Search the wiki


itrezzo Technical Support Wiki


NSPI connection limits to a Windows 2008 based domain controller (GC) may cause MAPI client connections to fail with the following error code: MAPI_E_LOGON_FAILED. In some instances, a credential dialog box may appear in the MAPI client user interface when you encounter this issue. Microsoft Outlook and BlackBerry Enterprise Server are affected by this issue.

This issue is only known to occur when Global Catalog Servers are running Windows 2008 and the default maximum 50 concurrent NSPI connections per user are allowed. When more than 50 NSPI connections are initiated, an error event MAPI_E_LOGON_FAILED occurs. The NSPI connection limit is set in a Windows 2008 domain controller to protect the domain controller against clients that open too many NSPI connections without tearing down the connections. Too many connections may result in resource depletion.

How to Confirm This Issue

To confirm that NSPI connection limit is causing the issue, you may temporarily enable verbose event logging for NSPI connections. To do that, perform these steps on each Global Catalog Server in the affected site:

  1. On the domain controller, Click on Start menu, click on Run, type regedit and click on OK
  2. Locate and double click on the following registry entry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\4 MAPI Interface Events
  3. The Default value for that DWORD is 0

    Change the default log level to 5 (verbose)

  4. In the Value data box, change it to 5, and then click on 'OK'
  5. Close the registry editor

Logging level will be set in verbose mode and the following event log will appear in the Directory Services event log when this issue occurs

ClientIPServerIPNSPINspiBind request
ServerIPClientIPNSPINspiBind response, Status: MAPI_E_LOGON_FAILED

How to Fix

Modify the registry to allow more additional NSPI connection. To do that, follow these steps:

  1. Click on Start menu, click on Run, type 'regedit', and then click on 'OK'.
  2. Locate and select the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS
  3. Expand NTDS and select the Parameters key.
  4. Right-click and create a new DWORD Value.
  5. Type NSPI max sessions per user, and then press ENTER.

    Create a DWORLD and name it NSPI max sessions per user

  6. Double-click NSPI max sessions per user, select Decimal Base and set number of NSPI max sessions per user to any number above 10,000
  7. Click on 'OK' and close the registry editor.

Watch if that error occurs again. Use system monitor tools to see memory overhead in your domain controller. If necessary, switch the NSPI max sessions per user value to higher or lower number.

Note - When your problem is resolved, set back the '4 MAPI Interface Events' value to default DWORD value 0 in Windows registry

Exchange Throttling Policy

Another possible solution is that Exchange Server is denying access because of a throttling policy. If Exchange 2010 Service Pack 2 or higher is installed, please review the following article on Exchange Store Limits.

Here is a sample of a recommended throttling policy for itrezzoAgent which can be created from the Exchange Power Shell:

New-ThrottlingPolicy itrezzoSvcPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null
Set-ThrottlingPolicy itrezzoSvcPolicy -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null 
Set-ThrottlingPolicy itrezzoSvcPolicy -CPAMaxConcurrency $null -CPAPercentTimeInCAS $null -CPAPercentTimeInMailboxRPC $null
Set-Mailbox "itrezzoSvc" -ThrottlingPolicy itrezzoSvcPolicy

If Exchange Server 2010 RTM is installed, you will need to use REGEDIT to increase the Maximum number of sessions allowed per user. The Throttling policy was not fully supported prior to Service Pack 1.

  1. On each Exchange Server that hosts user mailboxes, Click on Start menu, click on Run
  2. Type regedit and click on OK
  3. Locate and double click on the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

  4. If the Maximum Allowed Sessions Per User does not exist:
    • On the Edit menu, point to New, and then click DWORD Value.
    • Type Maximum Allowed Sessions Per User as the entry name, and then press ENTER.

  5. Right Click the Maximum Allowed Sessions Per User entry and choose Modify
  6. Enter a value of 9999 and click OK

This setting will take effect after the Microsoft Exchange Information Store is restarted.
  Name Size
- diag.jpg 69.46 KB
- param.jpg 60.03 KB

itrezzo Support Wiki version See the itrezzo web site or the itrezzo blog site to learn about contact management on your smartphone.

The Trademark RIM® BlackBerry® Smartphone and BlackBerry® Enterprise Solution is owned by Research In Motion Limited and is registered in the United States and may be pending or registered in other countries. The owner of this wiki site is not endorsed, sponsored, affiliated with or otherwise authorized by Research In Motion Limited.

Microsoft Outlook, Microsoft Exchange Server, Microsoft Active Directory, Microsoft Windows Mobile are trademarks of Microsoft.