The Mail Source Agent (MSA) is generating the following error:
"Error: -520093651 Error 0xe100002d Failed to bind to QMMConsole (dn=) as user domain\qmmserviceaccount with 4230 authentication type LDAP error 0x31 Invalid Credentials (8009030C: LdapErr: DSID-0C090540, comment: AcceptSecurityContext error, data 52e, vece)"
when trying to connect to the ADAM on the QMM console. Normal fault-finding actions, such as rebooting the console, do not clear the problem. Running the ldp.exe utility from the source Exchange server (the same server where the MSA resides) produces the following error:
"res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='svc_qmmtrg'; Pwd= <unavailable>; domain = 'XX'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 52e, vece"
LDP.exe makes a connection to the console but will not BIND. Using ldp.exe from various servers within the target domain, there is no problem connecting to and performing a BIND to the console and ADAM. Additional testing from the source DC gave a successful connection and BIND to the console and ADAM using the service account and password.
The LMCompatibilityLevel can be modified or checked by looking at the value in the following registry key on the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
Please refer to the following chart for a description of these settings:
| Value | Setting | Description |
| --- | --- | --- |
| 0 | Send LM & NTLM responses | Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 1 | Send LM & NTLM - use NTLMv2 session security if negotiated | Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 2 | Send NTLM response only | Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 3 | Send NTLMv2 response only | Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 4 | Send NTLMv2 response only/refuse LM | Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (they accept only NTLM and NTLMv2 authentication). |
| 5 | Send NTLMv2 response only/refuse LM & NTLM | Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (they accept only NTLMv2 authentication). |
For additional details about this setting, please refer to the following Microsoft KB article - 823659 - Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments - http://support.microsoft.com/default.aspx?scid=kb;EN-US;823659
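The following PowerShell is an added example, not code from the original article or from the product: it reads the local LmCompatibilityLevel value and works out, from the chart above, which pairs of levels share a response type. The function names are hypothetical, and it assumes the accepting side behaves as the "domain controllers" part of each chart row describes.

```powershell
# Added example; function names are hypothetical, not part of QMM or Windows.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityLevel {
    # Configured value, or $null when the value is absent (OS default applies).
    $p = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.LmCompatibilityLevel } else { $null }
}

function Assert-Level([int]$Level) {
    if ($Level -lt 0 -or $Level -gt 5) { throw "Level $Level is outside 0-5" }
}

function Get-ResponsesSent([int]$Level) {
    # "Clients use ..." part of the chart.
    Assert-Level $Level
    if ($Level -le 1) { return @('LM', 'NTLM') }
    if ($Level -eq 2) { return @('NTLM') }
    return @('NTLMv2')
}

function Get-ResponsesAccepted([int]$Level) {
    # "Domain controllers accept/refuse ..." part of the chart.
    Assert-Level $Level
    if ($Level -le 3) { return @('LM', 'NTLM', 'NTLMv2') }
    if ($Level -eq 4) { return @('NTLM', 'NTLMv2') }
    return @('NTLMv2')
}

function Test-LmLevelPair([int]$ClientLevel, [int]$ServerLevel) {
    $accepted = @(Get-ResponsesAccepted $ServerLevel)
    $usable = @(Get-ResponsesSent $ClientLevel | Where-Object { $accepted -contains $_ })
    [pscustomobject]@{
        ClientLevel = $ClientLevel
        ServerLevel = $ServerLevel
        Usable      = $usable -join ', '
        Compatible  = ($usable.Count -gt 0)
    }
}

$local = Get-LmCompatibilityLevel
if ($null -eq $local) { 'LmCompatibilityLevel is not set on this machine.' }
else { "LmCompatibilityLevel on this machine: $local" }

# Constructed comparison: every sending level against accepting levels 4 and 5.
4, 5 | ForEach-Object {
    $server = $_
    0..5 | ForEach-Object { Test-LmLevelPair $_ $server }
} | Format-Table -AutoSize
```

In the resulting table, only sending levels 0 through 2 paired with accepting level 5 show Compatible as False. Run it on both the server where the bind fails and a server where it succeeds to compare their configured values.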