XADM: Logon Failure Event ID 677 with Exchange Server 5.5 and Active Directory Connector (281431)

MORE INFORMATION

The error is generated when the ADC attempts the contact the Lightweight Directory Access Protocol (LDAP) service on a member server running Exchange Server 5.5. The server running the ADC attempts to authenticate against Exchange service by requesting a Kerberos ticket for LDAP/myexhangesrv.mydomain.com.

The Microsoft Windows 2000 Kerberos Key Distribution Center (KDC) attempts to resolve the Service Principal Name (SPN) to a Windows 2000 server. Exchange Server 5.5 is not Kerberos-aware and does not register an SPN with the Active Directory. Because an SPN that matches does not exist, the KDC returns an error that is logged as the 677 event. The server that is running the ADC falls back to NTLM and is able to connect to the LDAP service on the Exchange Server computer.

Although it is possible to manually add an SPN for the LDAP server by using SETSPN from the Resource Kit, this will cause the ADC to fail.

Manually adding an SPN will cause the 677 events to stop. However, the ADC will no longer be able to authenticate to the LDAP service on the Exchange Server computer. Because the SPN can be resolved to a server, the KDC will return a Kerberos ticket for the target server (the server with the LDAP SPN registered). The server that is running the ADC will attempt to use a Kerberos ticket to authenticate to the Exchange service. Because Exchange 5.5 is not Kerberos-aware, it is not able to validate the user. This occurs even if Exchange Server 5.5 is installed on a Windows 2000 member server.