Exchange 2010 Error 451 5.7.3
'451 5.7.3 Cannot achieve Exchange Server authentication'

KB ID 0000791 Dtd 21/03/13

Problem

While putting in a new Exchange 2010 server today, I test moved a mailbox to this new site, and could not get mail to flow to the Exchange 2010 server at the client's main site.

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host , but that did not succeed. Either there are no alternative hosts, or delivery failed to all alternative hosts.

Mail flowed from the main site to this new site, and internal mail at the new site was fine, but any mail destined for the main site, or going external (because the main site has the only server that can use the Exchange organization send connector) would fail with this error.

Solution

I did a lot of trawling to try and find the answer to this, and discovered lots of reasons for this to happen, so rather than just posting what fixed mine, from the most popular to the most obscure try these in order, and attempt to send mail after each step.

Note: Any change on an Exchange Server's Receive Connectors should be followed by you restarting the Microsoft Exchange Transport Service (on the server you made the change on) before you try again.

1. On the server you are trying to send TO, check the properties of the Default receive connector and ensure 'Exchange Server authentication' is selected.

2. On the server you are trying to send TO, if you have a connector configured to 'relay' mail, make sure that the server(s) or network specified DOES NOT include the IP address of the server you cannot send FROM. Also make sure on the authentication tab 'Exchange Server authentication' is NOT selected.

3. If you have Cisco PIX Firewalls between these two mail servers (running version 6 or earlier) make sure smtp fixup is disabled.

    Petes-PIX>
    Petes-PIX> enable
    Password: *******
    Petes-PIX# configure terminal
    Petes-PIX(config)# no fixup protocol smtp 25
    Petes-PIX(config)# write mem
    Building configuration...
    Cryptochecksum: f59a9bd3 3129b8bc 474b2415 52f2db0f
    1049 bytes copied in 0.430 secs
    [OK]

4. If you have Cisco ASA Firewalls between these two mail servers, then remove esmtp from the default inspection map.

Cisco ASA Disable ESMTP Inspection

At this poin

some steps to do so…

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication."

After an Exchange 2013 install I found myself having issues with sending emails between two Exchange Servers: 2010 and 2013. The messages on both servers seem to be stuck in the mail queue. Full message reads:

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

This issue existed because the Exchange servers could not authenticate with one another. This type of authentication is required for Exchange to route email internally. The respective servers use the X-EXPS command to authenticate. This error will happen when servers don't have this method of authentication enabled.

In my case this wasn't true; however, there was another issue preventing the X-EXPS command from being passed, and that was our Cisco security appliance/router. In fact the Extended SMTP verbs X-ANONYMOUSTLS, X-EXPS, and GSSAPI must be able to pass. I will get to this a bit later…

In my adventure to troubleshoot this issue the following was done (thank you Microsoft for providing details). While useful, this did not directly solve the overall issue. These steps are below.

Step 1 - Enable Exchange Authentication on Receive Connectors

For Microsoft Exchange Server 2013 remote servers: Go to the following website to access the Exchange Administration Center (EAC): https://

authentication

While planning to decommission our old Exchange 2010 environment we had to change the CAS/Hub Transport IPs because we needed to reuse them for some of our new SMTP relays - we have quite a few (way too many) relaying servers that use IP instead of SMTP hostname.

After changing the IPs, the Transport Queues filled up with the following error:

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host , but that did not succeed. Either there are no alternative hosts, or delivery failed to all alternative hosts.

This affected all internal mail, because the Exchange 2010 servers are still routing to our 2013 environment.

The problem was easily overlooked, but the fix was simple as well:

On your new environment (the servers you are sending to) check your relay connectors and make sure they do not include the IP address or subnet of your old environment (the servers you're sending from).

You might have to restart the Transport Service on the old servers, but the queues should now start emptying out.

Posted by Stacey Branham at 7:26:00 PM
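
The check that recurs in the posts above, as an added example that is not code from any of the quoted posts: find which receive connector a sending server's IP lands on and whether that connector offers Exchange Server authentication. The connector names and addresses are constructed samples; the function names are hypothetical, and the example assumes all connectors share one binding and handles IPv4 ranges only.

```powershell
# Added example, PowerShell 2.0 compatible. IPv4 only: single IP, low-high and CIDR ranges.
function ConvertTo-IPv4Number ([string]$Ip) {
    [int64]$n = 0
    foreach ($octet in $Ip.Trim().Split('.')) { $n = $n * 256 + [int64]$octet }
    return $n
}

function Get-IPv4Bounds ([string]$Range) {
    if ($Range -match '[:(]') { return $null }           # IPv6 and netmask forms: skipped
    if ($Range -match '^(.+)/(\d+)$') {                  # CIDR, e.g. 192.0.2.0/24
        $size = [int64][math]::Pow(2, 32 - [int]$Matches[2])
        $base = ConvertTo-IPv4Number $Matches[1]
        $low  = $base - ($base % $size)
        return @{ Low = $low; High = $low + $size - 1 }
    }
    if ($Range -match '^(.+)-(.+)$') {                   # low-high
        return @{ Low  = (ConvertTo-IPv4Number $Matches[1])
                  High = (ConvertTo-IPv4Number $Matches[2]) }
    }
    $n = ConvertTo-IPv4Number $Range                     # single address
    return @{ Low = $n; High = $n }
}

# Returns the connector with the narrowest remote range containing the sender,
# i.e. the one Exchange would pick when the bindings are equal (assumption).
function Find-ConnectorForSender ($Connectors, [string]$SenderIp) {
    $ip = ConvertTo-IPv4Number $SenderIp
    $hits = foreach ($c in $Connectors) {
        foreach ($r in $c.RemoteIPRanges) {
            $b = Get-IPv4Bounds "$r"
            if ($b -and $ip -ge $b.Low -and $ip -le $b.High) {
                New-Object PSObject -Property @{
                    Connector          = "$($c.Identity)"
                    Range              = "$r"
                    Size               = $b.High - $b.Low + 1
                    ExchangeServerAuth = ("$($c.AuthMechanism)" -match '\bExchangeServer\b')
                }
            }
        }
    }
    $hits | Sort-Object Size | Select-Object -First 1
}

# Constructed sample: a relay connector whose range swallows the other Exchange server.
$sample = @(
    New-Object PSObject -Property @{ Identity = 'MAIL01\Default MAIL01'; RemoteIPRanges = @('0.0.0.0-255.255.255.255'); AuthMechanism = 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer' }
    New-Object PSObject -Property @{ Identity = 'MAIL01\Relay'; RemoteIPRanges = @('192.0.2.0/24'); AuthMechanism = 'Tls' }
)
Find-ConnectorForSender -Connectors $sample -SenderIp '192.0.2.25'   # Relay, ExchangeServerAuth False
```

On a live server, pass the output of Get-ReceiveConnector for the receiving server in place of `$sample`; a result with ExchangeServerAuth False for the other Exchange server's IP is the condition the posts above describe.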

Exchange 2010 Hub cannot deliver to Exchange 2007 Hub - “451 5.7.3 Cannot achieve Exchange Server authentication”

We have an existing Exchange 2007 server in Site A (exch07). I've installed an Exchange 2010 server in Site B (exch10). Both servers have the CAS, Mailbox and Hub roles.

Messages sent via SMTP on exch10 which are destined for mailboxes on exch07 are queued with the "Last Error" reported in Queue Viewer as '451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.'

I've found that some people have resolved this by creating new Receive Connectors which are scoped specifically to apply to connections from the remote hub/s, but I have had no luck doing this. Specifically I created new receive connectors on both servers with the following settings:

Remote IP = IP/s of remote server
Authentication = "Transport Layer Security (TLS)" and "Exchange Server authentication"
Permission Groups = "Exchange servers" and "Legacy Exchange Servers"

This made no difference, I see the same error message. What am I missing?

Update: We noticed that the Application log had this error message from MSExchangeTransportService: Microsoft Exchange could not find a certificate that contains the domain name exch07.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector exch10 with a FQDN parameter of exch07.domain.local. If the connector's FQDN is not specified, the computer'