Exchange Authentication Issues Following a Switchover or Failover



This Knowledgebase article provides information about authentication issues following the switchover or failover of an Exchange solution being protected with Neverfail ClusterProtector.

More Information

Authentication issues may occur following the switchover or failover of an Exchange solution protected by Neverfail ClusterProtector.


Following a switchover or failover, users may experience an authentication issue when attempting to connect to the Exchange server using either Outlook or Outlook Web Access (OWA).  The user will be prompted for a username and password, however the credentials will not be accepted, and the user will therefore be unable to access Outlook or OWA.


This issue is caused by an invalid Global Unique Identifier (GUID) being applied to the computer account object within Active Directory for the Exchange virtual server name.  During a switchover to the Disaster Recovery (DR) cluster, the computer account for the virtual Exchange server name within Active Directory is updated with a GUID relating to the DR cluster node. When a switchback to the production cluster is performed, the computer account for the virtual Exchange server name must be reset to allow a GUID update. In the event that the reset fails, the GUID update cannot be completed and therefore Kerberos authentication is unable to complete user authentication requests via Outlook or OWA.

Note:  This will occur when the dsmod command fails to run within the Stop Script on the DR cluster node or when the production Exchange resources are still online during the account reset process.


  1. Take the production exchange group offline.
  2. Remove the Exchange virtual server computer account from all domain controllers within Active Directory.
  3. Clear the 'Enable Kerberos' option on the Parameters tab of the Exchange computer name resource within the Exchange resource group.
  4. Bring online the Exchange IP and Exchange Name resources.
  5. Take the Exchange Name resource offline.
  6. Select the 'Enable Kerberos' option on the Parameters tab of the Exchange Name resource.
  7. Bring the Exchange Name resource back online.
  8. Check each domain controller to ensure that a new computer account for the Exchange virtual server name has been created.
  9. Bring all remaining Exchange resources online.
  10. Verify that client access is working correctly.

Applies To

Neverfail ClusterProtector for Exchange All Versions

Related Information



0 out of 0 found this helpful



Please sign in to leave a comment.