Event ID 1000 is logged when you configure Kerberos authentication between front-end and back-end servers that are running Exchange Server 2003 (909094)


The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

You configure Kerberos authentication between the front-end and back-end servers that are running Microsoft Exchange Server 2003. In this configuration, the following event is logged in the Application log on the front-end server:Event Type: Warning
Event Source: EXPROX
Event Category: None
Event ID: 1000
Date: Date
Time: Time
User: N/A
Computer: Front-end_Server_Name
Description: Microsoft Exchange Server has detected that NTLM-based authentication is presently being used between this server and server 'Back-end_Server_Name'. NTLM is still a secure authentication mechanism and protects users' credentials. However, this indicates that there may be a configuration issue preventing the use of Kerberos authentication. If this condition persists, please verify that both this server and server 'Back-end_Server_Name' are properly configured to use Kerberos authentication. After applying any changes it may be necessary to restart Internet Information Services on both the front-end and back-end servers. As a result the authentication protocol fails back to NTLM.This event indicates that NTLM authentication is being used instead of Kerberos authentication between the front-end and the back-end servers.

For more information about Event ID 1000, visit the Microsoft Events and Errors Message Center (EEMC) at the following Microsoft Web site:

http://www.microsoft.com/technet/support/ee/ee_advanced.aspx

CAUSE

This problem occurs when you use a disjointed DNS namespace. For example, in a domain that is named "country.domain.com," you use a fully-qualified domain name (FQDN) for the front-end server that resembles the following name:

Feserver.Region1.country.domain.com

In this case, a request is made for a Kerberos token in the domain "Region1.country.domain.com." However, this domain does not exist.

RESOLUTION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

After you install this hotfix, add the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\DAV
Value name: DisableRealmHint
Data type: REG_DWORD
Value data: 1

Note 0 and 1 are the only valid values. 0 is off, 1 is on.

Hotfix information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Exchange Server 2003 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

You must install Microsoft Exchange Server 2003 Service Pack 2 (SP2) before you apply the hotfix.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

836993 How to obtain the latest service packs for Exchange Server 2003

Restart requirement

You do not have to restart the computer after you apply the hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The global version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File nameFile versionFile sizeDateTimePlatform
Exprox.dll6.5.7651.19415,23222-Apr-200605:01x86

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about the terminology that Microsoft uses for software that is corrected after it is released, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

For more information about the naming schema for Exchange software updates, click the following article number to view the article in the Microsoft Knowledge Base:

817903 New naming schema for Exchange Server software update packages

Modification Type:MajorLast Reviewed:9/6/2006
Keywords:kbQFE kbfix kbBug kbhotfixserver kbpubtypekc KB909094 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.