A problem that I’ve run across during multiple SCOM and SCSM engagements is one having to do with email notifications. Specifically, SCOM and SCSM will register that emails have been sent and, if those emails are sent to specific users, they are received. However, distribution groups will fail to receive email notifications, leaving the local admins in charge of SCOM and SCSM baffled as everything appears to be configured correctly on their end.
Fortunately, this is a common problem with a very easy fix. The issue comes down to the mail configuration and the Exchange settings for those distribution groups. The problem arises when the following conditions align:
- The notification channels in SCOM or SCSM are set to use Anonymous authentication rather than Windows Integrated when communicating with the SMTP server
- The SMTP server is an Exchange server, version 2010 or later
- The distribution groups in Exchange are configured to require all senders be authenticated
The real kicker is that third bullet – the setting that requires all senders be authenticated. This setting is enabled by default in Exchange 2010 and later, so unless the Exchange admins have changed it, any emails sent from an anonymous source will be dropped by the Exchange server and as a result, the distribution groups fail to receive email notifications.
One way to get around the issue is to simply not use Anonymous authentication, but instead ensuring the SMTP server is configured to use Windows Integrated authentication and configuring SCOM and SCSM appropriately. Unfortunately, for many organizations, that is a change that cannot be made. In that case, the only solution is to ensure that those distribution groups are allowed to receive email from anonymous senders. This is the less secure option, but if emails need to be sent and Windows Integrated isn’t an option, here are the two ways to do it.
Option 1: Inside the Exchange GUI
This setting can be disabled on a DL-by-DL basis inside the Exchange Management Console. First, search for the distribution groups which needs to receive the emails. Once found, open up the message delivery restrictions window from the distribution group’s properties. There will be an checkbox in the middle of the window labeled, “Require that all senders are authenticated”. Uncheck that box, then save, to enable emails to reach that group. Here’s an image of the Message Delivery Restrictions window:
Option 2: PowerShell
This setting can also be disabled via PowerShell and the Exchange PowerShell module. As is the nature of PowerShell, this method can disable the setting for a single distribution group or for multiple distribution groups simultaneously. If you know the name of a specific distribution group you wish to update, use this method:
Set-DistributionGroup "<Distribution Group Name>" -RequireSenderAuthenticationEnabled $False
Alternatively, if you want to change this setting in bulk for multiple distribution groups, you can use this method:
$Groups = Get-DistributionGroup <#enter criteria here#>
$Groups | Set-DistributionGroup -RequireSenderAuthenticationEnabled $False
Refer to the Technet page for the Get-DistributionGroup cmdlet for reference on how to structure the criteria to select your groups: Technet
Once you’ve confirmed that the setting has been updated, attempt the email notification again. The distribution groups should no longer fail to receive email notifications.
Hopefully this will help if you ever run into this situation. If there are any questions, please feel free to post them below.