Exchange not authenticating

DC Gringo

I have a WinXP Prof client trying to authenticate to Exchange through a
Cisco VPN 3.0.

I can connect and authenticate to all network resources with the exception
of Exchange...it doesn't utilize the integrated single-sign-on that it
normally used to. What I notice in my services applet is that IPSec service
stops upon authentication of the VPN...could that have something to do with
it?

Any ideas or suggestions would be helpful.
 
neo [mvp outlook]

If you are using the Outlook 2003 client, change authentication security in
Outlook from Kerberos/NTLM to just NTLM.
 
DC Gringo

Nope, Outlook 2002...

_____
DC G

neo said:
If you are using the Outlook 2003 client, change authentication security in
Outlook from Kerberos/NTLM to just NTLM.
 
neo [mvp outlook]

Have you verified that DNS/WINS name resolution is working OK for the VPN
client? (Use NSLOOKUP and NBTSTAT to verify each.)
 
DC Gringo

I have had some DNS issues, but only involving a couple of servers that are
co-located through another separate VPN.

What check do you want me to do, specifically with nslookup and nbtstat?

_____
DC G
 
DC Gringo

It appears to be working correctly...

nbtstat -r gives me:

Resolved By Broadcast = 0
Resolved By Name Server = 5

Registered by Broadcast = 10
Registered By Name Server = 7

nslookup mymachine gives me:

(on the LAN)
Server: abc-share1.company.net
Address: 10.0.0.65

(on the VPN)
Name: mymachine.company.net
Address: 10.0.2.167

_____
DC G
 
neo [mvp outlook]

Connect to the network via VPN and then do the following.

nbtstat -a <exchange server name>
nbtstat -A <ip address of exchange server>

nslookup -q=A <exchange server name>
nslookup -q=A <fqdn.exchange.server.name>

Basically, what we are looking for is to see if anything comes back on a
secondary interface that says not found or slow name resolution. By the
way, you didn't mention what version of Exchange is in use, so if it is
Exchange 200x, then do the same tests above with the name of the global
catalog server(s).
 
DC Gringo

Ok, here goes:


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

H:\>nbtstat -a chq-exchange

Local Area Connection:
Node IpAddress: [10.0.1.108] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
HQ-EXCHANGE <20> UNIQUE Registered
HQ-EXCHANGE <00> UNIQUE Registered

MAC Address = xx-xx-xx-xx-xx-xx


H:\>nbtstat -A 10.0.0.8

Local Area Connection:
Node IpAddress: [10.0.1.108] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
HQ-EXCHANGE <20> UNIQUE Registered
HQ-EXCHANGE <00> UNIQUE Registered

MAC Address = xx-xx-xx-xx-xx-xx


H:\>nslookup -q=A hq-exchange
Server: hq-share1.company.net
Address: 10.0.0.65

Name: hq-exchange.company.net
Address: 10.0.0.8


H:\>nslookup -q=A hq-exchange.company.net
Server: hq-share1.company.net
Address: 10.0.0.65

Name: hq-exchange.company.net
Address: 10.0.0.8


H:\>
 
DC Gringo

Neo, here is my netdiag as well:

C:\Program Files\Support Tools>netdiag

....................................^C
C:\Program Files\Support Tools>netdiag

.........................................

Computer Name: CIL-132
DNS Host Name: CIL-132.company.net
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 6 Model 9 Stepping 5, GenuineIntel
List of installed hotfixes :
KB823559
KB828741
KB833407
KB833987
KB835732
KB841533
KB873376
KB887822
Q147222
Q323255
Q329115


Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'RAS Async Adapter' may not be working because it has not received any packets.
GetStats failed for 'Infrared Port'. [ERROR_NOT_SUPPORTED]
[WARNING] The net card 'SMC IrCC - Fast Infrared Port' may not be working because it has not received any packets.



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : CIL-132
IP Address . . . . . . . . : 10.0.1.108
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 10.0.0.2
Primary WINS Server. . . . : 10.0.0.56
Secondary WINS Server. . . : 10.0.0.65
Dns Servers. . . . . . . . : 10.0.0.65
10.0.0.56


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{835C0C29-41D5-4784-80B8-FC860CFF960C}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{835C0C29-41D5-4784-80B8-FC860CFF960C}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{835C0C29-41D5-4784-80B8-FC860CFF960C}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
Secure channel for domain 'company_HQ' is to '\\hq-ADMIN.company.net'.


Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/CIL-132.company.net.


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'hq-share1129a.company.net'.
[WARNING] Failed to query SPN registration on DC 'hq-share2.company.net'.
[WARNING] Failed to query SPN registration on DC 'hq-share1.company.net'.
[WARNING] Failed to query SPN registration on DC 'hq-avsms.company.net'.
[WARNING] Failed to query SPN registration on DC 'hq-share1129b.company.net'.
[WARNING] Failed to query SPN registration on DC 'hq-ADMIN.company.net'.
[WARNING] Failed to query SPN registration on DC 'hq-dc1.company.net'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information


The command completed successfully

C:\Program Files\Support Tools>
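
Added example, not part of any post in this thread: a small Python triage script that pulls out of a netdiag report the tests that failed and the tests that passed but still logged FATAL/WARNING lines, which are easy to miss among the Passed results. The sample text is constructed to match the shape of the output above, and the names `triage` and `needs_attention` are hypothetical.

```python
import re

# Constructed sample, shaped like the netdiag output posted in the thread
# (including a message hard-wrapped onto a second line).
SAMPLE = """\
DNS test . . . . . . . . . . . . . : Passed

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/CIL-132.company.net.

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC
'hq-share1.company.net'.

WAN configuration test . . . . . . : Skipped
No active remote access connections.
"""

# "<test name>[dot leaders] : Passed|Failed|Skipped"
RESULT = re.compile(r"^\s*(.+?)[ .]*\s:\s(Passed|Failed|Skipped)\s*$")
# "[FATAL] text" or "[WARNING] text"
FLAGGED = re.compile(r"^\[(FATAL|WARNING)\]\s*(.*)$")

def triage(text):
    """Parse netdiag text into [{'name', 'status', 'messages'}] in report order."""
    tests, open_msg = [], None
    for line in text.splitlines():
        stripped = line.strip()
        result, flagged = RESULT.match(line), FLAGGED.match(stripped)
        if result:
            tests.append({"name": result.group(1), "status": result.group(2), "messages": []})
            open_msg = None
        elif flagged and tests:
            open_msg = [flagged.group(1), flagged.group(2)]
            tests[-1]["messages"].append(open_msg)
        elif stripped and open_msg is not None:
            # Heuristic: a non-blank line after a flagged message is its wrapped tail.
            open_msg[1] += " " + stripped
        else:
            open_msg = None
    return tests

def needs_attention(text):
    """Tests that failed, or passed while still emitting FATAL/WARNING lines."""
    return [t for t in triage(text) if t["status"] == "Failed" or t["messages"]]

if __name__ == "__main__":
    for t in needs_attention(SAMPLE):
        print(t["name"], "->", t["status"])
        for severity, message in t["messages"]:
            print("   ", severity, message)
```

To use it on a real report, redirect netdiag to a file and pass the file's contents to `needs_attention` in place of `SAMPLE`.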
 
