Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Terms
of Use |
Trademarks
Article ID: 979174 - Last Review: February 1, 2010 - Revision: 1.0
Event ID: 1035 is logged when some e-mail messages are stuck in a remote delivery queue in a Microsoft Exchange Server 2007 environment or in a Microsoft Exchange Server 2010 environment
In a Microsoft Exchange Server 2007 environment or in a Microsoft Exchange Server 2010 environment, some
e-mail messages are stuck in a remote delivery queue that should have
been
transferred to another Exchange server in the Exchange organization. If you
open the
Queue Viewer tool from the
Toolbox
node on the Exchange Management Console, the
Last Error field displays
an error message that resembles the following:
451 4.4.0 Primary target IP address responded with: "454 4.7.0 Temporary authentication failure." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
Additionally,
you may find the following error message in the Application log file
on the Exchange server that is receiving the e-mail message:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Description:
Inbound authentication failed with error IllegalMessage for Receive connector Default <Server>. The authentication mechanism is ExchangeAuth. The source IP address of the client who tried to authenticate to Microsoft Exchange is [xxx.xxx.xxx.xxx].
This issue occurs
if the Exchange server cannot authenticate with the remote Exchange server. Exchange
servers requires authentication
to
route internal user messages between servers. The issue can be caused by
one of the following reasons:
- The
Exchange server is experiencing Time
synchronization issues
- The
Exchange server is experiencing Service Principle Name
(SPN) issues
- The required TCP/UDP ports for the Kerberos protocol are
blocked by the firewall.
To resolve this issue, follow these steps:
- Check the clock on both servers and domain controllers
that might be used to authenticate the servers. All clocks should be
synchronized to within 5 minutes of one
other.
- Verify that the Service Principle Name (SPN) for SMTPSVC is
registered correctly
on
the target server.
- Verify that the ports required for Kerberos are
enabled.
- If the previous steps do not work,
you can turn
on
logging for Kerberos on the Server that is registering the Event
1035 message, which may provide additional information. To do this, follow
these steps:
- Click Start, click
Run, type Regedit, and then click
OK.
- Locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- On the Edit menu, point to
New, and then click DWORD Value.
- In the details pane, input the new value
LogLevel, and then press
Enter.
- Right-click LogLevel, and then click
Modify.
- In the Edit DWORD Value dialog box,
under Base, click Decimal.
- In the Value data box, type the value
1, and then click OK.
- Close Registry Editor.
- Check the Application log for any Kerberos Errors
again.
Microsoft
has confirmed that this is a problem in the Microsoft products that are listed
in the "Applies to" section.
APPLIES TO
- Microsoft Exchange Server 2007 Standard Edition
- Microsoft Exchange Server 2007 Enterprise Edition
- Microsoft Exchange Server 2010 Enterprise
- Microsoft Exchange Server 2010 Standard
| kbsurveynew kbtshoot kbexpertisebeginner kbexpertiseinter KB979174 |
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate
Be the first to leave feedback, to help others about this knowledge base
article.
(Optional) Name
(Optional)
Public URL Or Email
Comments
No
HTML -- Text Only Please