Kerberos disabled on Network Name resource

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine the version of the Microsoft Windows® operating system that is running on the server:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion

A CurrentVersion value of 4.0 indicates the computer is running Windows NT® Server 4.0. A value of 5.0 indicates the computer is running a Windows 2000 Server operating system, and a value of 5.2 indicates the computer is running a Windows Server™ 2003 operating system.

The Exchange Server Analyzer also queries the Active Directory® directory service to determine the value of the serialNumber attribute for all objects with an object class of msExchExchangeServer. If the string value includes "Version 5.5," the computer is running Exchange Server 5.5. If the string value includes "Version 6.0," the computer is running Exchange 2000 Server. If the string value includes "Version 6.5," the computer is running Exchange Server 2003.

Finally, the Exchange Server Analyzer reads the following registry value to determine whether Exchange Server is running in a cluster with a Kerberos-enabled Network Name cluster resource:

HKLM\Cluster\Resources\<Resource GUID for Network Name resource>\Parameters\RequireKerberos

A value of 0 for RequireKerberos indicates that the Network Name resource is not enabled for Kerberos, and a value of 1 indicates that the Network Name resource is enabled for Kerberos.

If the Exchange Server Analyzer finds the value for RequireKerberos set to 0 on an Exchange Server 2003 virtual server that is running in a Windows Server 2003 server-based cluster, a warning is displayed.

This warning indicates that a Kerberos-enabled Network Name cluster resource is not being used for an Exchange Server 2003 virtual server. This is not a supported configuration, and should be corrected as soon as possible.

To enable Kerberos on the Network Name resource:

  1. Open the Cluster Administrator program.

  2. Take the Network Name resource offline. This also takes offline all resources that depend on the Network Name resource, including the Microsoft Exchange System Attendant resource.

  3. Right-click the Network Name resource, and then click Properties.

  4. On the Parameters tab, click the Enable Kerberos Authentication option, and then click OK.

  5. Bring the Network Name resource online, and then bring the remaining offline resources online.
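
To confirm the setting on a cluster node before and after the change, the registry check described above can be reproduced with a short PowerShell script. This is an added example, not Exchange Server Analyzer code; it assumes PowerShell 2.0 or later and that each key under HKLM\Cluster\Resources carries Name and Type values (the page documents only Parameters\RequireKerberos), and the function name is hypothetical.

```powershell
# Added example (not Exchange Server Analyzer code). Run locally on a cluster node.
# Assumption: each key under HKLM\Cluster\Resources has 'Name' and 'Type' values;
# the page itself documents only Parameters\RequireKerberos.
function Get-NetworkNameKerberosState {
    param([string]$ResourcesPath = 'HKLM:\Cluster\Resources')

    if (-not (Test-Path $ResourcesPath)) {
        Write-Warning "$ResourcesPath not found; is this computer a cluster node?"
        return
    }

    # OS version value the page describes (5.2 = Windows Server 2003).
    $osKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
    $osVersion = (Get-ItemProperty $osKey).CurrentVersion

    foreach ($key in Get-ChildItem $ResourcesPath) {
        $resource = Get-ItemProperty $key.PSPath
        if ($resource.Type -ne 'Network Name') { continue }

        # A missing Parameters key or value is reported as NotSet, not as 0.
        $state = 'NotSet'
        $params = Get-ItemProperty "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if ($params) {
            $prop = $params.PSObject.Properties['RequireKerberos']
            if ($prop) {
                if ($prop.Value -eq 1) { $state = 'Enabled' } else { $state = 'Disabled' }
            }
        }

        New-Object PSObject -Property @{
            ResourceGuid    = $key.PSChildName
            Name            = $resource.Name
            OSVersion       = $osVersion
            RequireKerberos = $state
        }
    }
}

# List every Network Name resource that is not Kerberos-enabled.
Get-NetworkNameKerberosState |
    Where-Object { $_.RequireKerberos -ne 'Enabled' } |
    Format-Table Name, ResourceGuid, OSVersion, RequireKerberos -AutoSize
```

The script lists all Network Name resources on the node, not only those that belong to an Exchange virtual server, so match the Name column against the virtual server in question.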

For more information about using Kerberos-enabled Network Name resources on a Windows Server 2003 cluster, see the Microsoft Knowledge Base article 302389, "Description of the Properties of the Cluster Network Name Resource in Windows Server 2003" (

For more information about clustering, see the following topics: