Microsoft KB Archive/909094

= Event ID 1000 is logged when you configure Kerberos authentication between front-end and back-end servers that are running Exchange Server 2003 =

Article ID: 909094

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition

-



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry





SYMPTOMS
You configure Kerberos authentication between the front-end and back-end servers that are running Microsoft Exchange Server 2003. In this configuration, the following event is logged in the Application log on the front-end server: Event Type: Warning

Event Source: EXPROX

Event Category: None

Event ID: 1000

Date:

Time:

User: N/A

Computer:

Description: Microsoft Exchange Server has detected that NTLM-based authentication is presently being used between this server and server ' '. NTLM is still a secure authentication mechanism and protects users' credentials. However, this indicates that there may be a configuration issue preventing the use of Kerberos authentication. If this condition persists, please verify that both this server and server ' ' are properly configured to use Kerberos authentication. After applying any changes it may be necessary to restart Internet Information Services on both the front-end and back-end servers. As a result the authentication protocol fails back to NTLM.

This event indicates that NTLM authentication is being used instead of Kerberos authentication between the front-end and the back-end servers.

For more information about Event ID 1000, visit the Microsoft Events and Errors Message Center (EEMC) at the following Microsoft Web site:

http://www.microsoft.com/technet/support/ee/ee_advanced.aspx



CAUSE
This problem occurs when you use a disjointed DNS namespace. For example, in a domain that is named &quot;country.domain.com,&quot; you use a fully-qualified domain name (FQDN) for the front-end server that resembles the following name:

Feserver.Region1.country.domain.com

In this case, a request is made for a Kerberos token in the domain &quot;Region1.country.domain.com.&quot; However, this domain does not exist.



RESOLUTION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

After you install this hotfix, add the following registry key:

Value name: DisableRealmHint

Data type: REG_DWORD

Value data: 1

Note 0 and 1 are the only valid values. 0 is off, 1 is on.

Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
You must install Microsoft Exchange Server 2003 Service Pack 2 (SP2) before you apply the hotfix.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

836993 How to obtain the latest service packs for Exchange Server 2003

Restart requirement
You do not have to restart the computer after you apply the hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The global version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
For more information about the terminology that Microsoft uses for software that is corrected after it is released, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

For more information about the naming schema for Exchange software updates, click the following article number to view the article in the Microsoft Knowledge Base:

817903 New naming schema for Exchange Server software update packages

Additional query words: XADM

Keywords: kbhotfixserver kbqfe kbfix kbbug kbpubtypekc KB909094

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.