|Component:||Microsoft Exchange Transport|
|Message:||EXPS is temporarily unable to provide protocol security with “<host name>“. “<function name>” called “<function name>” which failed with error code <error code> ( <file name>@<line number> ).|
Exchange Server, starting with version 2000 and later, authenticate together when they begin a connection with the Extended Simple Mail Transfer Protocol (ESMTP) X-EXPS authentication verb. If a Simple Mail Transfer Protocol (SMTP) server advertises this verb, Exchange will attempt to issue an X-EXPS command. Authentication will succeed if both servers are members of the “Exchange Domain Servers” Global Security group. All servers in an organization are added to this group by default. This extension (X-EXPS) is implemented as a protocol sink in Exchange 2000, and is a Microsoft proprietary ESMTP verb. This protocol sink uses the initial response from the server to determine whether a computer is local to the Exchange organization or is outside the Exchange organization.
An error is returned from this EXPS authentication function for names that are not Fully Qualified Domain Names or servers that are not in the Exchange organization and in the same Active Directory forest as the local Exchange Server. These events can be logged when the Exchange EXPS sinks cannot authenticate a target server as local. They can be logged under several different conditions and the Error Code in the Description section of the event may provide information as to the underlying cause. Use the ERROR.EXE program that ships on the Exchange Server CD-ROM to decode the error code to a readable text value. A few examples of the error codes that may be seen are as follows:
0x8009030c = SEC_E_LOGON_DENIED 0x8007052e = ERROR_LOGON_FAILURE 0x0000000c = ERROR_INVALID_ACCESS
Also note that this event cannot be logged unless Diagnostics Logging on the MSExchange Transport Service is turned up to maximum for the SMTP Protocol category.
If mail flow is not affected, this event can be ignored. However, it is preferable to investigate it to ensure that someone from outside the organization is not attempting to use known account information to relay off this server. If a successful SMTP authentication is performed, an MSExchange Transport Warning Event 1708 will also be logged that indicates the name of the user who performed the authentication.
If you suspect that this account is being used fraudulently, change the account password immediately using complex passwords. Ensure that the Everyone and Users groups have the “Access this computer from the network” right. If the 1706 event is referring to servers on the Internet, or outside the Exchange organization, check the properties of the SMTP Virtual Server or the SMTP connector and ensure that Outbound Security is set to Anonymous.