Random Outlook client authentication prompts.

 

Worked on the following issue a while back

 

Environment:

Windows 2008 SP1: With Exchange 2007 Client access server / Hub & Transport server SP1 RU8

Windows 2008 SP1: With Exchange 2007 Mailbox server SP1 RU8

Two Windows 2008 SP1 domain controllers in the same Active Directory site:

dnsdcgc.acme.com       

dcgc.acme.com

Outlook 2007 & Outlook 2003 SP3 Clients.

Issue:

 

During normal working hours, users randomly got Windows authentication prompts.

Users typed their domain/username and credentials and were able to continue to work as expected.

 

Troubleshooting:

 

When a user had the authentication prompt, we checked the connection status: hold down CTRL and right-click the Outlook icon in the system tray.

Note: The current status of the Directory connection is shown as Connecting.

Action:

 

We enabled the following diagnostic logging on the Windows 2008 Domain Controllers.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\4 MAPI Interface Events

Value : 5

(Default Value : 0)

 


With diagnostic logging for MAPI Interface Events turned up, we noticed the following event ID for the user who had the authentication prompt.

Directory Service log

**********************************************************************************************************

Log Name:         Directory Service
Source:             Microsoft-Windows-ActiveDirectory_DomainService
Date:                 2009-11-18 13:28:48
Event ID:           2820
Task Category:   MAPI Interface
Level:                Information
Keywords:         Classic
User:                 acme\username
Computer:         dnsdcgc.acme.com
Description:
NSPI max connection limit for the user has reached. You need to do NSPI unbind on old connections before making new connections.
Additional Data
Max NSPI connections per user:
S-1-5-21-3789412950-2605827310-1803858397-500
User:
%2

**********************************************************************************************************

 

Resolution:

 

How to modify the registry to allow for additional NSPI connections

If more concurrent NSPI connections per user are legitimately required, you can change the default limit.

To do this, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS

3. Click the Parameters key.
4. On the Edit menu, point to New, and then click DWORD Value.
5. Type NSPI max sessions per user, and then press ENTER.
6. Double-click NSPI max sessions per user, type the maximum number of the NSPI connections that you want to have, and then click OK.

Note:

There is no specific upper limit to this setting beyond the limits that are imposed by it being a DWORD (that is, 0xffffffff or about 4 billion).
Configuring the server in this manner will make it function similarly to Windows Server 2003 in terms of the maximum number of NSPI connections that are allowed per user.

7. Exit Registry Editor.
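
The diagnostic logging, the Event ID 2820 check and the registry change above, scripted as an added example (not from the original post or the Microsoft article). It assumes an elevated PowerShell 2.0 or later session on the domain controller; the function names Get-NspiLimitHits and Set-NspiMaxSessions are hypothetical, and the limit of 100 in the commented call is a constructed value.

```powershell
# Added example. Assumes an elevated PowerShell 2.0+ session on the domain controller.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# Turn MAPI Interface Events logging up to 5 (default 0) so Event ID 2820 is recorded.
Set-ItemProperty -Path "$ntds\Diagnostics" -Name '4 MAPI Interface Events' -Value 5

# Hypothetical helper: count Event ID 2820 per user over the last $Hours hours, to show
# which accounts are hitting the per-user NSPI limit before the limit is raised.
function Get-NspiLimitHits {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2820
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # @() keeps the pipeline empty (instead of passing $null) when nothing matches.
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) |
        Group-Object -Property {
            $sid = $_.UserId
            if (-not $sid) { '(no user recorded)' }
            else {
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # unresolvable SID: report it as-is
            }
        } |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Hypothetical helper: create or update the DWORD from the resolution steps and
# return the value read back from the registry.
function Set-NspiMaxSessions {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 2147483647)]   # kept within the signed 32-bit range for simplicity
        [int]$Limit
    )
    $name = 'NSPI max sessions per user'
    New-ItemProperty -Path "$ntds\Parameters" -Name $name -PropertyType DWord `
        -Value $Limit -Force | Out-Null
    (Get-ItemProperty -Path "$ntds\Parameters" -Name $name).$name
}

Get-NspiLimitHits -Hours 24 | Format-Table -AutoSize
# Set-NspiMaxSessions -Limit 100   # 100 is a constructed value; size it from the counts above

# Return diagnostic logging to its default once the investigation is finished.
# Set-ItemProperty -Path "$ntds\Diagnostics" -Name '4 MAPI Interface Events' -Value 0
```

Because the limit exists to protect the domain controller against resource depletion, the per-user counts are worth reviewing before the value is raised: a single account with a very high count points at one client or application that is not closing its NSPI connections.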

 

More information:

 

NSPI connections from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with an error code: "MAPI_E_LOGON_FAILED"

 

This behavior occurs because Windows Server 2008 only allows for a default maximum of 50 concurrent NSPI connections per user to any domain controller. Additional NSPI connections are rejected with a MAPI_E_LOGON_FAILED error code.

Note:

Windows Server 2003 and earlier versions of Microsoft Windows operating systems do not exhibit this behavior. The change of behavior in Windows Server 2008 is intended to protect domain controllers against clients that open too many NSPI connections without then closing the connections.

Too many connections such as these can result in resource depletion.

 

NSPI connections from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with an error code: "MAPI_E_LOGON_FAILED"
https://support.microsoft.com/default.aspx?scid=kb;EN-US;949469

Comments

  • Anonymous
    August 25, 2011
    Hi, I have a very simple script that sends a mail to my mailbox (Exchange 2003) and checks that this e-mail has been received. The send is OK, but when it tries to check, I receive the following error: c:script.vbs (174,5) Collaboration data objects: the information store could not be opened. [MAPI 1.0 - [MAPI_E_LOGON_FAILED (80040111) Do you know anything about it? Thanks.