Nothing like that early morning 3am call to tell you, “Hey, mail is not working”…
- Inbound SMTP is rejecting messages
- Intra-Organization mail relay is failing. “The response from the remote site is 454 4.7.0 Temporary authentication failure.”
- Launching the EMC or EMS fails with Error: Access Denied. More verbosely, “The attempt to connect to http://yourserverhere.fqdn/PowerShell using “Kerberos” authentication failed: Connecting to remote server failed with the following error message : Access is denied.”
- Verify that Kerberos is properly enabled in IIS. This is required for PowerShell remoting. The default website may have SSL enabled with Anonymous authentication. The Powershell subdirectory should have SSL unchecked and all authentication methods disabled. Modules under the Powershell subdir should have Kerberos listed as NATIVE and Local. The same for WinRM. If they are not listed as Native (Native IIS modules) and Local then you’ve probably found your problem.
- Check for time skew. Since we are dealing with Kerberos, time skew is a big problem. Even more so in large multi-site, timezone diverse WANs. This wound up being the cause of service interruption; three servers were operating with a time skew of >6 minutes.