Microsoft Exchange Server has detected that NTLM-based authentication is presently being used between this server and server ”. NTLM is still a secure authentication mechanism and protects users’ credentials. However, this indicates that there may be a configuration issue preventing the use of Kerberos authentication. If this condition persists, please verify that server ‘%1’ is properly configured to use Kerberos authentication.After applying any changes it may be necessary to restart Internet InformationServices on both the front-end and back-end servers.

Details
Product: Exchange
Event ID: 1000
Source: EXPROX
Version: 6.5.7638.0
Component: Microsoft Exchange Proxy
Message: Microsoft Exchange Server has detected that NTLM-based authentication is presently being used between this server and server ‘<<%1>>‘. NTLM is still a secure authentication mechanism and protects users’ credentials. However, this indicates that there may be a configuration issue preventing the use of Kerberos authentication. If this condition persists, please verify that server ‘%1’ is properly configured to use Kerberos authentication.After applying any changes it may be necessary to restart Internet InformationServices on both the front-end and back-end servers.
   
Explanation

This event may be logged on an Exchange Server 2003 server configured as a front-end server when both of the following conditions are true:

  • An Exchange Server 2003 front-end server is attempting authentication to a back-end server.
  • The back-end server is running Exchange 2000 Server. Exchange 2000 Server does not support Kerberos authentication.

This event may also be logged by a front-end server that is communicating with a back-end server where either or both servers have Integrated Windows authentication disabled.

   
User Action

If the back-end server is running Exchange 2003, make sure that Integrated Windows authentication is enabled for both the front-end and back-end servers. If the back-end server is running Exchange 2000 Server, this event can be safely ignored. If the attempt to use Kerberos authentication between an Exchange 2003 front-end server and an Exchange 2000 back-end server fails, NTLM authentication will be used.

You can also examine the IIS metabase on the back-end server to verify that the NTAuthenticationProviders value is set to Negotiate,NTLM. This value enables both NTLM and Kerberos. In this scenario, if an Exchange front-end server tries to use Kerberos with the back-end server and fails for any reason, the front-end server can fall back to using NTLM for authentication.

For details, see the following articles in the Microsoft Knowledge Base:

326985 HOW TO: Troubleshoot Kerberos-Related Issues in IIS

215383 How To Configure IIS to Support Both Kerberos and NTLM Authentication

Related:

Leave a Reply