In an Exchange server environment, some e-mail messages are stuck in a remote delivery queue that should have been transferred to another internal Exchange server in the Exchange organization.
If you open the Queue Viewer tool from the Toolbox node on the Exchange Management Console, the Last Error field displays an error message that resembles the following:
451 4.4.0 Primary target IP address responded with: "454 4.7.0 Temporary authentication failure." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
Additionally, you may find the following error message in the Application log file on the Exchange server that is receiving the e-mail message:
Event Type: ErrorEvent Source: MSExchangeTransportEvent Category: SmtpReceive Event ID: 1035Description:Inbound authentication failed with error IllegalMessage for Receive connector Default <Server>. The authentication mechanism is ExchangeAuth. The source IP address of the client who tried to authenticate to Microsoft Exchange is [xxx.xxx.xxx.xxx].
This issue occurs if the Exchange server cannot authenticate with the remote Exchange server. Exchange servers requires authentication to route internal user messages between servers. The issue can be caused by one of the following reasons:
The Exchange server is experiencing Time synchronization issues
There is a replication issue between the domain controllers
The Exchange server is experiencing Service Principal Name (SPN) issues
The required TCP/UDP ports for the Kerberos protocol are blocked by the firewall
To resolve this issue, follow these steps:
Check the clock on both servers and domain controllers that might be used to authenticate the servers. All clocks should be synchronized to within 5 minutes of one other.
Check for duplicate SPNs by using the SetSPN tool. There should only be one entry of each:
SetSPN -x Processing entry 0 found 0 group of duplicate SPNs.
Verify that the ports required for Kerberos are enabled.
If the previous steps do not work, you can turn on logging for Kerberos on the Server that is registering the Event 1035 message, which may provide additional information. To do this, follow these steps:
Click Start, click Run, type Regedit, and then click OK.
Microsoft Exchange Server 2007 Standard Edition, Microsoft Exchange Server 2007 Enterprise Edition, Microsoft Exchange Server 2010 Standard, Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2013 Standard, Microsoft Exchange Server 2013 Enterprise, Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition