First of all, thank you for great article! Just want to ask about one specific part of configuration. When talking about identity bridging to OWA, whole concept absolutely makes sense but please tell have you actually ever tried to configure KCD for OWA? If yes, would you please tell if this is correct approach:

Create ASA (Alternate Service Account) credentials for Exchange as computer account in Active Directory
Deploy the ASA credential to the Exchange server (Using the RollAlternateserviceAccountCredential.ps1)
Associate Exchange (OWA) SPN (Service Principal Name) with the ASA credential computer account in Active Directory
On Exchange ECP console, configure "Integrated Windows Authentication" as authentication method for OWA virtual directory
Export keytab file for ASA computer account in Active Directory (UAG will be configured with that keytab)

Are these steps correct approach or is some important step missing here?

I know this question is actually more for Microsoft specialist but if you already know how to do it, I believe it would be very helpful for many others reading your blog, thanks :)

IIS - Enable Windows Authentication, add Negotiate as a Provider, if Negotiate:Kerberos uncheck Kernel mode
Create ASA (new computer object) for cas array (OWA)
Set ASA to the individual CAS Servers: \RollAlternateserviceAccountPassword.ps1 -ToSpecificServers server01, Server02 -GenerateNewPasswordFor AIRWLAB\CASARRAY-ASA$ -Verbose
2. Create the Target SPN for CAS Servers using setspn command (notes: 1.
3. ASA Account – if you have multiple load balanced CAS servers or a CAS
if the application pool is running as a domain account.
Machine Name if the application pool is running as Local System/Network Service Account
Setspn -S WEBAPPSERVERNAME (Setspn -S HTTP/ EXCH)
KRB5_NT_PRINCIPAL /pass * /out C:\Temp\kerberos.keytab /mapuser uagkerberos
Define SPN delegation on delegate user (in the setspn step: HTTP/)
the rest is UAG and WS1 steps in the links I provided.

Create ASA (new computer object in AD) for Exchange array (OWA) and set encryption type to "28"
Set ASA to the first Exchange node with.
ps1 script and let script generate new password:
\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer -GenerateNewPasswordFor WS1\ASA$
Set ASA to the second Exchange node (copy from first Exchange node):