A small Exchange 2007 case from today, between two Exchange 2007 servers:
Inbound authentication failed with error IllegalMessage for Receive connector Default MYEXSERVER.The authentication mechanism is ExchangeAuth. The source IP address of the client who tried to authenticate to Microsoft Exchange is [172.16.18.126].
Looking at the SPNs, we can see that everything is correct:
Registered ServicePrincipalNames for CN=MYEXSERVER,OU=Domain Controllers,DC=UNIFIEDIT,DC=local:
POP3/MYEXSERVER
POP3/MYEXSERVER.unifiedit.local
exchangeMDB/MYEXSERVER.unifiedit.local
exchangeMDB/MYEXSERVER
exchangeRFR/MYEXSERVER.unifiedit.local
exchangeRFR/MYEXSERVER
SMTP/MYEXSERVER
SMTP/MYEXSERVER.unifiedit.local
SmtpSvc/MYEXSERVER
SmtpSvc/MYEXSERVER.unifiedit.local
exchangeAB/MYEXSERVER
exchangeAB/MYEXSERVER.unifiedit.local
ldap/MYEXSERVER.unifiedit.local/ForestDnsZones.unifiedit.local
ldap/MYEXSERVER.unifiedit.local/DomainDnsZones.unifiedit.local
DNS/MYEXSERVER.unifiedit.local
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MYEXSERVER.unifiedit.local
GC/MYEXSERVER.unifiedit.local/unifiedit.local
HOST/MYEXSERVER.unifiedit.local/unifiedit.local
HOST/MYEXSERVER.unifiedit.local/UNIFIEDIT
ldap/1d6d7ff2-b3a3-45c1-b737-41788d0d59b6._msdcs.unifiedit.local
ldap/MYEXSERVER.unifiedit.local/UNIFIEDIT
ldap/MYEXSERVER
ldap/MYEXSERVER.unifiedit.local
ldap/MYEXSERVER.unifiedit.local/unifiedit.local
E3514235-4B06-11D1-AB04-00C04FC2DCD2/1d6d7ff2-b3a3-45c1-b737-41788d0d59b6/unifiedit.local
WSMAN/MYEXSERVER.unifiedit.local
WSMAN/MYEXSERVER
HOST/MYEXSERVER
HOST/MYEXSERVER.unifiedit.local
We modified the following registry key to enable Kerberos event logging:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- On the Edit menu, point to New, and then click DWORD Value.
- In the details pane, type LogLevel as the name of the new value, and then press ENTER.
- Right-click LogLevel, and then click Modify.
- In the Edit DWORD Value dialog box, under Base, click Decimal.
- In the Value data box, type 1, and then click OK.
- Close Registry Editor.
Then, after restarting the KDC service, we got the following error:
Event Type: Warning
Event Source: KDC
Event Category: None
Event ID: 20
Date: 4/3/2012
Time: 9:56:00 AM
User: N/A
Computer: MYEXSERVER
Description:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain’s public key infrastructure. The chain status is in the error data.
Then:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 4/3/2012
Time: 9:57:21 AM
User: N/A
Computer: MYEXSERVER
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 7:57:21.0000 4/3/2012 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: UNIFIEDIT.LOCAL
Server Name: host/MyExServer.unifiedit.local
Target Name: host/MyExServer.unifiedit.local@UNIFIEDIT.LOCAL
Error Text:
File: 9
Line: b22
Error Data is in record data.
Purging the Kerberos tickets and restarting the KDC services on both sides resolved the problem.
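A triage check for an event like the one above, as an added example that is not part of the original post: it parses the Kerberos Event ID 3 description and reports whether the target SPN appears in the registered SPN listing, compared case-insensitively. The function names are hypothetical and the inputs are constructed excerpts of the listing and event shown on this page.

```python
import re

# Constructed samples: trimmed excerpts of the SPN listing and Event ID 3 text above.
SPN_LISTING = """\
Registered ServicePrincipalNames for CN=MYEXSERVER,OU=Domain Controllers,DC=UNIFIEDIT,DC=local:
SMTP/MYEXSERVER.unifiedit.local
HOST/MYEXSERVER
HOST/MYEXSERVER.unifiedit.local
"""
EVENT_TEXT = """\
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Realm: UNIFIEDIT.LOCAL
Server Name: host/MyExServer.unifiedit.local
Target Name: host/MyExServer.unifiedit.local@UNIFIEDIT.LOCAL
"""

def parse_spns(listing):
    """Return the registered SPNs lower-cased (SPN lookup is case-insensitive)."""
    spns = set()
    for line in listing.splitlines():
        line = line.strip()
        if "/" in line and not line.startswith("Registered"):
            spns.add(line.lower())
    return spns

def parse_event(text):
    """Extract 'Field: value' pairs from a Kerberos Event ID 3 description."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def triage(event_text, spn_listing):
    """Summarise the error and say whether the requested SPN is registered."""
    ev = parse_event(event_text)
    code_hex, _, code_name = ev.get("Error Code", "").partition(" ")
    spn, _, realm = ev.get("Target Name", "").partition("@")
    return {
        "code": int(code_hex, 16) if code_hex else None,
        "name": code_name,
        "spn": spn,
        "realm": realm,
        "spn_registered": spn.lower() in parse_spns(spn_listing),
    }

if __name__ == "__main__":
    print(triage(EVENT_TEXT, SPN_LISTING))
```

For the event on this page the SPN is reported as registered, which matches the observation that the SPNs were correct and the fault lay elsewhere.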
Additional documents
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21820
Regards
Laurent Teruin