More Issues With MAPI and IPv6

I had another issue recently where MAPI wasn’t able to connect via NSPI to the Exchange server or DC. The customer had a CDO application, running on an Exchange 2007 server on Windows 2008, using the Exchange MAPI download. In other environments, the application worked, but in this one environment, they were getting MAPI_E_LOGON_FAILED. This is the symptom and the sort of environment where the IPv6 issue occur, but they were running Exchange 2007 SP1 Rollup 5, where the IPv6 issue is supposed to be fixed. Additionally, the customer insisted IPv6 was not even present in the environment. Just to be sure, I had them get an ipconfig and it showed only IPv4 was in use, so I dismissed IPv6 as a possibility for a while.

Debugging their application as it tried to connect showed that NSPIBind to the Exchange server was succeeding, but no data was being returned. So we debugged the Exchange System Attendant, which hosts DSProxy, the component that handles the NSPIBind call. This component is supposed to take the bind request and proxy it over to the DC. I could find where DSProxy received the NSPIBind request, but when it consulted it’s list of available DCs, it found the list was empty. That’s when I noticed something – the NSPIBind request had come in over IPv6, which was supposed to be disabled! The list DSProxy consulted was of DCs that supported IPv6, and none did. Had the request come in over IPv4, it would have consulted a list that had active DCs in it.

So – we went back to the Exchange server and took a closer look. Network properties showed IPv6 was available, but unchecked:

Network Settings: TCP/IPv6 is unchecked, TCP/IPv6 is checked

When we looked in the registry, however, we got a different story:

Regedit: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6 does not have a DisabledComponents value set

IPv6 wasn’t disabled. As noted on other sites, in order to truly disable IPv6 you have to set the DisabledComponents value under the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters key to something like 0xFF. If you don’t do this, IPv6 is still available.

We set this reg value on the customer’s Exchange server, rebooted for it to take effect, and now their MAPI application works like a charm.

In short, the problem happened here because IPv6 had been only partially disabled in the customer’s environment. If you’re running Exchange 2007 and wish to disable IPv6 in your environment without breaking MAPI, you must follow these steps on your Exchange server (swiped from the Ehlo blog post):

  1. Unselect IPv6 from the properties of your NIC
  2. Under the regkey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, add a 32 bit DWORD with the name DisabledComponents and value 0xFF
  3. Reboot the machine

[Edit - 2/2/2010] According to https://support.microsoft.com/kb/929852, we should set DisabledComponents to 0xFFFFFFFF if we really, really want to disable IPv6.