Hi there, We are using an Exchange Server 2016 setup which is working fine. Users are using Outlook on the web (OWA) or Outlook (Exchange protocol) to access their mailboxes. Two problems we experience: Problem 1: some colleagues use Linux on their workstation, and they normally use Outlook on the web to access their Exchange 2016 mailboxes.
For some reason they want to use Thunderbird with the IMAP protocol to view their mail. They are unable to connect to their mailbox with the prompt stating: ' username or password invalid'. Problem 2: Another application we use for our customer e-mail (a custom build CRM) uses POP boxes to extract the e-mail from it. Right now we are using a postfix solution on a Linux host which hosts those POP boxes, but because we want to be able to e-mail directly from Exchange mailboxes to these CRM mailboxes we have decided to configure POP boxes on our Exchange server. This way, the custom CRM can extract the e-mail using POP protocol from the Exchange mailboxes and we are able to e-mail directly to it.
Same problem as with the IMAP connectivity: we can connect using Thunderbird (as means of testing) but we get the same prompt: 'username or password invalid' Because these two problems are similar I've decided to put them in both in one question. I've done a lot of searching on Google but I can't find a similar problem. What we have done so far: By default, POP has been disabled on all mailboxes. IMAP has been enabled on all mailboxes. The POP and IMAP services are running normal on the Exchange server. For Problem 2 I've enabled POP on a specific test account: exchange.otrstest.
Hi, How about run with test user's credential? Moreover, please try to use to test IMAP and POP mail flow. If there's any error message, please post here without sensitive information for further assistance. Moreover, I want to confirm: 1.
Do you have namespace with.local? Is there any certificate warning when access OWA from external? Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]. Allen Wang TechNet Community Support. Aplikasi hack fb lewat hp 2017.
Microsoft Exchange 365
Hi, How about run with test user's credential? Moreover, please try to use to test IMAP and POP mail flow.
![Windows Windows](/uploads/1/2/3/8/123831042/996335812.png)
If there's any error message, please post here without sensitive information for further assistance. Moreover, I want to confirm: 1. Do you have namespace with.local?
Is there any certificate warning when access OWA from external? Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]. Allen Wang TechNet Community Support. Tactics ogre psp save game editor. Hi Allen, Thank you for your reply! I have run the tests but I can confirm that there is an issue with the port numbers. Out network administrators have blocked the IMAP and POP ports on purpose because they do not want to allow the connections from outsite.
But for our CRM application we need the POP connection to work internally, so I have to figure this out with our network colleagues. Do you have namespace with.local? Yes, our pop host is currently servername.hostname.local 2. Is there any certificate warning when access OWA from external? Nope, there isn't. The certificate has been request prior from the Exchange migration earlier this year and has worked fine since then.
This error is about identically named accounts - and appears to be quite popular. My fix was this: Check in DNS for any A records that have identical IP addresses. If you find some, identify which is the current correct A record and IP. Delete the other. Check ADUC for the identical A record machine names, for example if you see ComputerA and ComputerB both on 192.168.1.10 - one of these is out of date, and could be caused by one of the machines no longer existing on your network. Verify if one of the machines no longer exists.
Remove the account from ADUC. Note the error mentions both the DC and a client - this error relates to two clients sharing the same IP and both having valid accounts in AD. One you have done this - i would reccomend to enable DNS Ageing and Scavenging, and to scavenge stale resources records. I would also reccomend to configure your DHCP to dynamically update records, you will need to provide credentials to do this. This should solve your issues. I was experiencing issues with NETLOGON, SPN records, Kerberos, NLTEST, and connections beetwen servers and domain controllers. Randomly we were losing connection with DC and only re-joining in domain solved this issue.
There were also communication problems with Kerberos, SPN (even though the SPN was set correctly in schema) recprds, and NLTEST was always unsuccessful. Renaming and rejoining the domain did not help, neither re-promoting of DCs. I fixed this by: 1. Removing another gateways from the network configuration 2. Inserting only primary and secondary DNS system into network settings of servers 3. Removing DNS systems which were not domain members from NAME Servers settings on domain DNS systems I would recommend that first, install all the patches and hotfixes for the affected systems. I have also implemented the recommendations found at and.
