As a Microsoft Premier Field Engineer, I found customers asking for specific steps to configure Kerberos for their CAS Array. Below is an example of how Contoso configured Kerberos for their outlook.contoso.com CAS Array.
Enable Kerberos for the CAS Array
- Create a new Computer Account in Active Directory User and Computers (ADUC) called CASARRAY-ASA
Note: ASA stands for Alternative Service Account - Distribute the newly created account to all CAS Array members using a script. Open the Exchange Management Shell
Within the Exchange Management Shell change to
c:\Program Files\Microsoft\Exchange Server\V14\Scripts
Tip: Use the existing variable to switch fast to the scripts folder by running the following command in the Exchange Management Shell:
cd $exscripts
Run:
.\RollAlternateserviceAccountPassword.ps1 –ToArrayMembers outlook -GenerateNewPasswordFor contoso\CASARRAY-ASA$ –Verbose
When asked to change the password in Active Directory for CASARRAY-ASA$, choose “Yes”
Note: outlook is the name of the CAS Array (Get-ClientAccessArray | FL Name)
3. Set the SPNs for the Alternate Service Account (ASA):
Note: You must set the Exchange service principal names (SPNs) that will be associated with the ASA credentials. The list of Exchange SPNs may vary with your configuration, but should include at least the following. Review: Configuring Kerberos Authentication for Load-Balanced Client Access Servers - http://technet.microsoft.com/en-us/library/ff808312(v=exchg.141).aspx
- http Use this SPN for Exchange Web Services, Offline Address Book downloads, and the Autodiscover service.
- exchangeMDB Use this SPN for RPC Client Access service.
- exchangeRFR Use this SPN for the Address Book service.
- exchangeAB Use this SPN for the Address Book service.
a. Open cmd and run:
(outlook.contoso.com is the CAS Array fqdn
contoso is the domain where CASARRAY-ASA was created)
setspn -s exchangeMDB/outlook.contoso.com contoso\CASARRAY-ASA$
setspn -s exchangeRFR/outlook.contoso.com contoso\CASARRAY-ASA$
setspn -s exchangeAB/outlook.contoso.com contoso\CASARRAY-ASA$
setspn -s http/mail.contoso.com contoso\CASARRAY-ASA$
setspn -s http/autodiscover.contoso.com contoso\CASARRAY-ASA$
b. Verify that all SPNS are set correctly, run (on E2K3-DC within cmd)
setspn –L contoso\CASARRAY-ASA$
Note: The Script RollAlternateServiceAccountPassword.ps1 offers additional capabilities:
1. Copying ASA Credential to new Servers added to the CAS ARRAY:
.\RollAlternateServiceAccountPassword.ps1 -CopyFrom ServerA -ToSpecificServers ServerB –Verbose
2. Schedules a once-a-month automated password roll scheduled task called “Exchange-RollAsa”. It will update the ASA credential for all Client Access servers in the entire forest with a new, script-generated password. The scheduled task is created, but the script is not run. When the scheduled task is run, the script runs in unattended mode
.\RollAlternateServiceAccountPassword.ps1 -CreateScheduledTask "Exchange-RollAsa" -ToEntireForest -GenerateNewPasswordFor 'contoso\computerAccount$'
Exchange stores the current and previous used ASA password. This prevents access problems due to AD replication delays.
Convert OAB virtual directory to a Web application
Out of the box, the OAB virtual directory is not a web application and, therefore, is not under the control of the Microsoft Exchange Service Host service. As a result, Kerberos authentication requests to the OAB virtual directory cannot be decrypted by the ASA credential.
1. To convert the OAB virtual directory to a web application, execute the ConvertOABVDir.ps1 script on each CAS member. The script will also create a new application pool for the OAB virtual directory.
Script location:
http://gallery.technet.microsoft.com/scriptcenter/525fb1dc-b612-4998-a2d1-55f32a6c35ac
Additional Reading:
Recommendation: Enabling Kerberos Authentication for MAPI Clients
http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx
Configuring Kerberos Authentication for Load-Balanced Client Access Servers
http://technet.microsoft.com/en-us/library/ff808312.aspx