Create alternate service account
All Exchange servers running Client Access services that share the same namespaces and URLs need to use the same alternate service account credentials. In general, it's sufficient to have a single account for a forest for each version of Exchange. alternate service account credential or ASA credential.
Create a service account using dsa.msc
Now we have to assign a password to all servers part of the namespace. we can use the built-in script for this purpose. This script will create a system generated password, assign that password to all array member servers and also it will update that generated password to the AD.
To verify this activity
From eventvwr
Using powershell
Identify the Service Principal Names that should be associated with the ASA
After you create the alternate service account, you must determine the Exchange service principal names (SPNs) that will be associated with the ASA credentials. The list of Exchange SPNs may vary with your configuration, but should include at least the following. In my lab i am going to associate the ASA with all SPNs.
• http Use this SPN for Exchange Web Services, Offline Address Book downloads, and the Autodiscover service.
• exchangeMDB Use this SPN for RPC Client Access.
• exchangeRFR Use this SPN for the Address Book service.
• exchangeAB Use this SPN for the Address Book service.
Associating SPNs with ASA
The following command provides an example of how to set the SPNs on the shared ASA credential. The setspn command with this syntax must be run once for every target SPN that you identify.
Enabling kerberos authentication for outlook clietns
Since i am using MAPI over HTTP for outlook connections, i am assigning kerberos only on the MAPI virtual directory. I you are using RPC over HTTP, you have to assign this to outlook anywhere VD.
Get-MapiVirtualDirectory -Server CAS-1 | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, Negotiate
Validating Exchange client kerberos authentication
After you've successfully configured Kerberos and deployed the RollAlternateServiceAccountPasswordl.ps1 script, verify that clients can authenticate successfully.
Validating from outlook
goto outlook connection status and make sure the authentication method is "Negotiate".
Validating from CAS logs
goto C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi and open the latest log and check for the word "Negotiate".
We can also check the OAB logs for the same.
No comments:
Post a Comment