In my case, after setting up a cluster, I could not add a public store to the virtual node. There was a pre-existing Exchange server that I needed to replicate from but kept getting this error each time I attempted to bring the cluster public folder store online. WINS was ok, however, reverse DNS had several entries for not only the mail virtual server on the cluster, but the other nodes as well due to previous setting of DHCP on the adapters. I removed all duplicate DNS settings and rebooted. All mailbox stores came up afterwards. We had this problem on a newly installed DC that also acts as DHCP Server and was not properly configured. We configured all our DHCP servers to register clients, using a common domain account.
This new DC/DHCP server was not configured with these DHCP credentials, so all the other DHCP servers could not update A records that this new DHCP server had registered. This caused several A records to have the same IP address registered, causing Event ID 4 when the KDC did not know which client was the right one. As per Microsoft: 'Kerberos cannot authenticate the Web program user because the server cannot verify the Kerberos authentication request sent by the client. This usually happens when there is an account in the target domain with the same name as the server in the client's domain.
If so, the ticket is issued for the server in the client's domain and it cannot be decrypted by the recipient server in the target domain'. See and the link to 'Troubleshooting Kerberos Errors' for more details. From a newsgroup post: - Upgrade to the latest SP. There were some Kerberos caching issues fixed in WinXP SP1. The log might indicate an account name collision in your domain.
Look for multiple accounts in the domain with the name SRV1. Possibly even a user account. This event will occur if you present a service ticket to a principal (target computer) which cannot decrypt it. Normally the service ticket is encrypted using the shared secret of the machine account's password as a basis for the encryption used to encrypt the service ticket. Only the KDC (Domain Controllers) and the target machine know the password.
The client presents encrypted session ticket it received from the KDC to the target server. If the server can decrypt the ticket, the server then knows that it was encrypted by a trusted source (the DC) and the presenter (the client) is also trusted. If the target server has a different password than the DC, the session ticket cannot be decrypted and the failure occurs. Here is an example of how this can happen with two identically named machine accounts in separate forests. Suppose there are 2 machine accounts named FOO in DomainA, and DomainB, but the server really lives in DomainB, then users in domain A would get the error. Given the short name FOO, users in DomainA would acquire a service ticket to DomainA FOO, and then present it to the DomainB FOO server.
DomainB FOO does not have the same password as DomainA FOO, so it cannot decrypt the service ticket. There are two fixes for this scenario: 1. Access the server by the FQDN (e.g. Delete the potentially unused server account (e.g.
Delete DomainA Foo). Other problems can cause this error: 1) WINS/DNS bad configuration. The name of the target server is mistakenly resolved to a different machine. To fix verify the resolved IP address actually matches the target machine's IP address.
2) Service bad configuration (server is actually running as DomainB SomeOtherAccount, but the service transport, RPC, CIFS., is trying to authenticate to the service DomainB Foo). 3) Service is running on a cluster, which is not configured to use Kerberos. The same as 2, where you're trying to authenticate to the cluster, but you're actually authenticating to a node in the cluster, resulting in the above error.
To fix this problem, the first step is to identify all machines listed in the error above. Attempt to locate the machines and determine their domain affiliation and current IP address.
If the machine is not in same domain as the client reporting the error, verify that a duplicate computer does not exist in the local domain with the same name as one listed in the error. Next, verify that the client reporting the error can correctly resolve the right IP address for the client in question. Attempt a net use then check the NetBIOS cache (nbstat -c) and the DNS cache (ipconfig /displaydns).
You can use the following method to determine of there are any duplicate machine names registered in the same forest. Run the following command specifying the name of a GC as “GCName”.
Ldifde -f SPNdump.ldf -s GCName -t 3268 -d dc=forest, dc=root –r '(objectclass=computer)' -l servicePrincipalName. Note that the above is one line wrapped for readability. Open the file and search for all occurrences of the name list in the error 4 (omitting the $).
This will catch duplicates in the same forest. However, it will not catch duplicates in different forests. You will need rerun in all forest and search the output from each.
