Event Id 1035

Hammoudeh 346 Reputation points
2020-11-18T05:55:48.673+00:00

Dear all,

I have 6 Exchange servers 2016 CU11. I'm getting event ID 1035 on all of them:

Inbound authentication failed with error LogonDenied for Receive connector Default Frontend "connector name". The authentication mechanism is Ntlm. The source IP address of the client who tried to authenticate to Microsoft Exchange is [load balancer ip].

I made the following change, but it did not work:

ADSI Edit, Configuration -> Services -> Microsoft Exchange -> Domain.com -> Administrative Groups -> Exchange Administrative Group -> Servers -> CAS01 -> Protocols -> SMTP Receive Connectors, then go to the properties for the "Client Proxy CAS01".

On the Security tab, go to "Authenticated Users" and make sure "Accept any Sender" and "Accept Authoritative Domain Sender" are set to Allow.

I ran: SetSPN -x
Processing entry 3
found 4 group of duplicate SPNs

===========================================

I ran: Get-OutlookAnywhere | FL Identity,*Host*,*Auth*

Identity : ServerName1\Rpc (Default Web Site)
ExternalHostname : mail.contoso.com
InternalHostname : mail.contoso.com
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Identity : ServerName2\Rpc (Default Web Site)
ExternalHostname : mail.contoso.com
InternalHostname : mail.contoso.com
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Identity : ServerName3\Rpc (Default Web Site)
ExternalHostname : mail.contoso.com
InternalHostname : mail.contoso.com
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Identity : ServerName4\Rpc (Default Web Site)
ExternalHostname : mail.contoso.com
InternalHostname : mail.contoso.com
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Identity : ServerName5\Rpc (Default Web Site)
ExternalHostname : mail.contoso.com
InternalHostname : mail.contoso.com
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Identity : ServerName6\Rpc (Default Web Site)
ExternalHostname : mail.contoso.com
InternalHostname : mail.contoso.com
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

============================================

I ran: Get-AutodiscoverVirtualDirectory | fl server, name, *auth*, *internal*, *external*

Server : ServerName1
Name : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl :
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalUrl :

Server : ServerName2
Name : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl :
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalUrl :

Server : ServerName3
Name : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl :
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalUrl :

Server : ServerName4
Name : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl :
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalUrl :

Server : ServerName5
Name : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl :
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalUrl :

Server : ServerName6
Name : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl :
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalUrl :

============================================================

Time between domain controllers and Exchange servers is correct.


2 answers

  1. Kael Yao-MSFT 37,646 Reputation points Microsoft Vendor
    2020-11-19T05:59:43.873+00:00

    @HamoudaAlbakri-3924
    Hi,

    Have you enabled protocol logging on the Default Frontend receive connector?
    Please check the log files under this path: \Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
    And find the username that failed to authenticate.
    If it's a valid account, please confirm with the owner whether he had trouble accessing his mailbox.
    Otherwise it may be someone who is trying to authenticate to attack or use your server as a relay.
    Please also check your load balancer to see if there are any suspicious IP addresses.



  2. Hammoudeh 346 Reputation points
    2020-11-19T09:59:55.063+00:00

    @Kael Yao-MSFT

    I checked the log, but there is no such information there; all I got:

    "220 servername.test.com Microsoft ESMTP MAIL Service ready at Thu, 19 Nov 2020 11:59:49 +0300"
    Remote(ConnectionReset)
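
An added example, not written by either poster: a PowerShell function that applies the log check suggested in the answer by summarising each session in the SmtpReceive protocol log by client address, failed authentication and disconnect reason, so that sessions like the one in the reply (banner followed by a reset, with no client commands) stand apart from real logon failures. The function name, the constructed sample lines and the "User Name:" line format are assumptions.

```powershell
# Standard field order of the SmtpReceive protocol log (also listed in each file's "#Fields:" line).
$Fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

function Get-SmtpSessionSummary {   # hypothetical helper name
    param([string[]]$Line)
    $Line | Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $Fields |
        Group-Object -Property 'session-id' |
        ForEach-Object {
            $g    = $_
            $rows = $g.Group
            $text = ($rows | ForEach-Object { $_.data; $_.context }) -join "`n"
            [pscustomobject]@{
                Session    = $g.Name
                RemoteIP   = $rows[0].'remote-endpoint' -replace ':\d+$'
                # '<' rows are commands received from the client
                ClientCmds = @($rows | Where-Object { $_.event -eq '<' }).Count
                AuthFailed = $text -match 'LogonDenied|535 5\.7\.3'
                # Assumption: a failed logon is accompanied by a "User Name: ..." line
                UserName   = if ($text -match 'User Name: (\S+)') { $Matches[1] }
                # Context of the '-' (disconnect) row, e.g. Remote(ConnectionReset)
                Disconnect = ($rows | Where-Object { $_.event -eq '-' } |
                              Select-Object -Last 1).context
            }
        }
}

# Constructed sample (placeholder server, addresses and account), not real log data.
$row    = '2020-11-19T08:59:49Z,CAS01\Default Frontend CAS01,{0},{1},192.0.2.10:25,{2},{3},{4},{5}'
$banner = '"220 servername.test.com Microsoft ESMTP MAIL Service ready at Thu, 19 Nov 2020 11:59:49 +0300"'
$Sample = @(
    '#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'
    $row -f 'S1',0,'192.0.2.50:40112','+','',''
    $row -f 'S1',1,'192.0.2.50:40112','>',$banner,''
    $row -f 'S1',2,'192.0.2.50:40112','-','','Remote(ConnectionReset)'
    $row -f 'S2',0,'192.0.2.50:40177','+','',''
    $row -f 'S2',1,'192.0.2.50:40177','>',$banner,''
    $row -f 'S2',2,'192.0.2.50:40177','<','EHLO client.example',''
    $row -f 'S2',3,'192.0.2.50:40177','<','AUTH NTLM',''
    $row -f 'S2',4,'192.0.2.50:40177','*','','User Name: EXAMPLE\placeholder-user'
    $row -f 'S2',5,'192.0.2.50:40177','>','535 5.7.3 Authentication unsuccessful',''
    $row -f 'S2',6,'192.0.2.50:40177','-','','Remote(ConnectionReset)'
)

Get-SmtpSessionSummary -Line $Sample | Format-Table -AutoSize
```

For real data, pass the output of `Get-Content` on the log files under the SmtpReceive path given in the answer. When every session reports the load balancer's address as RemoteIP, the protocol log alone cannot identify the original client, so the load balancer's own logs have to be correlated by timestamp.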

