Exchange Server 2013 CU9 – Watch your IMAP clients
Exchange expert Frank Plawetzki bei Deutschland discusses a breaking issue with Exchange 2013 and IMAP
One of my customers was happily rolling out Exchange Server Cumulative Update 9 (CU9) on their servers, when help desk tickets started to arrive. IMAP clients were constantly prompted for their credentials and could not proceed past the logon prompt to their inboxes, despite correctly entering their credentials.
A quick check with Get-IMAPSettings confirmed that the X509CertificateName property was set to the correct value.
The next logical step was to check the IMAP logs of the Exchange server. The log path is also listed in the output of the Get-IMAPSettings cmdlet.
For the users, the log was full of entries like this:
This matched the behaviour on the clients, where logon was not possible and clients were not able to get past the credential prompt.
At this point it is important to note that Exchange Server 2013 CU9 includes an update (KB 3006849) with an inconspicuous description:
GSSAPI-based Kerberos authentication protocol is not offered to IMAP clients in Exchange Server 2013
This article states that CU9 introduced the GSSAPI authentication protocol for Exchange Server 2013. Before CU9, the GSSAPI authentication protocol was not supported for POP3/IMAP clients in Exchange Server 2013.
Since the parameter EnableGSSAPIAndNTLMAuth is set to $TRUE by default in Exchange 2013, be sure your clients support the GSSAPI/Kerberos authentication method and your environment is set up correctly.
To disable it, run the following command and restart the IMAP services on the Exchange servers.
Set-IMAPSettings -EnableGSSAPIAndNTLMAuth:$FALSE
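The check-and-disable procedure above, applied to each server in turn, as an added example that is not part of the original post. It assumes the Exchange Management Shell, the default Exchange 2013 IMAP4 service names, and a hypothetical $Apply variable that keeps the script report-only until it is set to $true.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# $Apply is a hypothetical safety switch: $false reports only, $true changes settings.
$Apply = $false

# Assumption: default Exchange 2013 service names for IMAP4 front end and back end.
$imapServices = 'MSExchangeImap4', 'MSExchangeImap4BE'

# Assumption: every Exchange server in the organization is a candidate.
# Servers without IMAP settings are skipped with a warning.
foreach ($server in (Get-ExchangeServer | Select-Object -ExpandProperty Name)) {
    $settings = Get-ImapSettings -Server $server -ErrorAction SilentlyContinue
    if (-not $settings) {
        Write-Warning "No IMAP settings returned for $server, skipping."
        continue
    }

    # Record the values the article inspects before touching anything.
    [pscustomobject]@{
        Server                  = $server
        X509CertificateName     = $settings.X509CertificateName
        LoginType               = $settings.LoginType
        EnableGSSAPIAndNTLMAuth = $settings.EnableGSSAPIAndNTLMAuth
        ProtocolLogEnabled      = $settings.ProtocolLogEnabled
        LogFileLocation         = $settings.LogFileLocation
    }

    if ($Apply -and $settings.EnableGSSAPIAndNTLMAuth) {
        Set-ImapSettings -Server $server -EnableGSSAPIAndNTLMAuth:$false

        # The change takes effect after a restart; restart only services
        # that were already running so stopped ones stay stopped.
        Get-Service -ComputerName $server -Name $imapServices -ErrorAction SilentlyContinue |
            Where-Object { $_.Status -eq 'Running' } |
            Restart-Service
    }
}
```

Run it once with $Apply left at $false to capture the current state of each server, then again with $true during a maintenance window.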
Posted by MSPFE editor Rhoderick Milne.
Comments
- Anonymous
September 05, 2016
WORKS FOR ME !!!!!!!!!!!!!!!!!!!
- Anonymous
July 04, 2018
(The content was deleted per user request)
- Anonymous
July 04, 2018
Great article. Solved my problem.