We have seen this event when building new workstations into two separate sites within an Enterprise level AD. A workstaton was named the same in two sites, causing the second machine (when it had finished our automated build) to be tombstoned from the domain (no-one could logon to the station, and attempts to access it from a server via stationname c$ failed with Access Denied).
The Kerberos/4 error message was noted on a working station following the attempt to connect to the tombstoned station again using stationname c$.
Introduction When Exchange 2010 SP1 RTW’d back in August 2010, one of the things that the Exchange Product group had spent a fair amount of resources on getting into the product was a feature that made it possible for MAPI clients (usually internal Outlook clients) to connect to a load balanced CAS array to be able to authenticate with Exchange using Kerberos authentication. Previous versions of Exchange server supported Kerberos authentication since the MAPI clients connected to the mailbox server FQDN and not a FQDN pointing at a load balancer in front of a CAS array. With Exchange 2010 RTM, there was no way for MAPI clients to authenticate using Kerberos authentication. In this article, I’ll provide you with the steps necessary to enable Kerberos authentication for MAPI clients.
I’ll use the lab environment which also was used as the basis for the article series. Some of you will probably wonder why this topic wasn’t included in the series. There’s a good reason for this. It’s because the Exchange Product group just recently stated publically that they recommend all customers that either have a load balanced CAS array or even a non-load balanced CAS array with the CAS array DNS object pointing to the IP address of an Exchange 2010 CAS server to enable Kerberos authentication. The reason for this sudden recommendation is because the Exchange Product group, in some customer environments, has seen some pretty serious performance issues caused by the fact that MAPI clients authenticated using NTLM and not Kerberos. What is Kerberos Authentication and why Enable this Authentication Mechanism?
Since this is already well explained in blog post on the MS Exchange Team blog as well as in the, I won’t spend time explaining this. Instead, I recommend you visit those two references in order to get up to speed on Kerberos authentication. When done, come back here and read on.
Why Enable Kerberos Authentication for MAPI Clients? The reason why this is recommended is because you can hit some rather significant performance issues when using NTLM authentication.
If you haven’t already done so, read blog post on the MS Exchange Team blog and come back to this article when you’re ready to set up Kerberos authentication in your environment. The Environment Used in this Article I know you’re eager to get this Kerberos stuff enabled but before we move on, here's a quick overview of the environment in which we’re going to enable Kerberos authentication. This is important in order to understand which Service Principal Names (SPNs) should be registered and how you should go about enabling Kerberos authentication on the Client Access servers in the environment.
1 Active Directory site (Datacenter-2). 2 Domain Controllers (one acting as alternate witness server). 2 Exchange 2010 Multi-role servers. Zelda spirit tracks train controls patch.
2 physical load balancers. 1 CAS array (outlook-2.exchangeonline.dk) In addition, we have one database availability group (DAG) stretched between the two AD sites. All active users connect to site 1 unless a partial or full switchover occurs for planned or unplanned reasons. The primary namespace is mail.exchangeonline.dk and points to site 1.
The secondary namespace is failover.exchangeonline.dk and points to site 2. The environment is depicted in the diagram shown in Figure 1.
The namespaces used in each site are also included. Figure 1: Environment used in this article The load balancer in each datacenter has been configured as shown in Figure 2. Figure 2: Load Balancer Configuration Creating the Alternate Service Account In order to enable Kerberos authentication for MAPI clients, Exchange 2010 needs to leverage an Alternate Service Account (ASA) credential mechanism. To archive this, the first step is to create a service account in the Active Directory domain. In theory, this can be a user account or a computer account.
For security reasons, the recommendation is to use a computer account. In general, all Client Access servers in a CAS array should share the same service account. If we have two datacenters (each with their own CAS array) we should use the same service account for all CAS servers belonging to one of these CAS arrays. The reason for this has to do with switchover situations where Outlook clients are updated to connect to the CAS array in the failover datacenter. To create the computer account open the “ Active Directory Users and Computers” MMC snap-in. If you already have an (OU) dedicated to service accounts, you might need to create the computer account in this OU. Right-click on the OU and then select New Computer in the context menu.
Figure 3: Creating the Computer Account Give the computer account a meaningful name and leave the defaults. Figure 4: Creating the ASA Computer Account By default the new computer account object will be added to the Domain Computers group which is sufficient.
