On working on some issues with our environment , Microsoft recommended us to implement Kerberos.
You can find these steps on many blogs/Technet but still I am writing down on what we followed.
If this is a existing environment and you want to know if Kerberos is already implemented or not, than check by running below command on your CAS servers.
Get-ClientAccessServer "Server" -IncludeAlternateServiceAccountCredentialStatus | Fl
As you can see AlternateServiceConfiguration is Not Set, that means kerberos is not configured.
Here are the steps you need to follow to implement Kerberos in your Exchange environment.
Create a Computer account in Active Directory and Name it ASA. (do not create User account as you normally do, although it can be done but than you need to set its password to never expire etc and bypass some of the organizational policies)
Type Get-ClientAccessArray : to get the value of CAS Array FQDN Name.
Cd $exscripts (This will change the path the exchange installation folder that contains scripts)
.\RollAlternateServiceAccountPassword.ps1 -ToArrayMembers "outlook.labtest.com" -GenerateNewPasswordFor "LABTEST\ASA$" ($ is used as its a computer account)
Here is the output of above script:
Check the Status of AlternateServiceAccountCredentials now
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | fl Alter*
Next step is to convert OAB on all CAS servers(so run below on each CAS server in the array you are enabling Kerberos)
Convert the OAB virtual directory
Last Step is to register SPN in Active directory:
It depends on how you have configured your Exchange environment but here is the example:
- http ( Exchange Web Services, Offline Address Book downloads, and the Autodiscover service)
- exchangeMDB (RPC Client Access service.(CASArray fqdn)
- exchangeRFR Address Book service.(CASArray fqdn)
- exchangeAB Address Book service.(CASArray fqdn)
setspn -s exchangeMDB/outlook.labtest.com LabTest\ASA$
setspn -s exchangeRFR/outlook.labtest.com LabTest\ASA$
setspn -s exchangeAB/outlook.labtest.com LabTest\ASA$
setspn -s HTTP/exwebservices.labtest.com LabTest\ASA$
setspn -s HTTP/autodiscover.labtest.com LabTest\ASA$
Setspn –L ASA$
This will show all the registered SPN for ASA account.
To disable/remove Kerberos Authentication, remove the SPNs as well as delete shared account.
Use .\RollAlternateServiceAccountPassword.ps1 script to clear out credentials from all CAS servers by using -copy from server parameter to specify the server that does't host kerberos credentials.
Configure your Outlook client to connect via Kerberos:
If outlook connects successfully & is working that means kerberos is configured correctly.
Thanks for Reading