >> >
> >> >
> >>
> >>
> >
> >
>
>
Anonymous
January 9, 2005 7:07:27 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.windowsxp.general (More info?)

It appears to be working correctly...

nbtstat -r gives me:

Resolved By Broadcast = 0
Resolved By Name Server = 5

Registered by Broadcast = 10
Registered By Name Server = 7

nslookup mymachine gives me:

(on the LAN)
Server: abc-share1.company.net
Address: 10.0.0.65

(on the VPN)
Name: mymachine.company.net
Address: 10.0.2.167

_____
DC G

"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:uZJCibm9EHA.2596@tk2msftngp13.phx.gbl...
> Have you verified that DNS/WINS name resolution is working OK for the VPN
> client? (use NSLOOKUP and NBTSTAT to verify each.)
>
> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> news:u%23NS3Tm9EHA.2012@TK2MSFTNGP15.phx.gbl...
> > Nope, Outlook 2002...
> >
> > _____
> > DC G
> >
> > "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> > news:unRH7yl9EHA.1544@TK2MSFTNGP11.phx.gbl...
> >> If you are using the Outlook 2003 client, change authentication
security
> > in
> >> Outlook from Kerberos/NTLM to just NTLM.
> >>
> >> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> >> news:%23Hp7Ttl9EHA.1408@TK2MSFTNGP10.phx.gbl...
> >> >I have a WinXP Prof client trying to authenticate to Exchange through
a
> >> > Cisco VPN 3.0
> >> >
> >> > I can connect and authenticate to all network resources with the
> > exception
> >> > of Exchange...it doesn't utilize the integrated single-sign-on that
it
> >> > normally used to. What I notice in my services applet is that IPSec
> >> > service
> >> > stops upon authentication of the VPN...could that have something to
do
> >> > with
> >> > it?
> >> >
> >> > Any ideas or suggestions would be helpful.
> >> >
> >> > --
> >> > _____
> >> > DC G
> >> >
> >> >
> >>
> >>
> >
> >
>
>
Anonymous
January 9, 2005 8:32:51 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.windowsxp.general (More info?)

connect to the network via vpn and then do the following.

nbtstat -a <exchange server name>
nbtstat -A <ip address of exchange server>

nslookup -q=A <exchange server name>
nslookup -q=A <fqdn.exchange.server.name>

basically what we are looking for is to see if anything comes back on a
secondary interface that says not found or slow name resolution. By the
way, you didn't mention what version of Exchange is in use, so if it is
Exchange 200x, then do the same tests above with the name of the global
catalog server(s).

"DC Gringo" <dcgringo@visiontechnology.net> wrote in message
news:%23tHs68o9EHA.1392@tk2msftngp13.phx.gbl...
> It appears to be working correctly...
>
> nbtstat -r gives me:
>
> Resolved By Broadcast = 0
> Resolved By Name Server = 5
>
> Registered by Broadcast = 10
> Registered By Name Server = 7
>
> nslookup mymachine gives me:
>
> (on the LAN)
> Server: abc-share1.company.net
> Address: 10.0.0.65
>
> (on the VPN)
> Name: mymachine.company.net
> Address: 10.0.2.167
>
> _____
> DC G
>
> "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> news:uZJCibm9EHA.2596@tk2msftngp13.phx.gbl...
>> Have you verified that DNS/WINS name resolution is working OK for the VPN
>> client? (use NSLOOKUP and NBTSTAT to verify each.)
>>
>> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
>> news:u%23NS3Tm9EHA.2012@TK2MSFTNGP15.phx.gbl...
>> > Nope, Outlook 2002...
>> >
>> > _____
>> > DC G
>> >
>> > "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
>> > news:unRH7yl9EHA.1544@TK2MSFTNGP11.phx.gbl...
>> >> If you are using the Outlook 2003 client, change authentication
> security
>> > in
>> >> Outlook from Kerberos/NTLM to just NTLM.
>> >>
>> >> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
>> >> news:%23Hp7Ttl9EHA.1408@TK2MSFTNGP10.phx.gbl...
>> >> >I have a WinXP Prof client trying to authenticate to Exchange through
> a
>> >> > Cisco VPN 3.0
>> >> >
>> >> > I can connect and authenticate to all network resources with the
>> > exception
>> >> > of Exchange...it doesn't utilize the integrated single-sign-on that
> it
>> >> > normally used to. What I notice in my services applet is that IPSec
>> >> > service
>> >> > stops upon authentication of the VPN...could that have something to
> do
>> >> > with
>> >> > it?
>> >> >
>> >> > Any ideas or suggestions would be helpful.
>> >> >
>> >> > --
>> >> > _____
>> >> > DC G
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>
Anonymous
January 10, 2005 2:38:56 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.windowsxp.general (More info?)