Microsoft 365
Figure 5: Computer Account is added to the Domain Computers group by default Important: Since the computer account we just created is a critical step for the Kerberos authentication to work, it’s important that it isn’t deleted. A common policy used in customer environments is to implement a policy that that deletes all accounts that haven’t had their password changed within N number of days. Deploying Alternate Service Account Credential to the Client Access Servers It’s time to deploy the Alternate Service Account (ASA) credential to the Client Access Servers member servers in each CAS array. To do so, log on to an Exchange 2010 server and launch the Exchange Management Shell. In the Exchange Management Shell navigate to the Exchange Scripts folder which is located under “C: Program Files Microsoft Exchange Server V14 Scripts”. In this folder, you’ll see a PowerShell script named RollAlternateServiceAccountPassword.ps1. Figure 6: RollAlternateServiceAccountPassword.ps1 Script Depending on whether you have multiple CAS arrays or not, the command we’re going to execute differs.
If you have a single CAS array, you would use the following command:. RollAlternateServiceAccountPassword.ps1 –ToArrayMembers -GenerateNewPasswordFor domain computeraccount$ If I only wanted to enable Kerberos authentication for the CAS array at site 1, I would use this command:.
RollAlternateServiceAccountPassword.ps1 –ToArrayMembers outlook-1.exchangeonline.dk –GenerateNewPasswordFor Exchangeonline.dk ExchangeASA$ As can be seen in Figure 7, this will push the ASA credentials to all the CAS servers in the specified CAS array as well as change the password of the ASA computer account. Figure 7: Running the script against a specific CAS array But since this environment includes two CAS arrays, I would either use the following command:. RollAlternateServiceAccountPassword.ps1 –ToEntireForest –GenerateNewPasswordFor Exchangeonline.dk ExchangeASA$ Or:.
Hi together, I have installed a SBS 2008 on a new HP ML350 Xenon Quad-Core Server with 6GB RAM. I use only the Exchange part with eight Outlook 2007 clients connected via Outlook-Anywhere and two Blackberrys via BPS. The IIS7 now makes me very big headache. Up to 5 times a day for a maximum of 15 minutes, I am not able to connect to the IIS7 with some clients even for a single http request to a single static html file and 50 percent of the connected Outlook-Clients are showing “Verbindungsversuch” (retry to connect) and some of the Outlook clients are crashing with a send Bug-Report. The SBS 2008 is connected via a linux firewall to the Internet and firstly a switched over to a D-Link router, but no change.
I installed a second NIC on the SBS and connected a laptop with a crossover cable directly. The same behavior. I installed an openvpn tunnel on the server and encapsulated the ip traffic in udp packets to the clients.no change. I disabled ipv6 and changed the MTU from 1500 to 1470 with no success. I did set up a simple virtual directory called /nagios to wwwroot on the IIS7 and tried to get /nagios/iisstart.html via http when the error occurred.
With IE7 and Firefox on Windows and on Linux I got a Browser-Timeout after 5 minutes via any external connection to the Server (NIC1, NIC2 and TUN device). Access via IE7 and Firefox directly on the Server to /nagios and any other services (rdp smtp.) from external are always working fine. I installed Wireshark on the Server and did a screen capture from the server-side with an include of a tcpdump on a Linux/Firefox client when the error occurred and one capture when not. (.png files below) After the syn, ack, syn ack, handshake normally a get yxz.html IP package is send by the browser and the server should respond with a http header IP package. But when the error occurred, the IIS7 is only responding with an ack package with no data in.
Any web browser is still waiting for the requested data or an error-code and goes into a timeout after 5 minutes with the message “The Server is not responding”. No heavy load or traffic on the server and after a maximum of 15 minutes everything works fine without any interaction for several hours. What for the hell is going wrong on my IIS7??? I am very familiar with linux and quite familiar with windows and this is my first IIS7. Many Thanks for any hints. Joerg Schneider Screen-Capture when not working: Screen-Capture when working:.
Version 7.3: 19 September 2016 General. The memory consumption and loading speed of the sections 'Recipient Lists', 'Preview', and 'Sending' has been markedly improved. When using large amounts of Quickparts, the loading speed has been drastically improved. (Enterprise Edition only).
