cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Exchange 2016 Coexistence with Kerberos Authentication
By
Ross Smith IV
Published Oct 22 2015 07:00 AM 51.6K Views
Ross Smith IV
Microsoft
‎Oct 22 2015 07:00 AM

Exchange 2016 Coexistence with Kerberos Authentication

‎Oct 22 2015 07:00 AM

 

With the release of Exchange Server 2016, I thought it would be best to document our guidance around utilizing Kerberos authentication for MAPI clients. Like with the last two releases, the solution leverages deploying an Alternate Service Account (ASA) credential so that domain-joined and domain-connected Outlook clients, as well as other MAPI clients, can utilize Kerberos authentication.

Depending on your environment, you may utilize a single ASA or have multiple ASA accounts during the coexistence period.

Exchange 2016 Coexistence with Exchange 2010

Two ASA credentials will be utilized in this environment. One ASA credential will be assigned to Exchange 2010 and host the exchangeMDB, ExchangeRFR, and ExchangeAB SPNs, while a second ASA credential will be assigned to Exchange 2016 and host the http SPN records.

For more information, see the Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication article.

Exchange 2016 Coexistence with Exchange 2013

A single ASA credential will be utilized and configured on all Exchange 2013 and Exchange 2016 servers.

For more information, see the Exchange 2013 Configuring Kerberos authentication for load-balanced Client Access servers article.

Note: The RollAlternateserviceAccountCredential.ps1 script included in Exchange 2016 scripts directory utilizes the new cmdlets, Get/Set-ClientAccessService. This cmdlet will not execute correctly on Exchange 2013 servers. Copy the RollAlternateserviceAccountCredential.ps1 script included in Exchange 2013 CU10 scripts directory to an Exchange 2016 server. Execute the copied script in order to deploy the ASA across Exchange servers.

Exchange 2016 Coexistence with both Exchange 2010 and Exchange 2013

Two ASA credentials will be utilized in this environment. One ASA credential will be assigned to Exchange 2010 and host the exchangeMDB, ExchangeRFR, and ExchangeAB SPNs, while a second ASA credential will be assigned to the Exchange 2013 and Exchange 2016 servers to host the http SPN records.

For more information, see the Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication article.

 

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience

0 Likes
Like
4 Comments
Not applicable
‎Oct 27 2015 06:21 PM
‎Oct 27 2015 06:21 PM
Please see my article, Enabling Kerberos Authentication in a Mixed Exchange 2013 / 2016 Environment, which discusses some gotchas configuring coexistence.

http://www.expta.com/2015/10/enabling-kerberos-authentication-in.html

0 Likes
Like
Not applicable
‎Nov 17 2015 01:29 PM
‎Nov 17 2015 01:29 PM
Configured Exchange 2013 Kerberos (co-existence with Exchange 2010). OL 2010 SP2 (with 2013 mbx) Kerberos auth works.


However, after some time Outlook 2010 SP2 client gets issue:

Logon network security option in Microsoft Outlook is set to Anonymous Authentication via Exchange Autodiscover process as described at

https://support.microsoft.com/en-us/kb/2834139


Resolution 3 (set InternalClientRequireSSL to False) does not work with OL 2010 SP2.


So, removed Ex 2013 Kerberos and re-configured Outlook Anywhere (Ntlm auth & require ssl) and everything is working again.


Any ideas?

0 Likes
Like
PraveenKumar
Copper Contributor
‎Jun 02 2022 03:34 PM
‎Jun 02 2022 03:34 PM

@Ross Smith IV , 
I was searching to find if a single ASA account is enough for a coexistence scenario between 2016 and 2019 and did not find the precise answer. hence requesting your help here. 

I have 2016 and 2019 coexistence and Kerberos was configured on 2016 before introducing 2019. Since a single ASA account can be used across 2013 and 2016, is it safe to assume we can use the account created for 2016 and associate it with 2019 or do we have to create a new ASA account for 2019?

0 Likes
Like
cengizyilmaz
Brass Contributor
‎Jun 03 2022 03:06 AM
‎Jun 03 2022 03:06 AM

Spelling blog for asa configuration for Exchange 2019.

Exchange Server 2019’da Load-Balancer İçin Kerberos Yapılandırılması - Cengiz YILMAZ - IT Blog

0 Likes
Like
Version history
Last update:
‎Jul 29 2019 06:06 AM
Updated by: