Hi,
Is an HTTP/ SPN required on Exchange 2007 CAS servers? It's not listed in
http://technet.microsoft.com/en-us/library/aa996905%28EXCHG.80%29.aspx
My understanding from this article is that when Outlook connects to the CAS 2007 virtual directories (OAB, EWS, Autodiscover) which have Integrated Authentication set, it will negotiate the authentication, picking Kerberos if it can and falling back to NTLM if Kerberos fails. Not the best, but the user doesn't get pestered for credentials, which is my first concern.
In a scenario where Exchange 2007 CAS servers share the same namespace behind hardware load balancers, Kerberos cannot be used, but Outlook will always fall back to NTLM, which is transparent to the user. However, I believe that Office Communicator connects to the EWS virtual directory using Kerberos if "Enable Windows Integrated Authentication" is set in Internet Explorer. In this scenario Communicator will fail on Kerberos like Outlook but will not fall back to NTLM, and therefore will not be able to access Out-of-Office, missed calls, etc.
To get around this I can add the HTTP/ SPN to each CAS server object in AD, although you are saying this will cause it to fail. I have tried this and, while I do get errors in the Event logs, it seems to work. I am currently looking into using Kerberos Constrained Delegation (KCD) on the 2007 CAS servers, which seems identical to the ASA in Exchange 2010 that you are describing.
In a migration scenario, when I swap over my https://mail.constoso.com namespace from Exchange 2007 to Exchange 2010 and replace it with https://legacy.contoso.com, will I also have to worry about Kerberos on the legacy namespace? Will an Outlook or Communicator client connecting to Exchange 2010 using Kerberos have to authenticate again with Kerberos when it gets redirected to the legacy namespace? I've read some migration examples where the HTTP/legacy SPN is added to the Exchange 2007 CAS.
I am looking to migrate Exchange 2007 to Exchange 2010 with both the https://mail and https://legacy namespaces behind hardware load balancers. My aim is to ensure that users never see a credentials dialog box during the co-existence and migration period.
My current thinking now is to use KCD on the Exchange 2007 CAS servers, implement the ASA as described in this article and swap the SPNs when we swap the namespaces.
Any thoughts are appreciated.
Conor
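The post above turns on which AD account holds the HTTP/ SPN for each namespace: a missing SPN means Kerberos is never offered and clients silently use NTLM, while the same SPN registered on more than one account breaks Kerberos for everyone and leaves clients that cannot fall back to NTLM (as described for Communicator) without access. Added example, not code from the original thread or from Microsoft: it queries AD for the holders of the HTTP/ SPNs of the two namespaces and flags both conditions. The hostnames mail.contoso.com and legacy.contoso.com are assumptions taken from the post.

```powershell
# Added example, not from the original thread. Lists which AD objects hold the HTTP/ SPN
# of each namespace and warns when it is missing (no Kerberos possible) or duplicated
# (Kerberos fails for every client of that namespace). Needs a domain-joined machine;
# uses System.DirectoryServices, so no RSAT/ActiveDirectory module is required.
function Get-SpnHolders {
    param([Parameter(Mandatory)][string]$Spn)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("objectClass")
    foreach ($result in $searcher.FindAll()) {
        [PSCustomObject]@{
            Spn     = $Spn
            Account = [string]$result.Properties["samaccountname"][0]
            # last value of objectClass is the most specific class (computer, user, ...)
            Class   = [string]($result.Properties["objectclass"] | Select-Object -Last 1)
        }
    }
}

# Assumed namespaces from the post; adjust to the names your load balancers publish.
$namespaces = "mail.contoso.com", "legacy.contoso.com"
foreach ($ns in $namespaces) {
    $spn     = "HTTP/$ns"
    $holders = @(Get-SpnHolders -Spn $spn)
    switch ($holders.Count) {
        0 { Write-Warning "$spn is not registered on any account: Kerberos cannot be negotiated for $ns, clients will use NTLM or fail" }
        1 { "$spn -> $($holders[0].Account) ($($holders[0].Class))" }
        default {
            Write-Warning "$spn is registered on $($holders.Count) accounts (duplicate SPN): Kerberos will fail for $ns"
            $holders | Format-Table -AutoSize
        }
    }
}
```

The built-in `setspn -Q HTTP/mail.contoso.com` and `setspn -X` give the same answers from a domain controller; the script is useful when you want the check against both namespaces in one run before and after swapping them.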