Jude's Blog

Posts Tagged ‘Temporary authentication failure

Field Report: Edge Fails with “454 4.7.0 Temporary authentication failure”

leave a comment »

Issue


There was a scenario where it was noticed that outbound mails were not getting delivered. The environment had 2 Edge Servers together with 2 CAS/Mailbox servers, both being Exchange 2013. Upon checking the mailbox queue on the internal servers, it was noticed that the mails were stuck in the queue on the Send connector that was responsible for outbound mail delivery with Edge Server.

The Error reported the following.

451 4.4.0 Primary target IP address responded with: “454 4.7.0 Temporary authentication failure.”  Attempted failover to alternate host, but that did not succeed.  Either there are no alternate hosts, or delivery failed to all alternate hosts”

Additionally, the following tests were done.

  • System Clock was checked between all Edge, Mailbox/CAS and domain controllers. They were in the same time.
  • Checked for any replication issues between the domain controllers. No issues were found.
  • Checked for communication related issues between the Edge Server and the Internal Exchange Servers for the below ports. All required ports were open.
Network interface Open port Protocol Note
Inbound from and outbound to the internal network 25/TCP SMTP This port is required for mail flow to and from the Exchange organization.
Local only 50389/TCP LDAP This port is used to make a local connection to AD LDS.
Inbound from the internal network 50636/TCP Secure LDAP This port is required for EdgeSync synchronization.
Inbound from the internal network 3389/TCP RDP Opening this port is optional. It provides more flexibility in managing the Edge Transport servers from inside the internal network by letting you use a remote desktop connection to manage the Edge Transport server.
  • Checked the EdgeSync for Edge Server 01: The following results were noted.

    EdgeSync service cannot connect to this subscription because of error “No EdgeSync credentials were found for Edge transport server ED01.contoso.com on the local Hub Transport server. Remove the Edge subscription and re-subscribe the Edge Transport server.”

  • Upon checking the Event viewer, the following errors were thrown;
    • Event ID 1032

      Microsoft Exchange EdgeSync can’t find the replication credential on %1 to synchronize with Edge server %2. This may happen if %1 joined the current Active Directory site after subscription for %2 was established. To have this Hub Transport server participate in EdgeSync, re-subscribe %2 to the current Active Directory site.

Resolution


So basically, we see that the Edge Sync is not working as it should be. At the same time, we see that there’s a certificate issue as well. Upon checking the certificate, we identified that it’s from a local CA. So the next steps we would do is to;

  1. Re-assign Exchange services to the existing certificate
  2. Re run Edge Synchronization
  3. Verify

However, upon doing the service re-assigning to the existing services, the following error was thrown.

The internal transport certificate for the local server was damaged or missing in Active Directory. The problem has been fixed. However, if you have existing Edge Subscriptions, you must subscribe all Edge Transport servers again by using the New-EdgeSubscription cmdlet in the Shell.

Though it said the problem has been fixed, we were still unable to get Edge Sync working. So the final thought was to;

  1. Generate new Exchange Server certificate
  2. Assign services to new certificate
  3. Re-run Edge-Sync

Viola!!! No more errors!!

Written by judeperera

January 10, 2017 at 11:46 am