XCCC: Client NTLM and SPA Authentication Is Not Supported with a Front-End Server (306874)



The information in this article applies to:

  • Microsoft Exchange 2000 Server

This article was previously published under Q306874

SYMPTOMS

In a front-end and back-end environment, an Internet Message Access Protocol, Version 4rev1 (IMAP4) or Post Office Protocol version 3 (POP3) client (such as Microsoft Outlook Express) may not be able to authenticate logon credentials with the front-end server by using NTLM (or SPA). The client may prompt for authentication continuously.

CAUSE

Front-end servers do not support NTLM authentication because it requires a persistent connection. The front-end servers reuse connections as necessary. However, basic authentication is supported.

When you use Exchange 2000, this problem can occur because front-end IMAP4 or POP3 servers incorrectly advertise NTLM authentication. With Exchange 2000 Service Pack 1 installed, front-end servers do not advertise NTLM, which allows the client program to indicate that the authentication is not supported or did not work. Installing Exchange 2000 Service Pack 1 does not change this aspect of the behavior of back-end servers.

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack

STATUS

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Service Pack 1.

MORE INFORMATION

You can test the behavior difference between an Exchange 2000 server and a server on which Exchange 2000 Service Pack 1 is applied. To do so, use the telnet utility:
  • For IMAP4:

    1. Connect to port 143 of the Exchange 2000 server.
    2. Type the CAPABILITY command.
    With Exchange 2000 SP1 installed on the front-end server, NTLM is not in the response.
  • For POP3:

    1. Connect to port 110 of the Exchange 2000 server.
    2. Type the AUTH command.
    With Exchange 2000 SP1 installed on the front-end server, NTLM is not in the response.
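
The check described in the telnet steps above can be automated over saved server replies. The following is an added example, not part of the original article: the function names and the sample replies are constructed for illustration, and each function expects only the server's reply to the CAPABILITY or AUTH command (not the connection greeting).

```python
"""Report whether a saved IMAP4 CAPABILITY or POP3 AUTH reply advertises NTLM."""

def imap_auth_mechanisms(reply: str) -> set:
    """Collect AUTH=<mechanism> tokens from untagged '* CAPABILITY' lines."""
    mechs = set()
    for line in reply.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "*" and parts[1].upper() == "CAPABILITY":
            for token in parts[2:]:
                if token.upper().startswith("AUTH="):
                    mechs.add(token[5:].upper())
    return mechs

def pop3_auth_mechanisms(reply: str) -> set:
    """Collect mechanism names listed between '+OK' and the terminating '.'."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].upper().startswith("+OK"):
        return set()  # -ERR or empty reply: nothing is advertised
    mechs = set()
    for line in lines[1:]:
        if line == ".":  # end of the multi-line reply
            break
        mechs.add(line.upper())
    return mechs

def advertises_ntlm(protocol: str, reply: str) -> bool:
    """True if the reply for the given protocol ('imap' or 'pop3') lists NTLM."""
    parsers = {"imap": imap_auth_mechanisms, "pop3": pop3_auth_mechanisms}
    if protocol not in parsers:
        raise ValueError("protocol must be 'imap' or 'pop3'")
    return "NTLM" in parsers[protocol](reply)

# Constructed sample replies (not captured from a real server).
IMAP_ADVERTISING = "* CAPABILITY IMAP4 IMAP4rev1 IDLE NAMESPACE AUTH=NTLM\r\na1 OK CAPABILITY completed.\r\n"
IMAP_NOT_ADVERTISING = "* CAPABILITY IMAP4 IMAP4rev1 IDLE NAMESPACE\r\na1 OK CAPABILITY completed.\r\n"
POP3_ADVERTISING = "+OK\r\nNTLM\r\n.\r\n"
POP3_NOT_ADVERTISING = "+OK\r\n.\r\n"

if __name__ == "__main__":
    for name, proto, reply in [
        ("IMAP4, NTLM advertised", "imap", IMAP_ADVERTISING),
        ("IMAP4, NTLM not advertised", "imap", IMAP_NOT_ADVERTISING),
        ("POP3, NTLM advertised", "pop3", POP3_ADVERTISING),
        ("POP3, NTLM not advertised", "pop3", POP3_NOT_ADVERTISING),
    ]:
        print(f"{name}: advertises NTLM = {advertises_ntlm(proto, reply)}")
```
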
When the client connects to a front-end server that is running Exchange 2000 SP1 or later, the behavior of the client program changes; the client indicates that authentication did not work. For example, Outlook Express displays the following error messages:
  • For POP3 connection:
    Unable to logon to the server using Secure Password Authentication. Account: 'user-account', Server: 'server-name', Protocol: POP3, Server Response: '.', Port: 110, Secure(SSL): No, Error Number: 0x800CCC18
  • For IMAP connection:
    Your 'Inbox' folder was not polled for its unread count. General authentication failed. None of the authentication methods supported by your IMAP server (if any) are supported on this computer. Account: 'user-account', Server: 'server-name', Protocol: IMAP, Server Response: '', Port: 143, Secure(SSL): No, Error Number: 0x800CCCDF

Modification Type: Minor
Last Reviewed: 4/25/2005
Keywords: kbbug kbfix KB306874