Article ID: 2688772 - View products that this article applies to.
For Microsoft Exchange Server 2010 deployments that have more than one Client Access server in an Active Directory site, the topology frequently requires a Client Access server array and a load-balancing solution to distribute traffic among all the Client Access servers in the site. Because of changes in Exchange Server 2010, MAPI email clients can't use Kerberos authentication to connect to a mailbox when a Client Access server array is being used. To work around this behavior, Microsoft Exchange Server Service Pack 1 (SP1) includes new functionality that lets you configure Kerberos authentication for MAPI email clients in a Client Access server array.
For more information about how Kerberos authentication worked in earlier versions of Exchange Server and about the changes in Exchange Server 2010 that prevent Kerberos authentication from working with MAPI email clients, see the following blog post on the Exchange Team blog:
Recommendation: Enabling Kerberos Authentication for MAPI Clients
The Microsoft Exchange Service Host service that runs on the Client Access server (CAS) role is extended in Exchange Server 2010 SP1 to use a shared alternate service account (ASA) credential for Kerberos authentication. This service host extension monitors the local computer. When credentials are added or removed, the Kerberos authentication package on the local system and the network service context is updated. As soon as a credential is added to the authentication package, all client access services can use it for Kerberos authentication. The Client Access server will also be able to authenticate service requests addressed directly in addition to being able to use the ASA credential. This extension, known as a servicelet, runs by default and requires no configuration or action to run.
You may have to use Kerberos authentication for your Exchange Server 2010 organization for the following reasons:
To deploy the ASA credential for Kerberos authentication, follow these steps.
Create an account to use as the ASA credential
Determine the SPNs to associate with the alternate service account credential
Convert the OAB virtual directory to an application
Deploy the ASA credential to the CAS members
Verify the deployment of the ASA credential
Associate SPNs with the ASA credential
Verify that the Microsoft Exchange Service Host service is running
Validate authentication from Outlook
For detailed information about this issue and its work around, see the following TechNet article:
Using Kerberos with a Client Access Server Array or a Load-Balancing Solution
For more information about how to use Kerberos authentication on load-balanced client access servers, see the following TechNet article:
Configuring Kerberos Authentication for Load-Balanced Client Access Servers
Article ID: 2688772 - Last Review: September 3, 2013 - Revision: 4.0