The self-repair of the internal database has been improved, problems with old installations or damaged databases have been solved. If an MS Access database is used as internal database, the 'Compress and Repair' function can now be triggered manually. The Quick Navigation is now disabled by default.
The scaling of the user interface has been improved for high monitor resolutions. Other minor errors have been fixed, several improvements have been incorporated. Please note: This version is going to be the last version supporting Windows XP. Profile. New SMTP Sending Profiles are now created with TLS Security by default. Some errors during the manually triggered connection test have been fixed.
An error occurring when displaying the statistics in the 'Profile' section has been fixed. (Enterprise Edition only) Recipient List. The speed and the memory usage when working with large recipient lists has been improved drastically. The column 'Last Sent' is now sorted according to dates. Importing Access Files with Office 2016 is now possible. The 'Search in all Lists' features now has a 'Delete' Button to reset the search results. The speed of Excel exports has been increased.
When sorting a list, SmartSerialMail will now keep entry selections. The recipient list does not scroll anymore when changing the sending status of some entries. Exporting a list does not change the position in the recipient list anymore. The 'Sending Status' statistic now also works for external tables. (Enterprise Edition only).
The import summary now always shows the correct amount of imported entries. Importing a corrupted Access database does not result in a software error anymore. Excel export now also contains the 'Status' information. The Filter 'not equals' is now working correctly. (Enterprise Edition only) Content.
The functions 'Redo' and 'Undo' are now available in the HTML editor. The text floating property for images can now be set via HTML editor (float).
Problems with German umlauts have been fixed. Links containing placeholders are now shown correctly in the link overview. The function 'Delete' in the context menu now always deletes the selected content.
The placeholder-function 'printIfNotEmpty' now also works for attachments. (Enterprise Edition only). The hint dialog when pasting content from MS Word via Clipboard has been improved. Preview. The loading time of the preview when using large recipient lists has been decreased.
The profile’s 'From' address is now used as the default value for the 'Test Email Address'. Under special circumstances SmartSerialMail was not responding anymore when loading the preview.
This has been fixed. Sending. The 'Sending' section is now loaded much faster when using large lists. Resynching the sending status while a sending task is running is now supported by a failsafe mechanism.
This prevents data loss, even when the computer crashes sending. Cc and Bcc recipients of the sender profile are now also used when sending via EWS.
(Enterprise Edition only). Use the profile option 'set all to unsent, before starting a sending task' to use recipient lists not containing any email addresses with the status 'unsent'. (Enterprise Edition only). An error occurring while resyncing the sending status (internal and external tables) has been fixed. (Enterprise Edition only).
The display of the amount of unsent elements for filtered lists has been corrected. (Enterprise Edition only). The link to the tracking statistic for finished sending tasks with activated tracking is now working.
(Enterprise Edition only) List Management. When collecting bounces, cancellations or subscriptions, new lists are only created when needed. (Enterprise Edition only). Bounce emails with the error code '5.2.2 (mailbox full)' are no longer handled as permanent bounces, but as temporary bounces.
(Enterprise Edition only). The correctly selected recipient list is now available in the 'list management' actions.
(Enterprise Edition only). In general settings a 'reply to' address can now be entered. (Enterprise Edition only). 'Collect from Outlook' now works correctly for emails in online mode (not cached). (Enterprise Edition only).
Possible error messages from the POP3 or IMAP servers are now written to the protocol. (Enterprise Edition only) Version 7.2.2: 26 November 2015. An error in HTML processing has been fixed: Apostrophes are no longer replaced by '. An error occuring while viewing the statistics in 'Profile' has been fixed. Version 7.2.1: 11 November 2015. Import and Export of Quickparts has been added. Errors in the Duplicate Search has been fixed.
Imagepaths containing 'Umlauts' are now handled correctly. Pasting text into search fields has been fixed. Subnavigation is collapsable again. Errors blocking the installation of SmartSerialMail in Windows XP have been fixed. Version 7.2: 04 November 2015 Sender Profile and Sending.
