Article ID: 18325
Audience:
Product: Windows 2008 DC
Date: 27 September 2008

Title: NSPI connections on a Windows Server 2008-based Domain Controller may fail with an error code: "MAPI_E_LOGON_FAILED"

Symptom(s):

When trying to open the Good Management Console it fails with error 800409b1: Mapi logon failure; Exchange is down. Users are showing paused due to:

1. Reason: Exchange Network Error, UsingProfile:[GoodLink Server]
2. Reason: MAPI Logon, UsingProfile:[GoodLink Server] ExchSrv: ExchVer:unknown,Context: - logon using admin profile failed at OpenMsgStore MSExchange API[[HRESULT:80040111, Err:The information store could not be opened.
3. Reason: Exchange Down
4. When clicking on "Check Name" popups a logon prompt. (A logon prompt is normally NOT needed for "Check Name")

• A Name Service Provider Interface (NSPI) connection from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with the following error code that is returned from the server:
  MAPI_E_LOGON_FAILED
• GMMS failing to create profile for users and erroring out with MAPI_E_NETWORK_ERROR in ConfigureMsgService.
  
• WSE Warn Encountered an error accessing the mailbox for user [user’s OU]. Reason: MAPI call pMsgServiceAdmin-ConfigureMsgService for createProfile failed. (HRESULT:-2147221227)
  

Cause:

2008 Domain Controllers limit concurrent MAPI sessions per user to 50 by default. The GMMS service account makes a separate call for each user. GMMS code does not directly call the NSPI API's, these are all done within the MAPI api's (layer). i.e. GMMS calls MAPILogon to each of the mailboxes to retrieve notifications and playback the data to be sent to the device. If you have 150 users on 1 server, there will be 160 MAPILogon operations. (1 per user + 10 for miscellaneous operations). Roughly a 1 to 1 mapping ration is required to work around the issue.

Remedy:

Modify the registry to allow for additional NSPI connections

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

If more concurrent NSPI connections per user are legitimately required, you can change the default limit. To do this, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
   
2. Locate and then click the following registry key:
   
3. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS
   
4. On the Edit menu, point to New, and then click Key.
   
5. Type Parameters, and then press ENTER.
   
6. Click the Parameters key.
   
7. On the Edit menu, point to New, and then click DWORD Value.
   
8. Type NSPI max sessions per user, and then press ENTER.
   
9. Double-click NSPI max sessions per user, type the maximum number of the NSPI connections that you want to have, and then click OK.
   
10. Exit Registry Editor.
    

Note: In Step 9, the number of NSPI connections should equal or be greater than the number of GoodMobile Messaging users.

Additional Info:

To confirm that you encountered the issue that is described in the "Symptoms" section, follow these steps:

1. Enable event logging for NSPI connections. To do this, follow these steps:

a. On the domain controller that is targeted for the NspiBind connection, click Start, click Run, type regedit, and then click OK.
b. Locate and then double-click the following registry entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\4 MAPI Interface Events

c. In the Value data box, type 5, and then click OK.
Note: The default value of this registry entry is 0.
d. On the File menu, click Exit.
Note: This is a verbose level of event logging and may generate many events. This verbose level of event logging includes events that are unrelated to the diagnosis of this issue. We recommend that you restore this setting to the default value after you finish troubleshooting.

2. After you enable event logging, an event that resembles the following is logged in the Directory Services event log when this issue occurs:

Event ID: 2820
NSPI max connection limit for the user has reached.
You need to do NSPI unbind on old connections before making new connections.
Additional Data
Max NSPI connections per user:
%1
User:
%2

Source	Destination	Protocol	Information
ClientIP	ServerIP	NSPI	NspiBind request
ServerIP	ClientIP	NSPI	NspiBind response, Status: MAPI_E_LOGON_FAILED

Keywords: MAPI_E_LOGON_FAILED, server 2008, 800409b1, MAPI_E_NETWORK_ERROR, HRESULT:-2147221227, demote DC, domain controller,

A network capture of the failure may contain packets that resemble the following:

Source	Destination	Protocol	Information
ClientIP	ServerIP	NSPI	NspiBind request
ServerIP	ClientIP	NSPI	NspiBind response, Status: MAPI_E_LOGON_FAILED

MSFT KB: http://support.microsoft.com/kb/949469/en-us