Article ID: 949469 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
A Name Service Provider Interface (NSPI) connection from a MAPI client to a Windows Server 2008 or later version-based domain controller may fail and return the following error message from the server:
In some instances, a credential dialog box may appear in the MAPI client user interface when you encounter this issue.
The affected clients include Microsoft Outlook, Quest Migration Manager for Exchange, and BlackBerry Enterprise Server.
This issue occurs because Windows Server 2008 and later versions allow a default maximum of only 50 concurrent NSPI connections per user. Additional NSPI connections are rejected, and a MAPI_E_LOGON_FAILED error message is returned.
Note Windows Server 2003 and earlier versions of Microsoft Windows operating systems do not exhibit this behavior. The change of behavior in Windows Server 2008 is intended to protect domain controllers against clients that open too many NSPI connections without then closing the connections. Too many connections such as these can result in resource depletion.
To resolve this issue, check all NSPI connections that process on the client create for connection leaks. For example, a call to the NspiBind function must have a corresponding call to the NspiUnbind function when an NSPI connection is no longer required. This operation may require that you debug any custom scripts or applications that are using NSPI. If this issue affects external applications, contact the software vendors for updates.
Note The Outlook NSPI MAPI provider that is installed with Microsoft Outlook is intended for use only together with Microsoft Outlook. External scripts and applications that rely on the Outlook NSPI MAPI provider are not supported.
How to modify the registry to allow for additional NSPI connectionsWarning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
If more concurrent NSPI connections per user are legitimately required, you can change the default limit. To do this, follow these steps:
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
For Windows Server 2008 onlyNote Windows Server 2008 R2 and later versions log this event by default. In Windows Server 2008, this is a verbose level of event logging that may generate many events. This verbose level of event logging includes events that are unrelated to the diagnosis of this issue. We recommend that you restore this setting to the default value after you finish troubleshooting.
To verify in Windows Server 2008 whether you encountered the issue that is described in the "Symptoms" section, enable event logging for NSPI connections. To do this, follow these steps:
Event ID: 2820 NSPI max connection limit for the user has reached. You need to do NSPI unbind on old connections before making new connections. Additional Data Max NSPI connections per user: %1 User: %2
A network capture of the failure may contain packets that resemble the following.
Collapse this tableExpand this table
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/314980/ )How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Collapse this imageExpand this image
Collapse this imageExpand this image
Article ID: 949469 - Last Review: April 29, 2014 - Revision: 12.0