New sending mode 'EWS' (Exchange Web Services) enables easy use in combination with Office 365. Users can now send emails 'on behalf of'. Tracking-Statistics for Piwik: A new pie-chart shows the number of conversions in relation to the number of sent emails. (Enterprise Edition only). S/MIME issues fixed: Signed emails are now shown correctly in webmail clients. (Enterprise Edition only).
Placeholders can now also be used in the 'Reply-to' field. (Enterprise Edition only).
The message Id of sent emails no longer contains the local computer name. Users can now customize the email header field 'List Unsubscribe'. The email header field 'List Id' is set automatically and can be customized by the user. The send mode 'Save as file' now uses the recipient’s email address.
(Enterprise Edition only). Autodetection of profile settings has been improved. Exporting a recipient list of a finished sending task now works as expected. Hybernation or Reboot does not cause a paused sending task to restart. Recipients lists and List Management. Subscriptions, cancellations, confirmations, and bounce mails can be processed via Office 365 / EWS (Exchange Web Services). (Enterprise Edition only).
Users can now search for an email-address in all existing lists at once. The speed of the duplicate search in recipient lists has been improved dramatically. The columns of a recipient list can now contain more than 255 characters. 'Soft Bounces' (temporary bounces) can now be processed. (Enterprise Edition only). The processing speed of large lists has been improved.
Erroneous email addresses in the Cc-column are now highlighted. (Enterprise Edition only). Large email accounts (more than 2GB) can now be processed in 'List Management'.
(Enterprise Edition only). Problems when importing from a non-formatted text file have been solved. New Recipient lists contain a new column for 'Bcc'-Recipients. Content and Attachments.
Personalized attachments: Quick parts can now be used to generate personalized PDF or Image attachments. (Enterprise Edition only). User-defined templates: Content can now be saved as a user-defined template.
The column 'LastSent' (date of last sending) is now available as a placeholder. A 'Save as PDF' function has been added in 'Preview'. Filename and filepath wildcards can now be used in attachments. (Enterprise Edition only). New placeholder function: 'Saveas': Emails can be saved as files. Possible file types are: PDF, JPG or HTML.
(Enterprise Edition only). New Placeholder function: 'Include': The contents of files (text files) can now be included in email content. (Enterprise Edition only). New placeholder function 'PrintIfNotEmpty': A Placeholder is only printed if it is not empty. (Enterprise Edition only). New Placeholder Function 'ForEach': An output is created for each element in a list.
(Enterprise Edition only) Graphical User interface. The support for Windows 10 has been added. CPU usage has been dramatically reduced. Flickering of the left column of the 'Sending' view while processing a sending task has been fixed. The behavior of the menu tree has been improved: Folders are no longer closed when saving the content and right-clicking behaves like expected.
The user interface has been improved for larger display resolutions. A lot of other corrections and improvements have been made. Version 7.1: 12 June 2015 Processing speed. SmartSerialMail shows and processes large recipient lists more effectively, delays have been eliminated. Loading a great number of tasks or using a large recipient list no longer prolongs loading times in the dispatch view. Graphical user interface.
Different fonts and a consistent interface design result in a much clearer user interface. Individually configurable user interface: Navigation elements can be toggled under 'File' - 'View'. Profile. Bar charts provide an overview over how many emails were sent at which point in time and how many subscriptions, cancellations, confirmations, or bounces have been collected. (Enterprise Edition only).
A second bar chart shows the tracking campaigns used in the sending tasks. (Enterprise Edition only) Recipient lists. History: The fife most recent versions of the recipient list are saved automatically and can be restored if required. Alias placeholders for recipient lists enable users to define placeholders for entire lists.
This way users can personalize content based on the recipient list. (Enterprise Edition only). Filter (filtered lists) can now be copied to other lists. (Enterprise Edition only). A pie chart view shows the segmentation of used lists. (Enterprise Edition only) Content and quick parts. History: The fife most recent versions of each content are saved and can be restored if required.
This includes the HTML part as well as the text-only part, the subject, and all alias placeholders in the content. Sending operations. A new version of SSL is used for sending emails via a secure connection.
The sending interface has been redesigned: 'New task' is now accessible via the quick navigation; the selection of profile, recipient list, and content has been improved. A diagram provides an overview over the five most recent sending tasks.