Hi,
Thanks for taking the time to reply. I appreciate that Exchange 2007 has no intrinsic provision for this, but the Microsoft Exchange Service Host in Exchange 2007 would only manage Outlook Anywhere, which wouldn’t be using Kerberos anyway. Thus, considering Exchange 2007 clients only use the CAS for Web Services, I would have thought that as long as the service account of an Application Pool such as MSExchangeAutodiscoverAppPool held the SPN, the client could authenticate against IIS using Kerberos with Kerberos Constrained Delegation.
KCD would allow for a scenario whereby those application pools on each CAS server could run under a service computer account that has the SPN of the VIP namespace registered. This service computer account would also be added to all relevant security groups that an Exchange server must be in. This would mean that each CAS would be able to authenticate Kerberos for the same namespace, but no longer for the hostname or FQDN of the server itself.
The ISA and TMG documentation mention KCD in relation to Exchange 2003 (http://technet.microsoft.com/en-us/library/cc995228.aspx). I haven’t come across any Exchange 2007 articles yet, though I’ve only begun to look into this. Perhaps it would just be easier to set Windows Authentication on IIS to use only NTLM rather than Negotiate during the co-existence period.
Conor
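As an added check for the scenario Conor describes (not code from the thread), the PowerShell below verifies on a CAS that the HTTP SPN for the shared namespace is held by exactly one account, shows which identity each MSExchange* application pool runs under, and lists the Windows Authentication providers on the Autodiscover virtual directory so you can see whether Negotiate or only NTLM is offered. The namespace `mail.example.com` and the site/vdir path are placeholder assumptions.

```powershell
# Added example, not from the original post. Run on a CAS server as an administrator.
# Assumptions: the shared VIP namespace is mail.example.com (placeholder) and
# Autodiscover lives under 'Default Web Site' (adjust if your vdir path differs).
$namespace = 'mail.example.com'
$spn       = "HTTP/$namespace"

# 1. setspn -Q lists every account that holds the SPN as 'CN=...' lines.
#    Zero holders  -> Negotiate silently falls back to NTLM for this name.
#    Two or more   -> duplicate SPN; Kerberos fails for every holder.
$holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
switch ($holders.Count) {
    0       { Write-Warning "$spn is not registered to any account" }
    1       { Write-Host    "$spn is held by: $($holders[0])" }
    default { Write-Warning "$spn is registered to multiple accounts (duplicate SPN):`n$($holders -join "`n")" }
}

# 2. Identity of each Exchange web-service application pool. For the KCD design in the
#    post, these pools would all need to run as the account that holds $spn.
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.Name -like 'MSExchange*' } |
    Select-Object Name,
        @{ n = 'IdentityType'; e = { $_.processModel.identityType } },
        @{ n = 'UserName';     e = { $_.processModel.userName } } |
    Format-Table -AutoSize

# 3. Windows Authentication providers on the Autodiscover vdir. If 'Negotiate' is listed
#    but the SPN check above failed, clients will attempt Kerberos and fall back to NTLM;
#    the NTLM-only co-existence option in the post means leaving only 'NTLM' here.
Get-WebConfiguration `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add' `
    -PSPath 'IIS:\Sites\Default Web Site\Autodiscover' |
    Select-Object @{ n = 'Provider'; e = { $_.value } }
```

Run the same script on every CAS behind the VIP; the SPN holder must be identical on each, which is exactly the constraint the shared service computer account is meant to satisfy.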