For the SEG server to delegate traffic to a specific service, you need to identify and register that service. The target service must match the Exchange server hostname in the “web.config” file in the “Web Listener” folder on the SEG.

The “SETSPN” command is used to register the service. It can be executed on the AD server or the EAS server.

    SETSPN -s HTTP/<target service name> <target computer name>


If your environment has multiple Client Access Servers (CAS) or multiple Exchange ActiveSync (EAS) servers, then you must specify the domain name with the target computer name. For example, {domain}/{asa_account} or {domain}/{exchangebox}. An alternate service account needs to be created to represent the Client Access Services.

Create an ASA Credential Type

You can create a computer account or a user account for the alternate service account. Because a computer account does not allow interactive logon, it may have simpler security policies than a user account and therefore is the preferred solution for the ASA credential.

If you create a computer account, the password doesn't actually expire. However, Workspace ONE UEM still recommends updating the password periodically. Local group policy can specify a maximum account age for computer accounts, and there might be scripts scheduled to periodically delete computer accounts that do not meet current policies.

Periodically updating the password for computer accounts ensures that your computer accounts are not deleted for not meeting local policy. Your local security policy determines when the password needs to be changed.

Credential Name

There are no particular requirements for the name of the ASA credential. You can use any name that conforms to your naming scheme.

Groups and Roles

The ASA credential does not need special security privileges. If you are deploying a computer account for the ASA credential, this means that the account only needs to be a member of the Domain Computers security group.

If you are deploying a user account for the ASA credential, this means that the account only needs to be a member of the Domain Users security group.


The password you provide when you create the account is actually never used. Instead, the script resets the password. So when you create the account, you can use any password that conforms to your organization’s password requirements.

All computers within the Client Access Services must share the same service account. In addition, any Client Access servers that may be called on in a datacenter activation scenario must also share the same service account.

  1. Create the alternate service account (ASA) for the CAS in the domain by opening Active Directory Users and Computers and creating a new computer account. Type a name for the ASA, using CASARRAY-ASA as an example. Verify that the account has replicated to all Domain Controllers before proceeding.


  2. Verify the CAS's FQDN, since this name is used for the SPN that is attached to the ASA. In order to check the CAS’s FQDN, run the next command in PowerShell.

  3. Create the SPN using the setspn command.

    setspn -s http/<target service name> {ASA_ACCOUNT}$

  4. Verify that all relevant SPNs have been assigned by running the following command from PowerShell.

    setspn -L {ASA_ACCOUNT}

  5. To set the ASA on the CAS servers, run the Alternate Service Account credential script, RollAlternateserviceAccountPassword.ps1, in the Exchange Management Shell.

    .\RollAlternateserviceAccountPassword.ps1 -ToArrayMembers {CAS-FQDN} -GenerateNewPasswordFor "{DOMAIN}\{ASA_ACCOUNT}$" -Verbose

  6. A ‘Success’ message appears when the script has finished running. To verify that the ASA credentials have been deployed properly, use the following command.

    Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | fl name,*alter*
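
After steps 1 to 6, a read-only audit can confirm that the SPN sits on the ASA alone, that the account has no group memberships beyond what "Groups and Roles" describes, and that its password has been rolled recently. This is an added example, not part of the original procedure or the vendor's scripts; it assumes the ActiveDirectory (RSAT) PowerShell module, a computer-account ASA, and placeholder values for the account name, target service name, and password-age threshold.

```powershell
# Read-only audit of the ASA configured in steps 1-6 (added example).
Import-Module ActiveDirectory

# Assumptions: placeholder values, replace with your own.
$AsaName       = 'CASARRAY-ASA'       # computer account created in step 1
$TargetService = 'mail.example.com'   # <target service name> used in step 3
$MaxPwdAgeDays = 30                   # assumed threshold; use your local policy value

$spn = "HTTP/$TargetService"
$asa = Get-ADComputer -Identity $AsaName -Properties PasswordLastSet, MemberOf, PrimaryGroup

# Every object in the domain that carries the SPN. Exactly one is expected: the ASA.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
$others  = @($holders | Where-Object { $_.DistinguishedName -ne $asa.DistinguishedName })

$findings = @()
if ($holders.Count -eq 0) {
    $findings += "SPN $spn is not registered on any account."
} elseif ($holders.Count -eq $others.Count) {
    $findings += "SPN $spn is not registered on $($asa.SamAccountName)."
}
foreach ($o in $others) {
    $findings += "SPN $spn is held by $($o.sAMAccountName), which is not the ASA."
}

# MemberOf excludes the primary group, so a minimally privileged ASA lists none.
if ($asa.MemberOf.Count -gt 0) {
    $findings += "ASA is a member of extra groups: $($asa.MemberOf -join '; ')"
}
if ($asa.PrimaryGroup -notlike 'CN=Domain Computers,*') {
    $findings += "Primary group is $($asa.PrimaryGroup), expected Domain Computers."
}

# Password age, measured from the last reset performed by the roll script.
$age = if ($asa.PasswordLastSet) { (New-TimeSpan -Start $asa.PasswordLastSet).Days } else { $null }
if ($null -eq $age -or $age -gt $MaxPwdAgeDays) {
    $findings += "ASA password age is '$age' days (limit $MaxPwdAgeDays); roll it again as in step 5."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else {
    Write-Output "ASA $($asa.SamAccountName): SPN, group membership and password age look as expected."
}
```

The script only reads from Active Directory, so it can be scheduled alongside the periodic password update.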

Next, you must Configure Delegation Settings on the SEG Server.