Hi.
There is one caveat with http/ SPNs. Documentation says "For Exchange Web Services and the Autodiscover service", but there are more things with integrated auth, which are usually accessed with the same hostname - OAB, Exchange, Exchweb and Public virtual directories.
Since those virtual directories run in the ApplicationPoolIdentity context (in DefaultAppPool), Kerberos authentication will fail if the http/ SPN is set for the service account. So typically Outlook 2007 and higher will throw an authentication window during OAB download unless your OAB URL uses a different hostname than the EWS/Autodiscover URL. A solution could be to change the DefaultAppPool context to the service account, but then the password generation feature of the ASA script cannot be used.
d.
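A diagnostic for the mismatch described in the comment above, added here as an example and not part of the original comment: it reports which account holds the http/ SPN and which identity each of the named virtual directories runs under. The hostname `mail.example.com`, the site name `Default Web Site` and the function names are assumptions; it is meant to be run in an elevated session on the Client Access server.

```powershell
# Added example. Placeholders: mail.example.com, 'Default Web Site'.
Import-Module WebAdministration

function Get-SpnOwner {
    param([string]$Spn)
    # LDAP lookup of the account(s) in the current domain that hold this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

function Test-VdirKerberosIdentity {
    param(
        [string]$HostName = 'mail.example.com',
        [string]$Site     = 'Default Web Site',
        [string[]]$Vdirs  = @('OAB', 'Exchange', 'Exchweb', 'Public')
    )
    $owners = @(Get-SpnOwner -Spn "http/$HostName")
    foreach ($name in $Vdirs) {
        $app = Get-WebApplication -Site $Site -Name $name
        if (-not $app) {
            # Not configured as an IIS application on this server (or absent).
            [pscustomobject]@{ Vdir = $name; AppPool = $null; RunsAs = $null
                               SpnOwner = $owners -join ','; Status = 'NotAnIisApplication' }
            continue
        }
        $pm = (Get-Item "IIS:\AppPools\$($app.applicationPool)").processModel
        # Built-in identities (ApplicationPoolIdentity, LocalSystem, NetworkService)
        # use the computer account on the network; SpecificUser uses the named account.
        $runsAs = if ($pm.identityType -eq 'SpecificUser') { $pm.userName }
                  else { "$env:COMPUTERNAME`$" }
        # Compare on the bare account name (strip DOMAIN\ prefix or @domain suffix).
        $short = ($runsAs -split '\\')[-1] -replace '@.*$', ''
        $status = if ($owners.Count -eq 0) { 'NoSpnRegistered' }
                  elseif ($owners -contains $short) { 'Match' }
                  else { 'Mismatch' }   # ticket is encrypted for a different account
        [pscustomobject]@{ Vdir = $name; AppPool = $app.applicationPool
                           RunsAs = "$runsAs ($($pm.identityType))"
                           SpnOwner = $owners -join ','; Status = $status }
    }
}

Test-VdirKerberosIdentity | Format-Table -AutoSize
```

A `Mismatch` row is the situation the comment describes: the http/ SPN belongs to one account while the application pool serving that directory runs as another.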