Ok, here goes:


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

H:\>nbtstat -a chq-exchange

Local Area Connection:
Node IpAddress: [10.0.1.108] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
HQ-EXCHANGE <20> UNIQUE Registered
HQ-EXCHANGE <00> UNIQUE Registered

MAC Address = xx-xx-xx-xx-xx-xx


H:\>nbtstat -A 10.0.0.8

Local Area Connection:
Node IpAddress: [10.0.1.108] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
HQ-EXCHANGE <20> UNIQUE Registered
HQ-EXCHANGE <00> UNIQUE Registered

MAC Address = xx-xx-xx-xx-xx-xx


H:\>nslookup -q=A hq-exchange
Server: hq-share1.company.net
Address: 10.0.0.65

Name: hq-exchange.company.net
Address: 10.0.0.8


H:\>nslookup -q=A hq-exchange.company.net
Server: hq-share1.company.net
Address: 10.0.0.65

Name: hq-exchange.company.net
Address: 10.0.0.8


H:\>
"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:eHynNRr9EHA.2876@TK2MSFTNGP12.phx.gbl...
> connect to the network via vpn and then do the following.
>
> nbtstat -a <exchange server name>
> nbtstat -A <ip address of exchange server>
>
> nslookup -q=A <exchange server name>
> nslookup -q=A <fqdn.exchange.server.name>
>
> basically what we are looking for is to see if anything comes back on a
> secondary interface that says not found or slow name resolution. By the
> way, you didn't mention what version of Exchange is in use, so if it is
> Exchange 200x, then do the same tests above with the name of the global
> catalog server(s).
>
> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> news:%23tHs68o9EHA.1392@tk2msftngp13.phx.gbl...
> > It appears to be working correctly...
> >
> > nbtstat -r gives me:
> >
> > Resolved By Broadcast = 0
> > Resolved By Name Server = 5
> >
> > Registered by Broadcast = 10
> > Registered By Name Server = 7
> >
> > nslookup mymachine gives me:
> >
> > (on the LAN)
> > Server: abc-share1.company.net
> > Address: 10.0.0.65
> >
> > (on the VPN)
> > Name: mymachine.company.net
> > Address: 10.0.2.167
> >
> > _____
> > DC G
> >
> > "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> > news:uZJCibm9EHA.2596@tk2msftngp13.phx.gbl...
> >> Have you verified that DNS/WINS name resolution is working OK for the
VPN
> >> client? (use NSLOOKUP and NBTSTAT to verify each.)
> >>
> >> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> >> news:u%23NS3Tm9EHA.2012@TK2MSFTNGP15.phx.gbl...
> >> > Nope, Outlook 2002...
> >> >
> >> > _____
> >> > DC G
> >> >
> >> > "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> >> > news:unRH7yl9EHA.1544@TK2MSFTNGP11.phx.gbl...
> >> >> If you are using the Outlook 2003 client, change authentication
> > security
> >> > in
> >> >> Outlook from Kerberos/NTLM to just NTLM.
> >> >>
> >> >> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> >> >> news:%23Hp7Ttl9EHA.1408@TK2MSFTNGP10.phx.gbl...
> >> >> >I have a WinXP Prof client trying to authenticate to Exchange
through
> > a
> >> >> > Cisco VPN 3.0
> >> >> >
> >> >> > I can connect and authenticate to all network resources with the
> >> > exception
> >> >> > of Exchange...it doesn't utilize the integrated single-sign-on
that
> > it
> >> >> > normally used to. What I notice in my services applet is that
IPSec
> >> >> > service
> >> >> > stops upon authentication of the VPN...could that have something
to
> > do
> >> >> > with
> >> >> > it?
> >> >> >
> >> >> > Any ideas or suggestions would be helpful.
> >> >> >
> >> >> > --
> >> >> > _____
> >> >> > DC G
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
Anonymous
January 10, 2005 2:51:26 PM

Archived from groups: microsoft.public.exchange2000.general,microsoft.public.win2000.networking,microsoft.public.win2000.security (More info?)

Neo, here is my netdiag as well:

C:\Program Files\Support Tools>netdiag

....................................^C
C:\Program Files\Support Tools>netdiag

.........................................

