With the release of Exchange Server 2016, I thought it would be best to document our guidance around utilizing Kerberos authentication for MAPI clients. As with the last two releases, the solution relies on deploying an Alternate Service Account (ASA) credential so that domain-joined and domain-connected Outlook clients, as well as other MAPI clients, can utilize Kerberos authentication.
Depending on your environment, you may utilize a single ASA credential or have multiple ASA credentials during the coexistence period.
Exchange 2016 Coexistence with Exchange 2010
Two ASA credentials will be utilized in this environment. One ASA credential will be assigned to Exchange 2010 and host the exchangeMDB, ExchangeRFR, and ExchangeAB SPNs, while a second ASA credential will be assigned to Exchange 2016 and host the http SPN records.
For more information, see the Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication article.
Exchange 2016 Coexistence with Exchange 2013
A single ASA credential will be utilized and configured on all Exchange 2013 and Exchange 2016 servers.
For more information, see the Exchange 2013 Configuring Kerberos authentication for load-balanced Client Access servers article.
Note: The RollAlternateserviceAccountCredential.ps1 script included in the Exchange 2016 scripts directory utilizes the new cmdlets, Get/Set-ClientAccessService. These cmdlets will not execute correctly on Exchange 2013 servers. Instead, copy the RollAlternateserviceAccountCredential.ps1 script included in the Exchange 2013 CU10 scripts directory to an Exchange 2016 server, and execute the copied script to deploy the ASA across the Exchange servers.
Exchange 2016 Coexistence with both Exchange 2010 and Exchange 2013
Two ASA credentials will be utilized in this environment. One ASA credential will be assigned to Exchange 2010 and host the exchangeMDB, ExchangeRFR, and ExchangeAB SPNs, while a second ASA credential will be assigned to the Exchange 2013 and Exchange 2016 servers to host the http SPN records.
For more information, see the Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication article.
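The two-ASA scenarios above depend on each SPN class living on the right account and on no SPN being registered twice, since a duplicate SPN makes Kerberos ticket requests for that service fail. The following check of that split is an added example, not code from the original post or from Exchange; the account names, host names, and the function name Test-AsaSpnSplit are constructed placeholders.

```powershell
# Added example. Expected split from the article: the Exchange 2010 ASA hosts
# the MAPI SPN classes, the Exchange 2013/2016 ASA hosts the http SPNs.
# Account names below are hypothetical.
$ExpectedOwner = @{
    'exchangeMDB' = 'EXCH2010ASA$'
    'ExchangeRFR' = 'EXCH2010ASA$'
    'ExchangeAB'  = 'EXCH2010ASA$'
    'http'        = 'EXCH2016ASA$'
}

function Test-AsaSpnSplit {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $SpnsByAccount, # account -> SPN strings
        [Parameter(Mandatory)] [hashtable] $ExpectedOwner                       # service class -> account
    )
    $seen = @{}   # SPN (lower-cased) -> first account found holding it
    foreach ($account in $SpnsByAccount.Keys) {
        foreach ($spn in $SpnsByAccount[$account]) {
            $class = ($spn -split '/', 2)[0]      # service class is the part before the first '/'
            $key   = $spn.ToLowerInvariant()      # SPN comparison is case-insensitive
            if ($seen.ContainsKey($key) -and $seen[$key] -ne $account) {
                [pscustomobject]@{ Spn = $spn; Account = $account; Issue = "Duplicate of SPN on $($seen[$key])" }
            } else {
                $seen[$key] = $account
            }
            if ($ExpectedOwner.ContainsKey($class) -and $ExpectedOwner[$class] -ne $account) {
                [pscustomobject]@{ Spn = $spn; Account = $account; Issue = "Expected on $($ExpectedOwner[$class])" }
            }
        }
    }
}

# Constructed sample data. In a live domain, and assuming the ASA is a computer
# account, the SPN list could be read with the ActiveDirectory module:
#   (Get-ADComputer EXCH2016ASA -Properties servicePrincipalName).servicePrincipalName
$sample = [ordered]@{
    'EXCH2010ASA$' = @('exchangeMDB/mail.contoso.example',
                       'ExchangeRFR/mail.contoso.example',
                       'ExchangeAB/mail.contoso.example',
                       'http/mail.contoso.example')          # misplaced on the 2010 ASA
    'EXCH2016ASA$' = @('http/mail.contoso.example',          # same SPN registered twice
                       'http/autodiscover.contoso.example')
}

Test-AsaSpnSplit -SpnsByAccount $sample -ExpectedOwner $ExpectedOwner | Format-Table -AutoSize
```

With the constructed sample, the function reports two findings: the http SPN misplaced on the Exchange 2010 ASA, and the same SPN duplicated on the second account.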
Ross Smith IV
Principal Program Manager
Office 365 Customer Experience
You Had Me at EHLO.