Unable to send email from SharePoint

You have configured SharePoint outgoing email, but even though the configuration is correct, you are not able to send email from SharePoint.
For more information about how to configure outgoing email in SharePoint, see the following article:
http://technet.microsoft.com/en-us/library/cc263462.aspx

So what can you do?

First, check the ULS logs. You may be facing the following error:

Failed attempt 1 sending mail to recipients: bugra@contoso.com . Mail Subject: System Account has invited you “Blog Members”.
Error: SmtpException while sending
email: System.Net.Mail.SmtpException: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1
Client was not authenticated
at System.Net.Mail.MailCommand.CheckResponse(SmtpStatusCode statusCode,
String response)     at
System.Net.Mail.SmtpTransport.SendMail(MailAddress sender,
MailAddressCollection recipients, String deliveryNotify, Boolean allowUnicode,
SmtpFailedRecipientException&

 

Usually this problem is not caused by SharePoint itself. It happens when SharePoint connects to the Exchange server but Exchange does not authorize SharePoint to send email. Why? Because by design SharePoint uses anonymous authentication to connect to Exchange, and out of the box (OOB) you cannot configure SharePoint to use any other authentication for SMTP email. If the Exchange receive connector requires authentication, that is the problem.

You can test your SMTP server for anonymous authentication with the telnet client, or you can collect Network Monitor logs to see what the communication looks like and which authentication is used when SharePoint tries to send email.

For the telnet test:
1) Start a command prompt with administrator privileges.
2) Type the following command:
telnet <Your SMTP server IP> 25
Then type EHLO

250-SIZE 15360000
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH NTLM ***** Server requires NTLM .
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XSHADOW
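The telnet test above as a script, added here as an example that is not part of the original post. It continues past EHLO with MAIL FROM and RCPT TO to show at which command the server refuses the anonymous session; the sender address is an assumed placeholder, and no DATA is sent, so no message is delivered.

```powershell
# Added example: anonymous SMTP submission probe (run from the SharePoint server).
param(
    [Parameter(Mandatory = $true)][string]$Server,   # <Your SMTP server IP>
    [int]$Port = 25,
    [string]$From = 'sharepoint@contoso.com',        # assumed sender address
    [string]$To   = 'bugra@contoso.com'              # recipient from the ULS entry
)

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # In a multi-line reply every line except the last has "-" after the code.
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }      # server closed the connection
        $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    @(Read-SmtpReply $reader) | ForEach-Object { "S: $_" }      # 220 banner
    foreach ($cmd in @("EHLO $env:COMPUTERNAME", "MAIL FROM:<$From>", "RCPT TO:<$To>")) {
        "C: $cmd"
        $writer.WriteLine($cmd)
        $reply = @(Read-SmtpReply $reader)
        $reply | ForEach-Object { "S: $_" }
        if ($reply.Count -eq 0) { "RESULT: connection closed by server"; break }
        if ($reply[-1] -match '^[45]\d\d') {
            if ($reply[-1] -match '5\.7\.1') {
                "RESULT: 5.7.1 at '$cmd' - the connector does not accept this anonymous session"
            } else {
                "RESULT: rejected at '$cmd'"
            }
            break
        }
        if ($cmd -like 'RCPT*') { "RESULT: anonymous submission accepted for $To" }
    }
    if ($client.Connected) { $writer.WriteLine('QUIT') }
}
finally { $client.Close() }
```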

 

In a network trace you can see it as follows:

Frame: Number = 1087, Captured Frame Length = 316, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-B3-16-5A],SourceAddress:[38-22-D6-D4-49-80]
+ Ipv4: Src = 10.10.100.20, Dest = 10.20.100.59, Next Protocol = TCP, Packet ID = 9437, Total IP Length = 302
+ Tcp: Flags=…AP…, SrcPort=SMTP(25), DstPort=46805, PayloadLen=262, Seq=41429760 – 41430022, Ack=1350847993, Win=256 (scale factor 0x8) = 65536
– Smtp: Rsp 250 -<server> Hello [10.20.100.59], 262 bytes
– Response: 250 -<server> Hello [10.20.100.59]
ReplyCode: 250, OK, queuing for node node started, or Requested mail action okay, completed
+ ReplyMessage: -<server>  Hello [10.20.100.59] —-> Sharepoint opens session with 10.20.100.59
ReplyMessage: 250-SIZE
ReplyMessage: 250-PIPELINING
ReplyMessage: 250-DSN
ReplyMessage: 250-ENHANCEDSTATUSCODES
ReplyMessage: 250-STARTTLS
ReplyMessage: 250-X-ANONYMOUSTLS
ReplyMessage: 250-AUTH NTLM —-> Exchange providing NTLM.
     ReplyMessage: 250-X-EXPS GSSAPI NTLM
ReplyMessage: 250-8BITMIME
ReplyMessage: 250-BINARYMIME
ReplyMessage: 250-CHUNKING
ReplyMessage: 250-XEXCH50
ReplyMessage: 250-XRDST
ReplyMessage: 250 XSHADOW

Resolution:
You can:
1) Give the SharePoint computer account mail submit privileges.
2) Create a new Receive Connector on Exchange for SharePoint and allow only anonymous authentication on it.

 


Multiple application pool identity scenario when using NLB with Kerberos auth for SharePoint

First of all, I assume that your farm is running behind an NLB cluster and has been configured successfully for Kerberos authentication.

Here is the scenario:

SharePoint 2010 WFE1:
-> IP: 192.168.10.5, FQDN: wfeserver1.contoso.com, Windows 2008 Server SP2 x64, IIS 7.0

SharePoint 2010 WFE2:
-> IP: 192.168.10.7, FQDN: wfeserver2.contoso.com, Windows 2008 Server SP2 x64, IIS 7.0

NLB:
NLB Cluster IP : 192.168.10.200   FQDN: nlb1.contoso.com

We have two SharePoint applications running on port 80:
App1: already configured using Kerberos Auth  :
Host Header : http://istanbul.contoso.com  AppPool account : Contoso\bugra

App2: is using NTLM (for now)
Host Header : http://ankara.contoso.com  AppPool account Contoso\postman

In order for Kerberos authentication to work we configured:
When you run IIS in a clustered environment or in a load-balanced environment, you access applications by using the cluster name instead of by using a node name. This scenario includes network load balancing. In cluster technology, a node refers to one computer that is a member of the cluster. To use Kerberos as the authentication protocol in this scenario, the application pool identity on each IIS node must be configured to use the same domain user account. To configure each IIS node to use the same domain user account, use the following command:
Setspn -A HTTP/CLUSTER_NAME domain\username
http://support.microsoft.com/kb/929650

(Note: I was able to get Kerberos authentication working without defining any SPN for the NLB cluster on Windows Server 2008 R2.)

Defined SPNs:

According to the KB, SPNs for the NLB cluster name:
SetSPN -A HTTP/nlb1.contoso.com     Contoso\bugra
SetSPN -A HTTP/nlb1     Contoso\bugra

SPN for the cluster node:
SetSPN -A HTTP/istanbul.contoso.com    Contoso\bugra
SetSPN -A HTTP/istanbul    Contoso\bugra

What happens if I want to configure an additional web application “ankara.contoso.com” , running under a different application pool “Contoso\postman”  also running Kerberos authentication ?

What about the NLB SPNs? They are registered to a different account. Registering them again for the second account would create a duplicate SPN for the NLB name, so it cannot be done this way.

Solution:
1) Create another DNS A record pointing to the NLB cluster IP:
e.g.: host A newnlbrecord.contoso.com 192.168.10.200

2) Create SPN for this FQDN:
SetSPN -A HTTP/newnlbrecord.contoso.com     Contoso\postman
SetSPN -A HTTP/newnlbrecord Contoso\postman

And don't forget to create the SPNs for your web application:
SetSPN -A HTTP/ankara.contoso.com    Contoso\postman
SetSPN -A HTTP/ankara Contoso\postman
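
A check for the duplicate-SPN problem described above, added here as an example that is not part of the original post. It looks up every SPN from this article in Active Directory and reports any that is missing, held by more than one account, or held by a different account than intended; it assumes a domain-joined machine and searches only the current user's domain.

```powershell
# Added example: verify that each HTTP SPN from the article is registered
# exactly once and to the intended application pool account.
# Expected owner (sAMAccountName) per SPN, taken from the SetSPN commands above.
$expected = @{
    'HTTP/nlb1.contoso.com'         = 'bugra'
    'HTTP/nlb1'                     = 'bugra'
    'HTTP/istanbul.contoso.com'     = 'bugra'
    'HTTP/istanbul'                 = 'bugra'
    'HTTP/newnlbrecord.contoso.com' = 'postman'
    'HTTP/newnlbrecord'             = 'postman'
    'HTTP/ankara.contoso.com'       = 'postman'
    'HTTP/ankara'                   = 'postman'
}

foreach ($spn in ($expected.Keys | Sort-Object)) {
    # LDAP query against the current domain for every object holding this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $searcher.PropertiesToLoad.Add('samaccountname') | Out-Null
    $owners = @($searcher.FindAll() |
        ForEach-Object { $_.Properties['samaccountname'][0] })

    $status = if ($owners.Count -eq 0) {
        'MISSING'              # Kerberos ticket requests for this name will fail
    } elseif ($owners.Count -gt 1) {
        'DUPLICATE'            # the same SPN is registered on several accounts
    } elseif ($owners[0] -ne $expected[$spn]) {
        'WRONG ACCOUNT'        # registered, but not to this app pool identity
    } else {
        'OK'
    }

    New-Object PSObject -Property @{
        SPN      = $spn
        Expected = $expected[$spn]
        Found    = ($owners -join ', ')
        Status   = $status
    } | Select-Object SPN, Expected, Found, Status
}
```

On Windows Server 2008 and later, setspn -X performs a similar duplicate search, and setspn -S checks for an existing registration before adding an SPN.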
