If you open the Queue Viewer tool from the Toolbox node in the Exchange Management Console, the Last Error field displays an error message that resembles the following:
451 4.4.0 Primary target IP address responded with: "454 4.7.0 Temporary authentication failure." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
Additionally, you may find the following error message in the Application log on the Exchange server that is receiving the e-mail message:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Description: Inbound authentication failed with error IllegalMessage for Receive connector Default <Server>. The authentication mechanism is ExchangeAuth. The source IP address of the client who tried to authenticate to Microsoft Exchange is [xxx.xxx.xxx.xxx].
This problem may occur for any of the following reasons:
- The Exchange server is experiencing time synchronization issues
- There is a replication issue between the domain controllers
- The Exchange server is experiencing Service Principal Name (SPN) issues
- The TCP/UDP ports required by the Kerberos protocol are blocked by a firewall
To resolve this problem, work through the following steps:
- Check the clock on the Exchange servers and on any domain controllers that might be used to authenticate them. All clocks should be synchronized to within 5 minutes of one another.
- Force replication between domain controllers to see whether there is a replication issue.
- Verify that the Service Principal Name (SPN) for SMTPSVC is registered correctly on the target server.
- Make sure that the SMTP and SMTPSVC entries are registered correctly on the machine account by using the SetSPN tool. For example, list the SPNs of the server and confirm that the SMTP entry is present:
  SetSPN -L <ExchangeServerName>
  SMTP/<ExchangeServerName>
- Check for duplicate SPNs by using the SetSPN tool. There should be only one entry of each:
  SetSPN -x
  Processing entry 0
  found 0 group of duplicate SPNs.
- Verify that the ports required for Kerberos are enabled.
- If the previous steps do not resolve the problem, you can turn on Kerberos logging on the server that is logging the Event ID 1035 message, which may provide additional information. To do this, follow these steps:
  - Click Start, click Run, type Regedit, and then click OK.
  - Locate the following registry key:
  - On the Edit menu, point to New, and then click DWORD Value.
  - In the details pane, type LogLevel as the name of the new value, and then press ENTER.
  - Right-click LogLevel, and then click Modify.
  - In the Edit DWORD Value dialog box, under Base, click Decimal.
  - In the Value data box, type 1, and then click OK.
  - Close Registry Editor.
  - Check the System event log again for any Kerberos errors.
- On the destination Exchange server, check the receive connectors that receive internal e-mail messages and make sure that Exchange Authentication is enabled on them.
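The following script is an added example and not part of the original article: it runs the checks listed above (clock skew, replication, SMTP/SMTPSVC SPNs, duplicate SPNs, the Kerberos TCP port, and Exchange Authentication on the receive connectors) against one server and returns a single result object. It assumes it runs in the Exchange Management Shell with setspn, w32tm and repadmin on the path; the function name, parameter defaults and the 300-second threshold are the example's own choices.

```powershell
# Added example (not from the article): checks the causes the article lists for Event ID 1035.
# Assumes the Exchange Management Shell (for Get-ReceiveConnector) and setspn/w32tm/repadmin.
function Test-ExchangeAuthPrereqs {
    param(
        [string]$ExchangeServer   = $env:COMPUTERNAME,                  # server logging Event ID 1035
        [string]$DomainController = "$env:LOGONSERVER".TrimStart('\')   # DC used to authenticate it
    )
    $result = [ordered]@{}

    # 1. Clock skew: Kerberos rejects tickets when clocks differ by more than 5 minutes (300 s).
    try {
        $sample = (w32tm /stripchart /computer:$DomainController /samples:1 /dataonly) | Select-Object -Last 1
        $offset = [double](($sample -split ',')[1].Trim().TrimEnd('s'))   # e.g. "+00.0012345s"
        $result.ClockSkewSeconds = $offset
        $result.ClockSkewOK      = [math]::Abs($offset) -lt 300
    } catch { $result.ClockSkewOK = $false }

    # 2. Replication: any non-blank line from /errorsonly means a partner is failing to replicate.
    $replErrors = repadmin /showrepl $DomainController /errorsonly | Where-Object { $_ -match '\S' }
    $result.ReplicationOK = -not $replErrors

    # 3. SPNs: both SMTP/<server> and SMTPSVC/<server> must be on the machine account.
    $spns = setspn -L $ExchangeServer
    $result.SpnSmtpOK    = [bool]($spns -match "^\s*SMTP/$ExchangeServer")
    $result.SpnSmtpSvcOK = [bool]($spns -match "^\s*SMTPSVC/$ExchangeServer")

    # 4. Duplicate SPNs: the article expects "found 0 group of duplicate SPNs".
    $result.NoDuplicateSpns = [bool]((setspn -X) -match 'found 0 group')

    # 5. Kerberos port: TCP 88 to the DC must not be blocked (UDP 88 is not tested here).
    $tnc = Test-NetConnection -ComputerName $DomainController -Port 88 -WarningAction SilentlyContinue
    $result.KerberosTcp88OK = $tnc.TcpTestSucceeded

    # 6. Receive connectors without Exchange Server authentication (shown as ExchangeServer in AuthMechanism).
    $missing = Get-ReceiveConnector -Server $ExchangeServer |
        Where-Object { $_.AuthMechanism -notmatch 'ExchangeServer' } |
        Select-Object -ExpandProperty Name
    $result.ConnectorsMissingExchangeAuth = @($missing)

    [pscustomobject]$result
}

Test-ExchangeAuthPrereqs | Format-List
```

Run it on the server that logs Event ID 1035; any property that reports $false, or a non-empty ConnectorsMissingExchangeAuth list, points at the corresponding step above.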