"connection to Exchange Failed" error when Business Mail (Capsule Workspace Mail) fails to authenticate with Exchange Server using Kerberos
Symptoms
  • Authentication to Business Mail (in Capsule Workspace) fails with the error "connection to Exchange Failed".
  • In the trace logs, see the following:
    The connection to the Exchange Server succeeds on port 443 and the SSL handshake is successful:

    [CPCVPN_INFO/] |14:20:38.817| Connected to XX.XX.XX.XX (XX.XX.XX.XX) port 443
    [CPCVPN_INFO/] |14:20:38.817| SSLv3, TLS handshake, Client hello
    [CPCVPN_INFO/] |14:20:38.820| SSLv3, TLS handshake, Server hello

    The POST/GET request is sent using the IP Address of the Exchange Server:
    [CPCVPN_SENT_HEADERS] |14:20:38.820|
    POST /EWS/Exchange.asmx HTTP/1.1
    Host: XX.XX.XX.XX
  • In the Response from the Exchange Server, see the following entries:
    [/CPCVPN_RECEIVED_HEADERS]
    [CPCVPN_INFO/] |14:20:38.895| gss_init_sec_context() failed: : Server not found in Kerberos database
    [CPCVPN_RECEIVED_HEADERS] |14:20:38.895|
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    WWW-Authenticate: Basic realm="XX.XX.XX.XX"

    The error "Server not found in Kerberos" can be caused by a problem with the connection to the KDC or by bad DNS resolution.

    The Exchange Server closes the HTTP connection:

    [/CPCVPN_RECEIVED_HEADERS]
    [CPCVPN_INFO/] |14:20:38.896| HTTP error before end of send, stop sending
Cause

For Kerberos authentication, the Exchange Server has to be configured in the business email application with its DNS name, because Kerberos tickets are issued for the Service Principal Name (SPN), which is made up of the service name (e.g. HTTP) and the DNS name of the host.

The DC does not issue tickets for IP addresses, so the IP address of the host can change without breaking Kerberos functionality.
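
The following triage script is an added example, not Check Point code: it scans a trace in the format shown under Symptoms and flags each Kerberos "Server not found" failure that follows a request whose `Host` header is an IP literal. The sample trace, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample trace, modelled on the log lines in the Symptoms section.
SAMPLE_TRACE = """\
[CPCVPN_INFO/] |14:20:38.817| Connected to 192.0.2.10 (192.0.2.10) port 443
[CPCVPN_SENT_HEADERS] |14:20:38.820|
POST /EWS/Exchange.asmx HTTP/1.1
Host: 192.0.2.10
[CPCVPN_INFO/] |14:20:38.895| gss_init_sec_context() failed: : Server not found in Kerberos database
[CPCVPN_RECEIVED_HEADERS] |14:20:38.895|
WWW-Authenticate: Negotiate
"""

HOST_RE = re.compile(r"^\s*Host:\s*(\S+)\s*$", re.IGNORECASE)
GSS_FAIL = "gss_init_sec_context() failed"
SPN_MISSING = "Server not found in Kerberos database"


def is_ip_literal(host):
    """True if a Host value is an IPv4/IPv6 literal, with or without a port."""
    host = host.strip()
    if host.startswith("["):            # bracketed IPv6, e.g. [2001:db8::1]:443
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # IPv4:port or name:port
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def diagnose(trace):
    """One finding per Kerberos failure that follows a request sent to an IP literal."""
    findings, last_host = [], None
    for line in trace.splitlines():
        m = HOST_RE.match(line)
        if m:
            last_host = m.group(1)      # most recent Host header sent
        elif GSS_FAIL in line and SPN_MISSING in line and last_host:
            if is_ip_literal(last_host):
                # SPN = service name + host (see Cause); an IP has no such entry.
                findings.append({"host": last_host, "spn": "HTTP/" + last_host,
                                 "fix": "configure the Exchange Server by DNS name"})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE):
        print(finding)
```

A failure that follows a request sent to a DNS name is not flagged; in that case check KDC connectivity and DNS resolution, as noted under Symptoms.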