Computer Name: CIL-132
DNS Host Name: CIL-132.company.net
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 6 Model 9 Stepping 5, GenuineIntel
List of installed hotfixes :
KB823559
KB828741
KB833407
KB833987
KB835732
KB841533
KB873376
KB887822
Q147222
Q323255
Q329115


Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'RAS Async Adapter' may not be working because it
has
not received any packets.
GetStats failed for 'Infrared Port'. [ERROR_NOT_SUPPORTED]
[WARNING] The net card 'SMC IrCC - Fast Infrared Port' may not be
working be
cause it has not received any packets.



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : CIL-132
IP Address . . . . . . . . : 10.0.1.108
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 10.0.0.2
Primary WINS Server. . . . : 10.0.0.56
Secondary WINS Server. . . : 10.0.0.65
Dns Servers. . . . . . . . : 10.0.0.65
10.0.0.56


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{835C0C29-41D5-4784-80B8-FC860CFF960C}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{835C0C29-41D5-4784-80B8-FC860CFF960C}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{835C0C29-41D5-4784-80B8-FC860CFF960C}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
Secure channel for domain 'company_HQ' is to '\\hq-ADMIN.company.net'.


Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/CIL-132.company.net.


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC
'hq-share1129a.company.n
et'.
[WARNING] Failed to query SPN registration on DC
'hq-share2.company.net'.

[WARNING] Failed to query SPN registration on DC
'hq-share1.company.net'.

[WARNING] Failed to query SPN registration on DC 'hq-avsms.company.net'.
[WARNING] Failed to query SPN registration on DC
'hq-share1129b.company.n
et'.
[WARNING] Failed to query SPN registration on DC 'hq-ADMIN.company.net'.
[WARNING] Failed to query SPN registration on DC 'hq-dc1.company.net'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information


The command completed successfully

C:\Program Files\Support Tools>


"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:eHynNRr9EHA.2876@TK2MSFTNGP12.phx.gbl...
> connect to the network via vpn and then do the following.
>
> nbtstat -a <exchange server name>
> nbtstat -A <ip address of exchange server>
>
> nslookup -q=A <exchange server name>
> nslookup -q=A <fqdn.exchange.server.name>
>
> basically what we are looking for is to see if anything comes back on a
> secondary interface that says not found or slow name resolution. By the
> way, you didn't mention what version of Exchange is in use, so if it is
> Exchange 200x, then do the same tests above with the name of the global
> catalog server(s).
>
> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> news:%23tHs68o9EHA.1392@tk2msftngp13.phx.gbl...
> > It appears to be working correctly...
> >
> > nbtstat -r gives me:
> >
> > Resolved By Broadcast = 0
> > Resolved By Name Server = 5
> >
> > Registered by Broadcast = 10
> > Registered By Name Server = 7
> >
> > nslookup mymachine gives me:
> >
> > (on the LAN)
> > Server: abc-share1.company.net
> > Address: 10.0.0.65
> >
> > (on the VPN)
> > Name: mymachine.company.net
> > Address: 10.0.2.167
> >
> > _____
> > DC G
> >
> > "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> > news:uZJCibm9EHA.2596@tk2msftngp13.phx.gbl...
> >> Have you verified that DNS/WINS name resolution is working OK for the
VPN
> >> client? (use NSLOOKUP and NBTSTAT to verify each.)
> >>
> >> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> >> news:u%23NS3Tm9EHA.2012@TK2MSFTNGP15.phx.gbl...
> >> > Nope, Outlook 2002...
> >> >
> >> > _____
> >> > DC G
> >> >
> >> > "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> >> > news:unRH7yl9EHA.1544@TK2MSFTNGP11.phx.gbl...
> >> >> If you are using the Outlook 2003 client, change authentication
> > security
> >> > in
> >> >> Outlook from Kerberos/NTLM to just NTLM.
> >> >>
> >> >> "DC Gringo" <dcgringo@visiontechnology.net> wrote in message
> >> >> news:%23Hp7Ttl9EHA.1408@TK2MSFTNGP10.phx.gbl...
> >> >> >I have a WinXP Prof client trying to authenticate to Exchange
through
> > a
> >> >> > Cisco VPN 3.0
> >> >> >
> >> >> > I can connect and authenticate to all network resources with the
> >> > exception
> >> >> > of Exchange...it doesn't utilize the integrated single-sign-on
that
> > it
> >> >> > normally used to. What I notice in my services applet is that
IPSec
> >> >> > service
> >> >> > stops upon authentication of the VPN...could that have something
to
> > do
> >> >> > with
> >> >> > it?
> >> >> >
> >> >> > Any ideas or suggestions would be helpful.
> >> >> >
> >> >> > --
> >> >> > _____
> >> >> > DC G
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
!