Issue connecting Outlook 2007 to Exchange over VPN from Vista

E

Exile_Ken

I have an issue with a laptop running Vista w SP1 that can not connect
Outlook 2007 to our Exchange 2003 server over a VPN connection. The VPN
connection is valid and Windows authentication is working as we can access
mapped drives, and other network resources. Here are the details:
When connected to the network, W2K3 AD native mode domain, Outlook connects
without an issue. Once the user is remote, they login over VPN using
CheckPoint SecureRemote client, Version 6. The firewall successfully
authenticates the VPN connection. When the user opens Internet Explorer, it
goes to the home page which is our Sharepoint Portal. The user is properly
authenticated in Sharepoint as he can only access the sites that he has
permissions for. The user can access mapped drives, (although when
connecting to the drives initially there is a prompt for domain username and
password). When the user opens Outlook 2007, he is not prompted for domain
username and password. Outlook does not connect. It shows attempting to
connect to Microsoft Exchange server, but fails and shows the status as
disconnected.
This appears to be an authentication issue. When I look in the Windows
Logs in Event Viewer there appear the same sequence of Event IDs each time
the user attempts to connect to Exchange. All four are “Warning Eventsâ€
with Event ID 40960 and a source of LsaSrv, which obviously has something to
do with Kerberos authentication. The message details are nearly identical,
with the exception of two or three characters that appear just before a
forward slash, and the name of the server it is trying to connect to. The
first message shows an attempt to connect to the mail server (the names of
the servers it is trying to connect to have been changed, but they are the
correct names):
The Security System detected an authentication error for the server
exchangeRFR/abc-mail.mydomain.com. The failure code from authentication
protocol Kerberos was "There are currently no logon servers available to
service the logon request.
(0xc000005e)".

The second message shows an attempt to connect to the domain controller.

The Security System detected an authentication error for the server
exchangeAB/abc-dc.mydomain.com. The failure code from authentication protocol
Kerberos was "There are currently no logon servers available to service the
logon request.
(0xc000005e)".
The third message shows the same AB reference, but is attempting to connect
to the mail server.
The Security System detected an authentication error for the server
exchangeAB/abc-mail.mydomain.com. The failure code from authentication
protocol Kerberos was "There are currently no logon servers available to
service the logon request.
(0xc000005e)".
The last event is an attempt to connect to the mail server with an MDB
reference.
The Security System detected an authentication error for the server
exchangeMDB/abc-mail.mydomain.com. The failure code from authentication
protocol Kerberos was "There are currently no logon servers available to
service the logon request.
(0xc000005e)".

These 4 event ids appear consistently each time we try to make a connection
form Outlook to Exchange. I can successfully ping both the mail server and
DC by name. I have searched Google Groups and Technet, and looked this up on
EventID.net, and have not found a solution.
Thank you in advance for any assistance you can provide.

Ken Merrigan
 
T

The poster formerly known as 'The Poster Formerly

Exile_Ken said:
I have an issue with a laptop running Vista w SP1 that can not connect
Outlook 2007 to our Exchange 2003 server over a VPN connection. The VPN
connection is valid and Windows authentication is working as we can access
mapped drives, and other network resources. Here are the details:
When connected to the network, W2K3 AD native mode domain, Outlook connects
without an issue. Once the user is remote, they login over VPN using
CheckPoint SecureRemote client, Version 6.

We are running into the same problem. Are you using secure remote, or
secure client?
The firewall successfully
authenticates the VPN connection. When the user opens Internet Explorer, it
goes to the home page which is our Sharepoint Portal. The user is properly
authenticated in Sharepoint as he can only access the sites that he has
permissions for. The user can access mapped drives, (although when
connecting to the drives initially there is a prompt for domain username and
password). When the user opens Outlook 2007, he is not prompted for domain
username and password. Outlook does not connect. It shows attempting to
connect to Microsoft Exchange server, but fails and shows the status as
disconnected.
This appears to be an authentication issue. When I look in the Windows
Logs in Event Viewer there appear the same sequence of Event IDs each time
the user attempts to connect to Exchange. All four are “Warning Eventsâ€
with Event ID 40960 and a source of LsaSrv, which obviously has something to
do with Kerberos authentication. The message details are nearly identical,
with the exception of two or three characters that appear just before a
forward slash, and the name of the server it is trying to connect to. The
first message shows an attempt to connect to the mail server (the names of
the servers it is trying to connect to have been changed, but they are the
correct names):
The Security System detected an authentication error for the server
exchangeRFR/abc-mail.mydomain.com. The failure code from authentication
protocol Kerberos was "There are currently no logon servers available to
service the logon request.
(0xc000005e)".

The second message shows an attempt to connect to the domain controller.

The Security System detected an authentication error for the server
exchangeAB/abc-dc.mydomain.com. The failure code from authentication protocol
Kerberos was "There are currently no logon servers available to service the
logon request.
(0xc000005e)".
The third message shows the same AB reference, but is attempting to connect
to the mail server.
The Security System detected an authentication error for the server
exchangeAB/abc-mail.mydomain.com. The failure code from authentication
protocol Kerberos was "There are currently no logon servers available to
service the logon request.
(0xc000005e)".
The last event is an attempt to connect to the mail server with an MDB
reference.
The Security System detected an authentication error for the server
exchangeMDB/abc-mail.mydomain.com. The failure code from authentication
protocol Kerberos was "There are currently no logon servers available to
service the logon request.
(0xc000005e)".

