454 4.7.0 Temporary authentication failure in a Microsoft Exchange Server
In an Exchange server environment, some e-mail messages are stuck in a remote delivery queue that should have been transferred to another internal Exchange server in the Exchange organization.
If you open the Queue Viewer tool from the Toolbox node on the Exchange Management Console, the Last Error field displays an error message that resembles the following:
451 4.4.0 Primary target IP address responded with: "454 4.7.0 Temporary authentication failure." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
Additionally, you may find the following error message in the Application log file on the Exchange server that is receiving the e-mail message:
Event Type: ErrorEvent Source: MSExchangeTransportEvent Category: SmtpReceive Event ID: 1035Description:Inbound authentication failed with error IllegalMessage for Receive connector Default <Server>. The authentication mechanism is ExchangeAuth. The source IP address of the client who tried to authenticate to Microsoft Exchange is [xxx.xxx.xxx.xxx].
This issue occurs if the Exchange server cannot authenticate with the remote Exchange server. Exchange servers requires authentication to route internal user messages between servers. The issue can be caused by one of the following reasons:
- The Exchange server is experiencing Time synchronization issues
- There is a replication issue between the domain controllers
- The Exchange server is experiencing Service Principal Name (SPN) issues
- The required TCP/UDP ports for the Kerberos protocol are blocked by the firewall
To resolve this issue, follow these steps:
- Check the clock on both servers and domain controllers that might be used to authenticate the servers. All clocks should be synchronized to within 5 minutes of one other.
- Force replication between domain controllers to see if there is a replication issue.
- Verify that the Service Principal Name (SPN) for SMTPSVC is registered correctly on the target server.
- Make sure that the SMTP and SMTPSVC entries are added correctly to the machine account by using the SetSPN tool. For example:SetSPN -L <ExchangeServerName>SMTP/<ExchangeServerName>
- Check for duplicate SPNs by using the SetSPN tool. There should only be one entry of each:SetSPN -x
Processing entry 0
found 0 group of duplicate SPNs.
- Make sure that the SMTP and SMTPSVC entries are added correctly to the machine account by using the SetSPN tool. For example:
- Verify that the ports required for Kerberos are enabled.
- If the previous steps do not work, you can turn on logging for Kerberos on the Server that is registering the Event 1035 message, which may provide additional information. To do this, follow these steps:
- Click Start, click Run, type Regedit, and then click OK.
- Locate the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- On the Edit menu, point to New, and then click DWORD Value.
- In the details pane, input the new value LogLevel, and then press Enter.
- Right-click LogLevel, and then click Modify.
- In the Edit DWORD Value dialog box, under Base, click Decimal.
- In the Value data box, type the value 1, and then click OK.
- Close Registry Editor.
- Again check the System Event log for any Kerberos errors.
- In the destination Exchange Server, check the receive connectors that receive internal e-mail messages and make sure that they have Exchange Authentication enabled.
Article ID: 979174 - Last Review: 10/01/2015 07:15:00 - Revision: 6.0
Microsoft Exchange Server 2007 Standard Edition, Microsoft Exchange Server 2007 Enterprise Edition, Microsoft Exchange Server 2010 Standard, Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2013 Standard, Microsoft Exchange Server 2013 Enterprise, Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition
- kbsurveynew kbtshoot kbexpertisebeginner kbexpertiseinter KB979174