Exchange Server 2013 CU9 – Watch your IMAP clients

Exchange expert Frank Plawetzki bei Deutschland discusses a breaking issue with Exchange 2013 and IMAP

One of my customers was happily rolling out Exchange Server Cumulative Update 9 (CU9) on their servers, when help desk tickets started to arrive. IMAP clients were constantly prompted for their credentials and could not proceed past the logon prompt to their inboxes, despite correctly entering their credentials.

A quick check using Get-IMAPSettings, specifically the X509CertificateName property, ensured that this property was set to the correct value.

The next logical step was to check the IMAP logs of the Exchange server. The log path location is also listed through the Get-IMAPSettings cmdLet.

For the users, the log was full of entries like this:

Checking Exchange 2013 IMAP Log Contents

This matched the behaviour on the clients, where logon was not possible and clients were not able to get past the credential prompt.


At this point it is important to note, that Exchange server 2013 CU9 includes an update (KB 3006849) with an inconspicuous description:

GSSAPI-based Kerberos authentication protocol is not offered to IMAP clients in Exchange Server 2013


This article states that CU9 introduced GSSAPI authentication protocol for Exchange server 2013. Before CU9, GSSAPI authentication protocol was not supported for POP3/IMAP clients in Exchange server 2013.

Since the parameter EnableGSSAPIAndNTLMAuth is set to $TRUE by default in Exchange 2013, be sure your clients support the GSSAPI/Kerberos authentication method and your environment is setup correctly.

EnableGSSAPIAndNTLMAuth - Set To $True By Default In Exchange 2013


To disable run the following command and restart your IMAP services on the Exchange servers.

Set-IMAPSettings –EnableGSSAPIAndNTLMAuth:$FALSE

Posted by MSPFE editor Rhoderick Milne.