
NSPI connection to a Windows-based domain controller causes MAPI client applications to fail and returns a "MAPI_E_LOGON_FAILED" error message



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows



Symptoms

A Name Service Provider Interface (NSPI) connection from a MAPI client to a Windows Server 2008 or later version-based domain controller may fail and return the following error message from the server:

MAPI_E_LOGON_FAILED
In some instances, a credential dialog box may appear in the MAPI client user interface when you encounter this issue.

The affected clients include Microsoft Outlook, Quest Migration Manager for Exchange, and BlackBerry Enterprise Server.



Cause

This issue occurs because Windows Server 2008 and later versions allow a default maximum of only 50 concurrent NSPI connections per user. Additional NSPI connections are rejected, and a MAPI_E_LOGON_FAILED error message is returned.

Note Windows Server 2003 and earlier versions of Microsoft Windows operating systems do not exhibit this behavior. The change of behavior in Windows Server 2008 and later versions is intended to protect domain controllers against clients that open too many NSPI connections without then closing the connections. Too many connections such as these can result in resource depletion.



Resolution

To resolve this issue, check all NSPI connections that processes on the client create for connection leaks. For example, a call to the NspiBind function must have a corresponding call to the NspiUnbind function when an NSPI connection is no longer required. This operation may require that you debug any custom scripts or applications that are using NSPI. If this issue affects external applications, contact the software vendors for updates.

Note The Outlook NSPI MAPI provider that is installed with Microsoft Outlook is intended for use only with Microsoft Outlook. External scripts and applications that rely on the Outlook NSPI MAPI provider are not supported.

How to modify the registry to allow for additional NSPI connections

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

If more concurrent NSPI connections per user are legitimately required, you can change the default limit. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
     
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS
  3. Right-click the Parameters key.
  4. In the popup menu, select New, and then click DWORD Value.
  5. Type NSPI max sessions per user, and then press Enter.
  6. Double-click NSPI max sessions per user, type the maximum number of the NSPI connections that you want to have, and then click OK.

    Note Although the upper limit of this setting is 0xffffffff (or 4294967295), a server configuration that has a value that is larger than the default value will consume additional memory (one new page per connection) on the server. If this value is set too high, and too many connections are created for each user application instance, the server will run low on memory or become completely unresponsive.

    The lower default NSPI connection limit in Windows Server 2008 was based on customer experience in which previous operating systems would allow themselves to be overwhelmed by third-party products in what is essentially a denial of service attack.

    You should use a common-sense approach to increase the maximum session setting beyond the default value. For example, start by using decimal 250 (hex 0x000000FA), and then test to see the memory overhead that is created and whether the errors have stopped. Your long-term solution must be to contact the vendor of your NSPI product to ask them to change this behavior. A change in the registry value is only a workaround to provide error relief.
  7. Exit Registry Editor.
  8. Restart the computer or restart Active Directory Domain Services.

Alternatively, you can do this by running the following command in a Command Prompt window with administrator permissions:

reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters /v "NSPI max sessions per user" /t REG_DWORD /d 250 /f



More Information

An event that resembles the following is logged in the Directory Services event log when this issue occurs:
Event ID: 2820
NSPI max connection limit for the user has reached.
You need to do NSPI unbind on old connections before making new connections.
Additional Data
Max NSPI connections per user: 
%1
User: 
%2 

The "User:" field contains the SID of the user. You can use a tool such as psgetsid to retrieve the logon name of the user.
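To see which accounts are hitting the limit, the following added example (not part of the original KB article) reads the effective per-user limit and counts Event ID 2820 entries per user SID, resolving each SID with the .NET SecurityIdentifier.Translate method in place of psgetsid. It assumes an elevated PowerShell session on the domain controller, the "Directory Service" event log name, and a seven-day look-back window chosen for illustration.

```powershell
# Added example: summarize NSPI limit rejections (Event ID 2820) per user.
$paramKey  = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'NSPI max sessions per user'

# The value exists only if an administrator created it; the article
# gives 50 as the default when it is absent.
$configured = (Get-ItemProperty -Path $paramKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$limit = if ($null -ne $configured) { $configured } else { 50 }
Write-Host "Effective NSPI per-user session limit: $limit"

# Look-back window is an assumption made for this example.
$filter = @{
    LogName   = 'Directory Service'
    Id        = 2820
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The "User:" field carries the SID. Match it by shape so the
        # parsing does not depend on the localized message wording.
        $m = [regex]::Match([string]$_.Message, 'S-1-\d+(-\d+)+')
        if ($m.Success) {
            [pscustomobject]@{ Sid = $m.Value; TimeCreated = $_.TimeCreated }
        }
    } |
    Group-Object -Property Sid |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Name)
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved)'   # deleted account or unreachable domain
        }
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            Account   = $account
            Sid       = $_.Name
            Rejected  = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } |
    Format-Table -AutoSize
```

An account with a steadily growing Rejected count points to a client that calls NspiBind without a matching NspiUnbind, which is the leak the Resolution section asks you to find before raising the limit.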

A network capture of the failure may contain packets that resemble the following.

Source    Destination  Protocol  Information
ClientIP  ServerIP     NSPI      NspiBind request
ServerIP  ClientIP     NSPI      NspiBind response, Status: MAPI_E_LOGON_FAILED



References

For more information, see the following articles:
314980 How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server
 
Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.



Keywords: kbtshoot, kbexpertiseinter, kbprb, kb


Article Info
Article ID : 949469
Revision : 5
Created on : 1/3/2020
Published on : 1/3/2020
Exists online : False