These 4 event ids appear consistently each time we try to make a connection
form Outlook to Exchange. I can successfully ping both the mail server and
DC by name. I have searched Google Groups and Technet, and looked this up on
EventID.net, and have not found a solution.
Thank you in advance for any assistance you can provide.

Ken Merrigan

Our setup differs slightly from yours, Vista business 32 bit RTM and
OL2007 on the client machines. Windows server 2003 mixed AD domain and
exchange 2007 is the environment we are trying to connect to. Just like
you, the OL2007 clients work great on the network, but when trying to
connect remotely, they authenticate through the securemote VPN just
fine, access mapped drives and other encrypted 3rd party resources on
the network, but OL/exchange does not connect. We use the securemote
(the free client), not the secure client. Interestingly enough, outlook
2002 connects remotely just fine over the same setup.

I'll check my vista clients to see if they get the same error messages
in the eventlogs.

--
"Fair use is not merely a nice concept--it is a federal law based on
free speech rights under the First Amendment and is a cornerstone of the
creativity and innovation that is a hallmark of this country. Consumer
rights in the digital age are not frivolous."
- Maura Corbett
 
E

Exile_Ken

">
We are running into the same problem. Are you using secure remote, or
secure client?
Thank you for your response. We are using SecureRemote, not SecureClient.
That is interesting that your Outlook 2002 clients connect. Are these
Outlook 2002 on Vista? I didn’t think that was supported.

KM
 
T

The poster formerly known as 'The Poster Formerly

Exile_Ken said:
">
Thank you for your response. We are using SecureRemote, not SecureClient.
That is interesting that your Outlook 2002 clients connect. Are these
Outlook 2002 on Vista? I didn’t think that was supported.

KM

Yes, outlook 2002 on XP or Vista connects remotely. No, OL2002 is not
officially supported on Vista, but I got the 2 to work together, and
that is what we plan to deploy until we get OL2007 to connect over the VPN.

Did you find these events in the system event log?

--
"Fair use is not merely a nice concept--it is a federal law based on
free speech rights under the First Amendment and is a cornerstone of the
creativity and innovation that is a hallmark of this country. Consumer
rights in the digital age are not frivolous."
- Maura Corbett

DRM and unintended consequences:
http://blogs.techrepublic.com.com/security/?p=435&tag=nl.e101
 
E

Exile_Ken

The poster formerly known as 'The Poster said:
Yes, outlook 2002 on XP or Vista connects remotely. No, OL2002 is not
officially supported on Vista, but I got the 2 to work together, and
that is what we plan to deploy until we get OL2007 to connect over the VPN.

Did you find these events in the system event log?

Yes. They appear in the System Log. My apologies for not mentioning that.

KM
 
T

The poster formerly known as 'The Poster Formerly

Exile_Ken said:
Yes. They appear in the System Log. My apologies for not mentioning that.

KM

OK Ken, sorry it took me a while to respond. I was finally able to
revisit this issue and I tried yet again to connect and it failed as I
suspected it would. However, I did not find any of your same event log
entries you mention:

“Warning Events†with Event ID 40960 and a source of LsaSrv, which
obviously has something to do with Kerberos authentication.

The specific version of Securemote we are using is NGX R60 HFA2 Build 044.

Please let me know if you solve this issue for yourself or if you have
any new info, it may help me fix this problem as well. Hope my feedback
is able to help you also. Thanks.

--
"...every non-modular OS SUCKS...Speaking for myself only."
- zachd [MSFT]

DRM and unintended consequences:
http://blogs.techrepublic.com.com/security/?p=435&tag=nl.e101
 
E

Exile_Ken

Thank you for the response. I have been on vacation the past few weeks so I
did not get a chance to respond until today.
The user needed to be able to get Outlook working, so as a short term fix I
uninstalled Office 2007 and installed Office 2003. This fixed the issue.
When the user opens Outlook 2003 with a VPN connection, he is prompted for
his password (domain\user name is saved), and Outlook connects to the
Exchange server. So this confirms that there was something in the
authentication process, for some reason Outlook 2007 was unable to
authenticate the user to the Exchange server. I hope in a few weeks to be
able to reinstall Office 2007 in this machine and continue to troubleshoot
this. I believe that this is the only one of 3 or 4 Vista laptops that had
this issue.
If and when I am able to troubleshoot this further, I will post in this
thread. Thank you.
 
T

The poster formerly known as 'The Poster Formerly

Exile_Ken said:
Thank you for the response. I have been on vacation the past few weeks so I
did not get a chance to respond until today.
The user needed to be able to get Outlook working, so as a short term fix I
uninstalled Office 2007 and installed Office 2003. This fixed the issue.
When the user opens Outlook 2003 with a VPN connection, he is prompted for
his password (domain\user name is saved), and Outlook connects to the
Exchange server. So this confirms that there was something in the
authentication process, for some reason Outlook 2007 was unable to
authenticate the user to the Exchange server. I hope in a few weeks to be
able to reinstall Office 2007 in this machine and continue to troubleshoot
this. I believe that this is the only one of 3 or 4 Vista laptops that had
this issue.
If and when I am able to troubleshoot this further, I will post in this
thread. Thank you.

That would be great! Thanks for your response.

--
"...every non-modular OS SUCKS...Speaking for myself only."
- zachd [MSFT]

DRM and unintended consequences:
http://blogs.techrepublic.com.com/security/?p=435&tag=nl.e101
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top