Microsoft KB Archive/295439

= XCON: NTLM Authentication Does Not Work Between Exchange Server 5.5 Internet Mail Service and Windows 2000 SMTP Stack =

Article ID: 295439

Article Last Modified on 2/28/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange Server 5.5 Standard Edition




This article was previously published under Q295439





SYMPTOMS
When you set up NTLM authentication between an Exchange Server 5.5 Internet Mail Service and a Windows 2000 virtual SMTP server, the SMTP communication between the servers may not work in both directions.

If you activate the SMTP Protocol log for Exchange Server 5.5, the log shows that the first authentication is successful, but after the "MAIL FROM" command, the communication stops. Five minutes later (300 seconds) a second attempt is made. This time authentication does not work.



CAUSE
This problem can occur because the NTLM extensions of the Exchange Server 5.5 Internet Mail Service and the Windows 2000 SMTP stack are not compatible. The Exchange Server 5.5 Internet Mail Service supports both NTLM authentication and NTLM encryption, but the Windows 2000 SMTP stack supports only NTLM authentication, not NTLM encryption. The same applies to NTLM communication between Exchange 2000 Server and the Exchange Server 5.5 Internet Mail Service, because Exchange 2000 enhances the Windows 2000 SMTP stack.



WORKAROUND
To work around this problem, use basic or anonymous authentication instead of NTLM authentication. If encryption is required, use Secure Sockets Layer (SSL). You can also work around this problem by upgrading the Exchange Server 5.5 computer to Exchange 2000.



STATUS
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.



MORE INFORMATION
This problem is documented in the Exchange 2000 Release Notes.

The protocol logs show that the authentication itself works, but the communication afterward does not work. The SMTP Protocol log of Exchange Server 5.5 contains an output that is similar to the following (for mail flow from Exchange Server 5.5 to Windows 2000):

4/4/01 4:55:59 PM : A connection to xxx.xxx.xxx.xxx was established.

4/4/01 4:55:59 PM : IO: 220 w2k.test.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.1600 ready at Wed, 4 Apr 2001 17:38:21 +0200

4/4/01 4:55:59 PM : 220 w2k.test.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.1600 ready at Wed, 4 Apr 2001 17:38:21 +0200

4/4/01 4:55:59 PM : >>> EHLO e55.dummy.com

4/4/01 4:55:59 PM : IO: 250-w2k.test.com Hello [yyy.yyy.yyy.yyy]

250-AUTH GSSAPI NTLM

250-TURN

250-ATRN

250-SIZE 2097152

250-ETRN

250-PIPELINING

250-DSN

250-ENHANCEDSTATUSCODES

250-8bitmime

250-BINARYMIME

250-CHUNKING

250-VRFY

250 OK

4/4/01 4:55:59 PM : 250-w2k.test.com Hello [yyy.yyy.yyy.yyy]

250-AUTH GSSAPI NTLM

250-TURN

250-ATRN

250-SIZE 2097152

250-ETRN

250-PIPELINING

250-DSN

250-ENHANCEDSTATUSCODES

250-8bitmime

250-BINARYMIME

250-CHUNKING

250-VRFY

250 OK

4/4/01 4:55:59 PM : AUTH NTLM TlRMTNTUAABAAAt5IAQAcABwAgBAAAAAAAAAAAAAAABELUVYU1JWAAAAAAAAAA==

4/4/01 4:55:59 PM : IO: 334 TlRMTVNTUAACAAAADgAOADAAAAC1goFABpOL40iMvvcAAAAAAAAAJQAlAA+AAAAUwBNAFQAQQBIAE8ARQACQAA4AUwBNAFQAQQBIAE8ARQABABAVwAyAEsAVABBAEgATwBFAFMATQAEACQAdABhAGgAbwBlAHQAZQBzAHQALgZBtAHMAZgB0AC4AYwBvAG0AAwA6AHcAMgBrAHQAYQBoAG8AZQBzAG0ALgB0AGEAaABvAGUAdABlAHMAdAAuAG0AcwBHmAHQALgBjAG8AbQAAAAAA

4/4/01 4:55:59 PM : 334 TlRMTVNTUAACAAAADgAOADAAAAC1goFABpOL40iMvvcAAAAAAAAAAJQAlAA+AAAAUwBNAFQAQQBIAE8ARQCAA4AUwBNAFQAQQBIAE8AARQABABQAVwAyAEsAVABBAEgATwBFAFMATQAEACQAdABhAGgAbwBlAHQAZQBzAHQALgBtAHMAZgB04AC4AYwBvAG0AAwA6AHcAMgBrHQAYQBoAG8AZQBzAG0ALgB0AGEAaABvAGUAdABlAHMAdAAuAG0AcwBQmAHQALgBjAG8AbQAAAAAA

4/4/01 4:55:59 PM : TlRMTVNTUAATDAAZAAGAAYAHYAAAAYABgAjgAAAA4ADgBAAAAAGgAaAE4AAAAOAA4AaAAAABAAEACmAAAAtYKBQFMATQBUAEEASABPAEAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBWAEUAQwBfAE4ABVABFAO8vcWp+tVatUrAF8Hc1nen0i9mUF3HSToedG9e1J/S2h9wNllxIRqn2oTAnFvF6V5VrvRzIxH2n4mxaVdzZ98=

4/4/01 4:55:59 PM : IO: 235 2.7.0 Authentication successfull

4/4/01 4:55:59 PM : 235 2.7.0 Authentication successfull

4/4/01 4:55:59 PM : MAIL FROM: user@dummy.com SIZE=857 RET=FULL

4/4/01 5:01:01 PM : A connection to xxx.xxx.xxx.xxx was established.

4/4/01 5:01:01 PM : IO: 220 w2k.test.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.1600 ready at Wed, 4 Apr 2001 17:43:24 +0200

4/4/01 5:01:01 PM : 220 w2k.test.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.1600 ready at Wed, 4 Apr 2001 17:43:24 +0200

4/4/01 5:01:01 PM : EHLO e55.dummy.com

4/4/01 5:01:01 PM : IO: 250-w2k.test.com Hello [yyy.yyy.yyy.yyy]

250-AUTH GSSAPI NTLM

250-TURN

250-ATRN

250-SIZE 2097152

250-ETRN

250-PIPELINING

250-DSN

250-ENHANCEDSTATUSCODES

250-8bitmime

250-BINARYMIME

250-CHUNKING

250-VRFY

250 OK

4/4/01 5:01:01 PM : 250-w2k.test.com Hello [yyy.yyy.yyy.yyy]

250-AUTH GSSAPI NTLM

250-TURN

250-ATRN

250-SIZE 2097152

250-ETRN

250-PIPELINING

250-DSN

250-ENHANCEDSTATUSCODES

250-8bitmime

250-BINARYMIME

250-CHUNKING

250-VRFY

250 OK

4/4/01 5:01:01 PM : AUTH NTLM TlRMTVZNTUAZADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABD/////////fw==

4/4/01 5:01:02 PM : IO: 535 5.5.4 Cannot authenticate parameter

4/4/01 5:01:02 PM : 535 5.5.4 Cannot authenticate parameter

4/4/01 5:01:02 PM : QUIT

4/4/01 5:01:02 PM : IO: 221 2.0.0 w2k.test.com Service closing transmission channel

4/4/01 5:01:02 PM : 221 2.0.0 w2k.test.com Service closing transmission channel

For SMTP communication from Exchange Server 5.5 to Exchange 2000, the following entry may be logged in the SMTP Protocol log during the second authentication attempt:

4/5/01 11:16:32 AM : AUTH NTLM TlRMMTVNTUAADAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABD/////AADAAA==

4/5/01 11:16:32 AM : 499 No routing hosts are reachable for test.com. Message subject: ""Test"". Rescheduling delivery for later.
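
The symptom in the log above (a 235 reply, then MAIL FROM with no answer, then a retry about 300 seconds later that ends in 535) can be searched for mechanically. The following Python code is an added example, not part of the original Microsoft article; the function names and the inlined sample log are constructed for illustration, and the AUTH payloads are replaced by a placeholder.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the log above; AUTH payloads are replaced
# by a placeholder and addresses stay masked as on the page.
SAMPLE_LOG = """\
4/4/01 4:55:59 PM : A connection to xxx.xxx.xxx.xxx was established.
4/4/01 4:55:59 PM : EHLO e55.dummy.com
4/4/01 4:55:59 PM : 250-w2k.test.com Hello [yyy.yyy.yyy.yyy]
250-AUTH GSSAPI NTLM
250 OK
4/4/01 4:55:59 PM : AUTH NTLM <base64-placeholder>
4/4/01 4:55:59 PM : 235 2.7.0 Authentication successfull
4/4/01 4:55:59 PM : MAIL FROM: user@dummy.com SIZE=857 RET=FULL
4/4/01 5:01:01 PM : A connection to xxx.xxx.xxx.xxx was established.
4/4/01 5:01:01 PM : EHLO e55.dummy.com
4/4/01 5:01:01 PM : AUTH NTLM <base64-placeholder>
4/4/01 5:01:02 PM : 535 5.5.4 Cannot authenticate parameter
4/4/01 5:01:02 PM : QUIT
"""

STAMP = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) : (.*)$")

def parse_sessions(text):
    """Split the log into sessions; each is a list of (timestamp, message)."""
    sessions = []
    for line in text.splitlines():
        m = STAMP.match(line.strip())
        if not m or m.group(2).startswith("IO: "):
            continue  # skip continuation lines and the duplicated raw-I/O copies
        ts = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p")
        if "was established" in m.group(2) or not sessions:
            sessions.append([])
        sessions[-1].append((ts, m.group(2)))
    return sessions

def find_ntlm_stalls(text, min_gap=300):
    """Return (stall_time, retry_time) pairs matching the symptom: 235, then an
    unanswered MAIL FROM, then a retry min_gap seconds later that ends in 535."""
    hits = []
    sessions = parse_sessions(text)
    for cur, nxt in zip(sessions, sessions[1:]):
        msgs = [m for _, m in cur]
        stalled = (any(m.startswith("235") for m in msgs)
                   and msgs[-1].upper().startswith("MAIL FROM"))
        gap = (nxt[0][0] - cur[-1][0]).total_seconds()
        if stalled and gap >= min_gap and any(m.startswith("535") for _, m in nxt):
            hits.append((cur[-1][0], nxt[0][0]))
    return hits
```

A session in which MAIL FROM receives any reply is not reported, so ordinary authentication failures without the preceding stall do not match.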

Additional query words: IMC

Keywords: kbbug kbnofix KB295439


© Microsoft Corporation. All rights reserved.