Blog Post

Exchange Team Blog
2 MIN READ

Exchange 2016 Coexistence with Kerberos Authentication

Ross Smith IV's avatar
Ross Smith IV
Icon for Microsoft rankMicrosoft
Oct 22, 2015

 

With the release of Exchange Server 2016, I thought it would be best to document our guidance around utilizing Kerberos authentication for MAPI clients. Like with the last two releases, the solution leverages deploying an Alternate Service Account (ASA) credential so that domain-joined and domain-connected Outlook clients, as well as other MAPI clients, can utilize Kerberos authentication.

Depending on your environment, you may utilize a single ASA or have multiple ASA accounts during the coexistence period.

Exchange 2016 Coexistence with Exchange 2010

Two ASA credentials will be utilized in this environment. One ASA credential will be assigned to Exchange 2010 and host the exchangeMDB, ExchangeRFR, and ExchangeAB SPNs, while a second ASA credential will be assigned to Exchange 2016 and host the http SPN records.

For more information, see the Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication article.

Exchange 2016 Coexistence with Exchange 2013

A single ASA credential will be utilized and configured on all Exchange 2013 and Exchange 2016 servers.

For more information, see the Exchange 2013 Configuring Kerberos authentication for load-balanced Client Access servers article.

Note: The RollAlternateserviceAccountCredential.ps1 script included in Exchange 2016 scripts directory utilizes the new cmdlets, Get/Set-ClientAccessService. This cmdlet will not execute correctly on Exchange 2013 servers. Copy the RollAlternateserviceAccountCredential.ps1 script included in Exchange 2013 CU10 scripts directory to an Exchange 2016 server. Execute the copied script in order to deploy the ASA across Exchange servers.

Exchange 2016 Coexistence with both Exchange 2010 and Exchange 2013

Two ASA credentials will be utilized in this environment. One ASA credential will be assigned to Exchange 2010 and host the exchangeMDB, ExchangeRFR, and ExchangeAB SPNs, while a second ASA credential will be assigned to the Exchange 2013 and Exchange 2016 servers to host the http SPN records.

For more information, see the Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication article.

 

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience

Updated Jul 29, 2019
Version 3.0
  • Configured Exchange 2013 Kerberos (co-existence with Exchange 2010). OL 2010 SP2 (with 2013 mbx) Kerberos auth works.


    However, after some time Outlook 2010 SP2 client gets issue:

    Logon network security option in Microsoft Outlook is set to Anonymous Authentication via Exchange Autodiscover process as described at

    https://support.microsoft.com/en-us/kb/2834139


    Resolution 3 (set InternalClientRequireSSL to False) does not work with OL 2010 SP2.


    So, removed Ex 2013 Kerberos and re-configured Outlook Anywhere (Ntlm auth & require ssl) and everything is working again.


    Any ideas?

  • PraveenKumar's avatar
    PraveenKumar
    Copper Contributor

    Ross Smith IV , 
    I was searching to find if a single ASA account is enough for a coexistence scenario between 2016 and 2019 and did not find the precise answer. hence requesting your help here. 

    I have 2016 and 2019 coexistence and Kerberos was configured on 2016 before introducing 2019. Since a single ASA account can be used across 2013 and 2016, is it safe to assume we can use the account created for 2016 and associate it with 2019 or do we have to create a new ASA account for 2019?