Create an Alternate Service Account (ASA) to represent the Exchange server. If an environment has multiple Client Access Server (CAS) or Exchange ActiveSync (EAS) servers, then the service registration procedure varies.


  1. Open the Active Directory User, Computers, and create a new computer account. Create an ASA for the Exchange server in the domain. Enter a name for the ASA.
  2. Create a service principal name (SPN) on the domain using the following command. See the Microsoft documentation on how to use the setspn command. The syntax for this command varies depending on your environment.
    setspn -s http/{MAIL-SERVER-FQDN} {ASA_ACCOUNT}$
    The MAIL-SERVER-FQDN must be the same mail server configured in the MEM configuration.
  3. Run the following command in PowerShell and verify that all relevant SPNs are assigned.
    setspn –L {ASA_ACCOUNT}
  4. To set the ASA to the Exchange servers, run the Alternate Service Account credential script in the Exchange Management Shell RollAlternateserviceAccountPassword.ps1 based on the Exchange version.
    .\RollAlternateServiceAccountPassword.ps1 -ToSpecificServers {MAIL-SERVER-FQDN} -GenerateNewPasswordFor "{DOMAIN}{ASA_ACCOUNT}" -Verbose
    After you run the script, a Success message is displayed.
  5. Verify if the ASA credentials are deployed.
    Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | fl name,*alter*
  6. Enable the SEG to delegate HTTP EAS traffic to the newly created ASA instead of the Exchange server FQDN.
    For more information, see step 6 in Assign Delegation Rights to the Service Account.