Exchange 2010 Edge Server SMTP Authentication possible?
Hello everyone,
I'm trying to get SMTP Auth working with an Exchange 2010 Edge Server and always get the following result (protocol log from a mailer):
>>> Connecting to "edge.company.loc" [13.09.10 10:27] <<<
220 mail.company.com Microsoft ESMTP MAIL Service ready at Mon, 13 Sep 2010 10:26:28 +0200
EHLO [10.0.x.x]
250-mail.keytrade.ch Hello [10.0.x.x]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XSHADOW
AUTH LOGIN
334 VXNlcm5hbWU6
535 5.7.3 Authentication unsuccessful
I know that the credentials are valid, because I could login to the POP3 account on the HT server with those.
I've followed the suggestions from this thread: http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/9602b58e-0d38-4ecd-8ba7-e938edb8e555 already, and when I Get-ADPermissions from the Receive Connector I can see that Authenticated Users have the ExtendedRight I set.
This raised the question of whether EdgeSync works correctly for the ADAM instance on my Edge Server, so I did some tests:
[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode
RunspaceId : 024d1c6c-af3e-4a48-84a7-b870d7a9f581
SyncStatus : Normal
UtcNow : 13.09.2010 07:41:45
(...)
LeaseType : Option
FailureDetail :
LeaseExpiryUtc : 13.09.2010 08:41:04
LastSynchronizedUtc : 13.09.2010 07:41:04
TransportServerStatus : Synchronized
TransportConfigStatus : Synchronized
AcceptedDomainStatus : Synchronized
RemoteDomainStatus : Synchronized
SendConnectorStatus : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus : NotSynchronized
CredentialRecords : Number of credentials 3
CookieRecords : Number of cookies 2
Obviously there's something wrong with EdgeSync, I thought, and tried some other means to test if at least recipients are synced:
[PS] C:\Windows\system32>Test-EdgeSynchronization -VerifyRecipient validuser@company.com
RunspaceId : 024d1c6c-af3e-4a48-84a7-b870d7a9f581
SyncStatus : Inconclusive
UtcNow : 13.09.2010 08:39:41
(...)
LeaseType : Option
FailureDetail :
LeaseExpiryUtc : 13.09.2010 09:37:50
LastSynchronizedUtc : 13.09.2010 08:37:50
TransportServerStatus : Skipped
TransportConfigStatus : Skipped
AcceptedDomainStatus : Skipped
RemoteDomainStatus : Skipped
SendConnectorStatus : Skipped
MessageClassificationStatus : Skipped
RecipientStatus : Synchronized
CredentialRecords : Number of credentials 3
CookieRecords : Number of cookies 2
Same goes if I do a telnet test with Recipient Filtering enabled:
220 mail.company.com Microsoft ESMTP MAIL Service ready at Mon, 13 Sep 2010 10:41:10 +0200
ehlo test.ch
250-mail.company.com Hello [10.0.x.x]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XSHADOW
mail from: test@test.ch
250 2.1.0 Sender OK
rcpt to: asdf@company.com
550 5.1.1 User unknown
quit
221 2.0.0 Service closing transmission channel
So we can see that asdf is an invalid user and thus correctly gets identified as such, while when I send mail to a valid user, it will be accepted. So EdgeSync isn't failing completely, it just won't cache credentials.
How can I make EdgeSync cache credentials?
Thanks in advance,
Jonas
September 13th, 2010 8:52am
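The protocol log in the post shows the server offering STARTTLS and AUTH NTLM LOGIN, the mailer answering with AUTH LOGIN on the still-plaintext session, and the base64 in the 334 reply being nothing more than the word "Username:". As an added example, not part of the original post, here is a small Python parser that walks such a client/server transcript and reports the advertised mechanisms, whether AUTH was attempted before TLS was negotiated, the decoded challenges, and the final reply code. The embedded transcript is constructed from the one above (credential lines omitted, as in the original).

```python
import base64
import re

# Constructed transcript modelled on the mailer's protocol log in the post.
SAMPLE_LOG = """\
220 mail.company.com Microsoft ESMTP MAIL Service ready at Mon, 13 Sep 2010 10:26:28 +0200
EHLO [10.0.x.x]
250-mail.company.com Hello [10.0.x.x]
250-SIZE 10485760
250-STARTTLS
250-AUTH NTLM LOGIN
250-X-EXPS NTLM
250 XSHADOW
AUTH LOGIN
334 VXNlcm5hbWU6
535 5.7.3 Authentication unsuccessful
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # server replies: code, separator, text

def analyze_smtp_auth(log: str) -> dict:
    """Walk an SMTP transcript and summarise the AUTH exchange it contains."""
    result = {"auth_mechanisms": [], "starttls_offered": False, "tls_active": False,
              "auth_mechanism": None, "auth_before_tls": False,
              "challenges": [], "auth_result": None}
    tls_pending = False   # client sent STARTTLS, waiting for the 220 that starts TLS
    in_auth = False       # inside an AUTH exchange, 334 lines are challenges
    for line in log.splitlines():
        m = REPLY.match(line)
        if m:                                   # a server reply
            code, text = m.group(1), m.group(3)
            if code == "250" and text.upper().startswith("AUTH "):
                result["auth_mechanisms"] = text.split()[1:]
            elif code == "250" and text.upper() == "STARTTLS":
                result["starttls_offered"] = True
            elif code == "220" and tls_pending:
                result["tls_active"], tls_pending = True, False
            elif code == "334" and in_auth:     # challenge is base64 text, not a secret
                result["challenges"].append(base64.b64decode(text).decode("utf-8", "replace"))
            elif in_auth and code in ("235", "535", "454", "501", "504"):
                result["auth_result"], in_auth = code, False
            continue
        verb = line.split(" ", 1)[0].upper()    # a client command (or a base64 response)
        if verb == "STARTTLS":
            tls_pending = True
        elif verb == "AUTH":
            in_auth = True
            result["auth_mechanism"] = line.split()[1].upper()
            # credentials sent before TLS is active travel base64-encoded, i.e. in the clear
            result["auth_before_tls"] = not result["tls_active"]
    return result
```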
Please remove the edge subscription, add it again, and then check the result again
Managing Edge Subscriptions
Please increase the diagnostic logging level for the transport component on the edge, and then reproduce the authentication issue again, and see if there's any related event in the application log.
James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
September 15th, 2010 3:35am
I did already re-subscribe Edge, with no success, I even removed the subscription first and generated a new subscription file, which I imported again on the Exchange HT/MB/everything Server - it just won't do.
I already raised diagnostic levels for Transport authentication - it just says access denied, since it can't find the user, which makes sense, after what I've seen from EdgeSync.
Do you have another idea on how to get the credentials synchronization to work or on how to troubleshoot it?
September 15th, 2010 10:24am
Could you post the events about this access denied?
James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
September 15th, 2010 10:52pm
Is your edge box domain joined? Otherwise, how would this work? Passwords are not included in edgesync.
"This authorization can be done by Edge only if it is in the domain. Since this is not the most common configuration, the Hub role may be more suited for this purpose."
src: http://msexchangeteam.com/archive/2007/05/16/439093.aspx
Mike Crowley
Check out My Blog!
September 20th, 2010 8:27pm
Is your edge box domain joined? Otherwise, how would this work? Passwords are not included in edgesync.
"This authorization can be done by Edge only if it is in the domain. Since this is not the most common configuration, the Hub role may be more suited for this purpose."
src: http://msexchangeteam.com/archive/2007/05/16/439093.aspx
I'm sorry, I'm not convinced - after all, an ADAM instance on an ISA server can authenticate users very well, and EdgeSync is also using ADAM.
EdgeSync also states in the Test-EdgeSynchronization output:
(...)
RecipientStatus : Synchronized
CredentialRecords : Number of credentials 3
CookieRecords : Number of cookies 2
So, what are those CredentialRecords then? Are those left-overs from unfinished coding?
But if that's really not supported, what's the idea of a secure Exchange environment then? It can't be the idea that a domain-joined HT server is in the DMZ, can it? - The other way round, you would need to open ports directly into the LAN to the internal HT server? WTF!
September 22nd, 2010 3:35am
You can use TMG to publish an internal HT's SMTP server (provided the TMG server has 2 NICs). But in this case it isn't the receive connector on the Edge, but the one on the HT that's actually accepting the mail.
Just because TMG is installed on the same box as edge doesn't somehow mean it magically knows to authenticate SMTP connections - which is why the option to publish an SMTP server is present.
So while I would think this solves your issue of functionality and security, the "spirit" of Exchange doesn't require users to connect to SMTP anyway. Outlook Anywhere allows users to connect via RPC/MAPI over HTTPS which is more full featured anyway.
Mike Crowley
Check out My Blog!
September 22nd, 2010 10:15am