Topic Last Modified: 2005-12-13
The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service and maintains a count of Microsoft Exchange Information Store objects, with object class of msExchPrivateMDB. If the Exchange Server Analyzer determines that there are more than 1,000 mailbox stores in an organization, a warning is displayed.
A warning is displayed because a known issue exists where users accessing mailboxes from Microsoft Office Outlook® Web Access 2003 through front-end servers in organizations with more than 1,000 mailbox stores, cannot access their mailboxes. This issue is caused by how the front-end Exchange server proxies the authentication request to the back-end Exchange server.
If you have users who are accessing their mailbox stores from front-end Exchange servers and you are getting this warning, you must do one of the following:
- Obtain and install the Exchange Server hotfix that is described
in the Microsoft Knowledge Base article 899902, "Users receive a
401 error message when they try to access a mailbox that is in an
Exchange Server 2003 front-end server by using Outlook Web Access"
- If you can, consolidate mailboxes onto fewer mailbox
- Set the front-end servers to authenticate to the back-end
servers with Basic authentication. The rest of this article
describes this option.
By default, Exchange Server 2003 front-end servers will use Kerberos authentication to help protect user credentials between the front-end and back-end servers. If Kerberos authentication fails, a Warning event will be logged and the front-end server will try NTLM instead. If NTLM fails, an error will be logged. Kerberos authentication is re-tried in 30 minutes. When Exchange 2000 Server or Exchange Server 2003 front-end computers authenticate with Exchange 2000 Server back-end computers, NTLM is used. There is no user interface in either Internet Information Services (IIS) or Exchange System Manager to select authentication mechanisms.
Configuring the front-end Exchange server to use Basic authentication requires that you set a registry key on all front-end servers in your organization. The following procedure explains how to manually set the key.
|This article contains information about editing the registry. Before you edit the registry, make sure that you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.|
To configure Exchange front-end servers to use Basic authentication against Exchange back-end servers
Open a registry editor, such as Regedit.exe or Regedt32.exe.
Navigate to:= HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service\MSExchangeWeb
Right-click MSExchangeWeb, point to New, and then click Key. Name the new key Dav.
Right-click the new Dav key, point to New, and then click DWORD Value.
Name the new value UseBasicAuthToBE and then set the value to 1.
Open the Services Microsoft Management Console (MMC) snap-in, right-click IIS Admin Service, and then click Restart.
Before you edit the registry, and for information about how to edit the registry, see the Microsoft Knowledge Base article 256986, "Description of the Microsoft Windows Registry" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=256986).