NSPI connection to a Windows-based domain controller causes MAPI client applications to fail and returns a "MAPI_E_LOGON_FAILED" error message
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
A Name Service Provider Interface (NSPI) connection from a MAPI client to a Windows Server 2008 or later version-based domain controller may fail and return the following error message from the server:
In some instances, a credential dialog box may appear in the MAPI client user interface when you encounter this issue.
The affected clients include Microsoft Outlook, Quest Migration Manager for Exchange, and BlackBerry Enterprise Server.
This issue occurs because Windows Server 2008 and later versions allow a default maximum of only 50 concurrent NSPI connections per user. Additional NSPI connections are rejected, and a MAPI_E_LOGON_FAILED error message is returned.
Note Windows Server 2003 and earlier versions of Microsoft Windows operating systems do not exhibit this behavior. The change of behavior in Windows Server 2008 is intended to protect domain controllers against clients that open too many NSPI connections without then closing the connections. Too many connections such as these can result in resource depletion.
To resolve this issue, check every NSPI connection that a process on the client creates for connection leaks. For example, a call to the NspiBind function must have a corresponding call to the NspiUnbind function when an NSPI connection is no longer required. This operation may require that you debug any custom scripts or applications that are using NSPI. If this issue affects external applications, contact the software vendors for updates.
Note The Outlook NSPI MAPI provider that is installed with Microsoft Outlook is intended for use only together with Microsoft Outlook. External scripts and applications that rely on the Outlook NSPI MAPI provider are not supported.
How to modify the registry to allow for additional NSPI connections
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
If more concurrent NSPI connections per user are legitimately required, you can change the default limit. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS
- Click the Parameters key.
- On the Edit menu, point to New, and then click DWORD Value.
- Type NSPI max sessions per user, and then press Enter.
- Double-click NSPI max sessions per user, type the maximum number of the NSPI connections that you want to have, and then click OK.
Note Although the upper limit of this setting is 0xffffffff (or 4294967295), a server configuration that has a value that is larger than the default value will consume additional memory (one new page per connection) on the server. If this value is set too high, and too many connections are created for each user application instance, the server will run low on memory or become completely unresponsive. The lower default NSPI connection limit in Windows Server 2008 was based on customer experience in which previous operating systems would allow themselves to be overwhelmed by third-party products in what is essentially a denial of service attack. You should use a common sense approach to increase the maximum session setting beyond the default value. For example, start by using decimal 250 (hex 0x000000FA), and then test to see the memory overhead that is created and whether the errors have stopped. Your long-term solution must be to contact the vendor of your NSPI product to ask them to change this behavior. A change in the registry value is only a workaround to provide error relief.
- Exit Registry Editor.
- Restart the computer or restart Active Directory Domain Services.
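The same change can be scripted. The following PowerShell is an added example, not part of the original article; the function name, its parameters and the 1000 sanity ceiling are hypothetical choices for illustration. It records the previous effective value (the default of 50 when the entry is absent), refuses values above the ceiling, and supports -WhatIf so the change can be previewed on a domain controller before it is made.

```powershell
# Added example: function name, parameters and ceiling are hypothetical.
function Set-NspiSessionLimit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 1000000)]
        [int]$Limit,

        # Guard rail for this example only, not a Microsoft-documented bound.
        [int]$Ceiling = 1000,

        # Restart AD DS so the new value takes effect (interrupts the DC).
        [switch]$RestartService
    )

    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name    = 'NSPI max sessions per user'
    $default = 50   # default per-user limit stated in the article

    if ($Limit -gt $Ceiling) {
        throw "Requested limit $Limit exceeds ceiling $Ceiling. Pass a higher -Ceiling only after testing memory overhead."
    }

    # Absent entry means the built-in default is in effect.
    $existing = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $before   = if ($null -eq $existing) { $default } else { $existing }

    $applied = $false
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Limit (currently $before)")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Limit -Force | Out-Null
        $applied = $true
        if ($RestartService) { Restart-Service -Name NTDS -Force }
    }

    # Return a record suitable for a change log.
    New-Object psobject -Property @{
        Computer = $env:COMPUTERNAME
        Previous = $before
        Current  = if ($applied) { $Limit } else { $before }
        Applied  = $applied
    }
}

# Preview first, then apply the article's suggested starting value of 250:
# Set-NspiSessionLimit -Limit 250 -WhatIf
# Set-NspiSessionLimit -Limit 250 -RestartService
```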
For Windows Server 2008 only
Note Windows Server 2008 R2 and later versions log this event by default. In Windows Server 2008, this is a verbose level of event logging that may generate many events. This verbose level of event logging includes events that are unrelated to the diagnosis of this issue. We recommend that you restore this setting to the default value after you finish troubleshooting.
To verify in Windows Server 2008 whether you encountered the issue that is described in the "Symptoms" section, enable event logging for NSPI connections. To do this, follow these steps:
- On the domain controller that is targeted for the NspiBind connection, click Start, click Run, type regedit, and then click OK.
- Locate and then double-click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\4 MAPI Interface Events
- In the Value data box, type 5, and then click OK.
Note The default value of this registry entry is 0 (zero).
- On the File menu, click Exit.
Event ID: 2820
NSPI max connection limit for the user has reached.
You need to do NSPI unbind on old connections before making new connections.
Additional Data
Max NSPI connections per user: %1
User: %2
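To find which account is exhausting its NSPI connections, the 2820 events can be grouped by user. The following PowerShell is an added example, not part of the original article; the function name is hypothetical, and it assumes that the event is written to the Directory Service log and that the insertion strings %1 and %2 appear in that order in the event's Properties collection.

```powershell
# Added example: function name is hypothetical. Assumes event 2820 is in the
# "Directory Service" log and that Properties[0] = %1 (limit), Properties[1] = %2 (user).
function Get-NspiLimitHit {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2820
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises a non-terminating error when nothing matches.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $events |
        Select-Object TimeCreated,
            @{ n = 'Limit'; e = { $_.Properties[0].Value } },
            @{ n = 'User';  e = { $_.Properties[1].Value } } |
        Group-Object -Property User |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'User';  e = { $_.Name } },
            @{ n = 'Hits';  e = { $_.Count } },
            @{ n = 'Limit'; e = { $_.Group[0].Limit } },
            @{ n = 'First'; e = { ($_.Group | Measure-Object TimeCreated -Minimum).Minimum } },
            @{ n = 'Last';  e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } }
}

# Accounts that hit the per-user limit in the last 24 hours, busiest first:
# Get-NspiLimitHit -Hours 24 | Format-Table -AutoSize
```

A service account that appears here repeatedly points to an application that is not calling NspiUnbind, which is the case to raise with the vendor before raising the limit.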
A network capture of the failure may contain packets that resemble the following.
| ServerIP | ClientIP | NSPI | NspiBind response, Status: MAPI_E_LOGON_FAILED |
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
314980 How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Article ID: 949469 - Last Review: 04/29/2014 17:49:00 - Revision: 12.0
Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Standard, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 Standard without Hyper-V, Microsoft Office Outlook 2007