Recommendation: Enabling Kerberos Authentication for MAPI Clients

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

JLundfelt — Tue, 21 Jun 2011 00:09:08 GMT

Hi,

I set the spn's for my new exchange 2010 environment, and its now prompting users for authentication within OCS, and possibly Outlook. I checked to make sure I didn't have any duplicate spn's, but something has obviously gone wrong. I apparently need to delete, or re-add a SPN to fix this, but am not sure if I am supposed to run 'setspn -A exchangeAB/' with my GC server, CAS, or Mailbox servers?

All I ran was these commands-

Setspn -S http/mail.mycompany.com mycompany\casarray$

Setspn -S http/autodiscover.mycompany.com mycompany\casarray$

Setspn -S http/autodiscover.myothercompany.com mycompany\casarray$

Setspn -S exchangeMDB/cas.mycompany.com mycompany\casarray$

Setspn -S exchangeRFR/cas.mycompany.com mycompany\casarray$

Setspn -S exchangeAB/cas.mycompany.com mycompany\casarray$

Please help!!

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

Nick Smith — Wed, 08 Jun 2011 22:04:57 GMT

Ross,

What is the entire exit strategy for this process? Is it just:

1) Removing and recreating the OAB directory.

2) Deleting the ASA Credential account.

Or are there more steps involved to completely reverse the changes made?

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

Lee — Tue, 07 Jun 2011 18:57:51 GMT

You mention "External or Internet-based clients that use Outlook Anywhere won’t use Kerberos authentication as they cannot directly contact a KDC." Why is this true for Internal OA clients? Is this true both the HTTP level auth as well as the RPC level auth when doing RPC Encryption?

I'm trying to figure out if Outlook Anywhere can do Kerberos for the RPC auth, regardless of the HTTP auth. I posted this question to the forums, but haven't found a diffinitive answer:

social.technet.microsoft.com/.../7e5005e7-323d-48aa-b2a9-7a81dbfe84c6

Most everything seems concerned with the HTTP auth (I see only Basic, NTLM supported), but nothing is really addressing the RPC level auth with OA. In practice, even with Outlook set to "Kerberos Only" RPC auth, I still see NTLM being used.

Thanks,

-Lee

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

PJ — Mon, 23 May 2011 13:33:03 GMT

Ross: how do you reverse the work done by the RollAlternateserviceAccountPassword.ps1 script?

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

Ross Smith IV [MSFT] — Tue, 10 May 2011 14:44:21 GMT

@Joe - You simply delete the OAB vdir (Remove-OABVirtualDirectory) and recreate it (New-OABVirtualDirectory).

Ross

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

Joe — Tue, 03 May 2011 22:33:11 GMT

If we need to fall back the changes, How do you convert back the OAB application back to a virtual folder

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

Ross Smith IV [MSFT] — Wed, 27 Apr 2011 16:22:37 GMT

@CY - When you use external trust, only NTLM authentication is available.

@Gabriel - Other MAPI applications will leverage an authentication mechanism that is defined in the MAPI profile. Kerberos could be leveraged if they are leveraging an FQDN that maps to a deployed SPN on the ASA credential.

@David - Outlook (and MAPI apps) do not use the /exchweb, /exchange, /public vdirs (some of which don't exist in E2010). I have added the guidance for OAB vdir.

Ross

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

cy — Wed, 27 Apr 2011 04:14:27 GMT

Hi Ross.

We have a situation where a Exchange 2010 sp1 was setup in a resource forest mode and it uses linked-mailbox to another user domain. Due to some reasons, we can only create an external trust to the user domain, not forest trust.

Will Kerberos work in this senario?

TIA

Cheers

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

Gabriel — Tue, 26 Apr 2011 16:58:45 GMT

Hi,

Just wondering if making this change to an existing environment will have any impact to non-microsoft MAPI applications such as my backup and BES servers. What type of impact, if any?

re: Recommendation: Enabling Kerberos Authentication for MAPI Clients

David — Mon, 18 Apr 2011 13:18:39 GMT

Hi.

There is one caveat with http/ SPNs. Documentation says "For Exchange Web Services and the Autodiscover service", but there are more things with integrated auth, which are usualy accesed with same hostname - OAB, Exchange, Exchweb and Public virtual directories.

Since those virtual directories runs in ApplicationPoolIdentity context (in DefaultAppPool), kerberos authentication will fail if http/ SPN is set for service account. So typicaly Outlook 2007 and higher will throw authentication window during OAB download unless your OAB url uses different hostname than EWS/Autodiscover url. Solution could be to change DefaultAppPool context to the service account, but then password generation feature of the ASA script cannot be used.