Regardless of the enterprise infrastructure being used, the implementation methodology is basically the same. If you understand the methodology, have the technical expertise, and have a strong understanding of the hardware and software required, then it is much easier to configure and ensures the user has a seamless experience receiving their email.
Registering Target Service
Initially, you need to identify the service for which SEG will delegate the traffic to EAS server. This can be accomplished by creating the SPN (Service Principal Name).
Permitting the SEG Server for Kerberos Delegation to the EAS Server
By default, no infrastructure is permitted to grant access to other servers using Kerberos delegation. Therefore, administrators must first configure security settings on the directory server so that the SEG server can delegate access to the EAS server using HTTP (for EAS traffic). Specifically for Microsoft Active Directory infrastructure, this entails:
- Configuring AD to give permissions to SEG to impersonate a user.
- Enabling SEG to delegate HTTP EAS traffic to the EAS server.
Enabling EAS Server to Accept Kerberos Tickets
The EAS server requires “Windows Authentication” enabled in order to analyze the Kerberos ticket received from the SEG server.
Configuring the SEG Server for Certificate Authentication
Once the domain security settings have been adjusted, the SEG server must be configured for certificate authentication. In order for the SEG to authenticate the user’s device that is assigned to a particular certificate, Internet Information Services (IIS) on the SEG server must be configured to accept that certificate. Specifically this can be accomplished by:
- Setting up Active Directory to Authenticate
- Using the Configuration Editor to Set Up Email Authentication
- Setting Up Secure Socket Layer (SSL)
- Adjusting uploadReadAheadSize Memory Size
Enabling the SEG EAS Service Account to Begin Kerberos Delegation
Lastly, administrators must enable the SEG EAS Service account to start granting access to the EAS server through user impersonation. This effectively completes the setup and users may begin authenticating with certificates to receive their corporate mail. Administrators can complete this by:
- Verifying the identity of the SEG
- Configuring local security policy for SEG to act as part of the operating system
- Configuring local security policy for SEG to impersonate a client after authentication