Kerberos authentication for MAPI client connection to a Client Access server array

Article ID: 2688772


For Microsoft Exchange Server 2010 deployments that have more than one Client Access server in an Active Directory site, the topology frequently requires a Client Access server array and a load-balancing solution to distribute traffic among all the Client Access servers in the site. Because of changes in Exchange Server 2010, MAPI email clients can't use Kerberos authentication to connect to a mailbox when a Client Access server array is being used. To work around this behavior, Microsoft Exchange Server 2010 Service Pack 1 (SP1) includes new functionality that lets you configure Kerberos authentication for MAPI email clients in a Client Access server array.

For more information about how Kerberos authentication worked in earlier versions of Exchange Server and about the changes in Exchange Server 2010 that prevent Kerberos authentication from working with MAPI email clients, see the following blog post on the Exchange Team blog:

Recommendation: Enabling Kerberos Authentication for MAPI Clients 

More information

The Microsoft Exchange Service Host service that runs on the Client Access server (CAS) role is extended in Exchange Server 2010 SP1 to use a shared alternate service account (ASA) credential for Kerberos authentication. This service host extension monitors the local computer. When credentials are added or removed, the Kerberos authentication package on the local system and the network service context is updated. As soon as a credential is added to the authentication package, all client access services can use it for Kerberos authentication. In addition to using the ASA credential, the Client Access server can still authenticate service requests that are addressed directly to it. This extension, known as a servicelet, runs by default and requires no configuration or action to run.

You may have to use Kerberos authentication for your Exchange Server 2010 organization for the following reasons: 
  • Kerberos authentication is required by your local security policy.
  • You're encountering or expecting NTLM scalability issues, such as direct MAPI connectivity to the RPC Client Access service causing intermittent NTLM failures.
    In large-scale customer deployments, NTLM can cause bottlenecks on Client Access servers. This can cause intermittent authentication failures. Services that use NTLM authentication are more sensitive to Active Directory latency issues. These lead to authentication failures when the rate of Client Access server requests increases.

To configure Kerberos authentication, you must be familiar with Active Directory and how to set up Client Access server arrays. You must also have a working knowledge of Kerberos authentication.

To deploy the ASA credential for Kerberos authentication, follow these steps.

  • Create an account to use as the ASA credential
  • Determine the SPNs to associate with the alternate service account credential
  • Convert the OAB virtual directory to an application
  • Deploy the ASA credential to the CAS members
  • Verify the deployment of the ASA credential
  • Associate SPNs with the ASA credential
  • Verify that the Microsoft Exchange Service Host service is running
  • Validate authentication from Outlook
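
The following read-only checks cover the verification steps in the list above (SPN association, ASA deployment, Service Host status, and client validation). This is an added example, not part of the original article: the account name and host names are placeholders, and the four SPN service classes are an assumption to confirm against the TechNet guidance referenced below, because this page does not enumerate them.

```powershell
# Added example: read-only verification, run from the Exchange Management Shell
# on a machine that also has the ActiveDirectory module available.
# All names below are hypothetical placeholders; substitute your own.
$AsaSam    = 'CASARRAY-ASA$'              # sAMAccountName of the ASA account
$ArrayFqdn = 'outlook.corp.contoso.com'   # CAS array (RPC) name
$HttpFqdn  = 'mail.corp.contoso.com'      # load-balanced HTTP namespace

# Assumed SPN set for an Exchange 2010 CAS array (confirm for your design).
$ExpectedSpns = @(
    "http/$HttpFqdn",
    "exchangeMDB/$ArrayFqdn",
    "exchangeRFR/$ArrayFqdn",
    "exchangeAB/$ArrayFqdn"
)

Import-Module ActiveDirectory
# Query a global catalog so duplicates anywhere in the forest are found.
$gc = (Get-ADForest).GlobalCatalogs[0] + ':3268'

foreach ($spn in $ExpectedSpns) {
    $owners = @(Get-ADObject -Server $gc -Properties sAMAccountName `
                    -LDAPFilter "(servicePrincipalName=$spn)")
    $names  = ($owners | ForEach-Object { $_.sAMAccountName }) -join ', '

    if ($owners.Count -eq 0) {
        Write-Warning "$spn is not registered on any account"
    } elseif ($owners.Count -gt 1) {
        # A duplicate SPN makes the KDC unable to pick a key; Kerberos fails.
        Write-Warning "$spn is duplicated on: $names"
    } elseif ($names -ne $AsaSam) {
        Write-Warning "$spn is held by $names, expected $AsaSam"
    } else {
        "OK  $spn -> $AsaSam"
    }
}

# Every array member should report the same ASA credential.
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Format-List Name, AlternateServiceAccountConfiguration

# The servicelet only applies credentials while the Service Host is running.
# This lists all Client Access servers, not only members of one array.
Get-ClientAccessServer | ForEach-Object {
    Get-Service -Name MSExchangeServiceHost -ComputerName $_.Name |
        Select-Object MachineName, Name, Status
}

# On an Outlook client, after connecting to a mailbox, run "klist" and look
# for a service ticket issued for exchangeMDB/<array FQDN>.
```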

Additional Resources

For detailed information about this issue and its workaround, see the following TechNet article:

Using Kerberos with a Client Access Server Array or a Load-Balancing Solution

For more information about how to use Kerberos authentication on load-balanced client access servers, see the following TechNet article:

Configuring Kerberos Authentication for Load-Balanced Client Access Servers  


Article ID: 2688772 - Last Review: September 3, 2013 - Revision: 4.0
Applies to
  • Microsoft Exchange Server 2010 Service Pack 1