Set up the Target Service Principal Name (SPN) for the Exchange Server

In this mode of deployment, the SEG server is not a member of the domain that you are authenticating to. In this cross-domain environment, a service account is assigned delegation rights to impersonate the authenticating user. To begin, open Active Directory Users and Computers on the domain that is being authenticated to.

If there are multiple EAS servers in an array, you must create an Alternate Service Account (ASA) in Active Directory and then continue with Assigning Delegation Rights to the Service Account. If you have only one EAS or CAS server in your environment, follow these instructions:

  1. If the SEG does not refer to the Exchange server by its Fully Qualified Domain Name (FQDN) or its machine name, create an SPN on your domain controller to allow delegation by the service account.

    If the SEG refers to the Exchange server by its FQDN or its machine name, skip this step.

  2. To set the SPN, open a command prompt on a server in the domain being authenticated to and run the following command.
    Example:
     setspn -s HTTP/{EX_DNS_NAME} {EX_MACHINE_NAME}

    Here {EX_DNS_NAME} is the name the SEG uses to refer to the Exchange server and {EX_MACHINE_NAME} is the actual machine name of the Exchange server. You must select this SPN when assigning delegation rights to the Service Account.

Assign Delegation Rights to the Service Account

Configure delegation rights for the service account.

  1. Open Active Directory Users and Computers on the domain that you are authenticating to and select View > Advanced Features.
  2. If you do not have a Service Account for the SEG to use for the Kerberos request, create one and name it SVC_awseg.
  3. Right-click the Service Account, and select Properties. In the Properties menu, select the Attribute Editor tab.
  4. To assign delegation rights to a user account, Microsoft requires that the account be assigned a Service Principal Name (SPN). Find the servicePrincipalName attribute in the list and edit it to be in the format HTTP/SVC_awseg.

    Example: (figure) Service Principal Name

  5. After setting up the SPN for the user account, close the Properties window and reopen it to access the Delegation tab. Delegation cannot be set for a user account until an SPN is set.
  6. On the Delegation tab, select the option Trust this user for delegation to specified services only and also Use any authentication protocol.
  7. Select Add, then search for and select the Exchange server (or the ASA account, if you followed the Create an Alternative Service Account section in the Configure KCD for Cross Domain Authentication topic) to which you want to grant delegation rights. Provide the actual machine name of the Exchange server, {EX_MACHINE_NAME}, for example EXCH. Scroll through the list to find the HTTP service type. If you set the SPN for the Exchange server in Step 2, select the SPN you created. If you have not set the SPN, select the HTTP service type for your server.

    Example: (figure) Add Exchange Server Name
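The following PowerShell script is an added verification example and is not part of the original procedure; it reads back the SPN from step 2 of the SPN setup and the delegation settings from steps 4 to 7 above. It assumes the RSAT ActiveDirectory module and setspn.exe are available, and uses SVC_awseg, EXCH and mail.example.com as placeholders for the service account, {EX_MACHINE_NAME} and {EX_DNS_NAME}.

```powershell
# Added verification example (not VMware's or Microsoft's code).
# Placeholders: adjust the three values below to your environment.
Import-Module ActiveDirectory

$svcAccount = 'SVC_awseg'
$exMachine  = 'EXCH'               # {EX_MACHINE_NAME}, assumed value
$exDnsName  = 'mail.example.com'   # {EX_DNS_NAME}, assumed value

# SPN setup, step 2: HTTP/{EX_DNS_NAME} must resolve to the Exchange computer
# account. setspn -Q prints the holder's DN when the SPN is registered.
$query = setspn -Q "HTTP/$exDnsName"
if (-not ($query -match "^CN=$exMachine,")) {
    Write-Warning "HTTP/$exDnsName is not registered on $exMachine"
}

# An SPN registered on two accounts breaks Kerberos for both; -X -F lists
# duplicates across the forest.
$dupes = setspn -X -F | Select-String -Pattern '^HTTP/' -Context 0, 2
if ($dupes) { Write-Warning "Duplicate HTTP SPNs:`n$($dupes | Out-String)" }

# Delegation setup, steps 4 to 7, read back from the service account object.
$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedToAuthForDelegation', 'TrustedForDelegation'
$acct    = Get-ADUser -Identity $svcAccount -Properties $props
$targets = @($acct.'msDS-AllowedToDelegateTo')
$pattern = '^HTTP/(' + [regex]::Escape($exDnsName) + '|' + [regex]::Escape($exMachine) + ')'

$checks = [ordered]@{
    # The Delegation tab only appears once the account has an SPN (steps 4, 5).
    'Account has HTTP/SVC SPN'        = $acct.servicePrincipalName -contains "HTTP/$svcAccount"
    # "Trust this user for delegation to specified services only" (steps 6, 7).
    'Constrained to Exchange HTTP'    = [bool]($targets | Where-Object { $_ -match $pattern })
    # "Use any authentication protocol" is protocol transition (step 6).
    'Protocol transition enabled'     = [bool]$acct.TrustedToAuthForDelegation
    # Unconstrained delegation would let this account impersonate users to any service.
    'Unconstrained delegation is off' = -not $acct.TrustedForDelegation
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-34} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}
```

Any FAIL line maps back to the numbered step named in its comment; the SPN and delegation checks are the ones that most often explain a KCD failure reported by the SEG.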

Add Service Account to Local IIS_IUSRS Group of the CAS/EAS Server

Add a service account to the IIS user groups of the ActiveSync server.

  1. On the CAS/EAS server, open Server Manager and navigate to Configuration > Local Users and Groups > Groups.
  2. Right-click IIS_IUSRS and select Add to Group. Select Add… to search for the SVC_awseg Service Account, add the user to the local group, and then select OK.

    Example: (figure) Add to Group

Enable Windows Authentication on the CAS/EAS

Configure Windows Authentication on the CAS/EAS. If the SEG is configured with KCD and the EWS proxy is enabled, you must also perform the following procedure on the EWS Virtual Directory.

  1. On the Exchange Server, open IIS Manager and navigate to the Microsoft-Server-ActiveSync Virtual Directory.
  2. Select Authentication, enable Windows authentication, and add Negotiate as a provider.

    Example: (figure) Add Negotiate as Authentication Provider

  3. In the Microsoft-Server-ActiveSync Virtual Directory, open the Configuration Editor and navigate to system.webServer > Security > Authentication > WindowsAuthentication. Set Enabled, useAppPoolCredentials and useKernelMode to True.

    Example: (figure) EAS Virtual Directory
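The script below is an added example, not part of the original page, that reads the IIS settings from steps 2 and 3 back from the ActiveSync virtual directory and, for the EWS proxy case, from EWS as well. It assumes the WebAdministration module on the Exchange server and that the virtual directories live under Default Web Site.

```powershell
# Added verification example (not VMware's or Microsoft's code).
Import-Module WebAdministration

$site   = 'Default Web Site'                        # assumed site name
$vdirs  = @('Microsoft-Server-ActiveSync', 'EWS')   # EWS only matters when the EWS proxy is enabled
$filter = 'system.webServer/security/authentication/windowsAuthentication'

function Test-KcdWindowsAuth {
    param([string]$VirtualDirectory)
    $psPath    = "IIS:\Sites\$site\$VirtualDirectory"
    # Effective (inherited plus local) windowsAuthentication section of the vdir.
    $winAuth   = Get-WebConfiguration -Filter $filter -PSPath $psPath
    $providers = @(Get-WebConfiguration -Filter "$filter/providers/add" -PSPath $psPath |
                   ForEach-Object { $_.value })
    [pscustomobject]@{
        VirtualDirectory      = $VirtualDirectory
        WindowsAuthEnabled    = [bool]$winAuth.enabled                # step 2
        NegotiateProvider     = $providers -contains 'Negotiate'      # step 2: Kerberos is offered via Negotiate
        UseAppPoolCredentials = [bool]$winAuth.useAppPoolCredentials  # step 3
        UseKernelMode         = [bool]$winAuth.useKernelMode          # step 3
    }
}

$report = $vdirs | ForEach-Object { Test-KcdWindowsAuth -VirtualDirectory $_ }
$report | Format-Table -AutoSize
$report | Where-Object { -not ($_.WindowsAuthEnabled -and $_.NegotiateProvider -and
                               $_.UseAppPoolCredentials -and $_.UseKernelMode) } |
    ForEach-Object { Write-Warning "$($_.VirtualDirectory): KCD prerequisites are incomplete" }
```

Re-run the check after any Set-ActiveSyncVirtualDirectory or Set-WebServicesVirtualDirectory change, since those Exchange cmdlets also write the IIS authentication settings.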

Leveraging an ASA Credential Type

Configure an alternate service account to represent the Exchange server. You can create a computer account or a user account for the Alternate Service Account (ASA).

Because a computer account does not allow interactive logon, it may have simpler security policies than a user account and therefore is the preferred solution for the ASA credential. If you create a computer account, the password doesn't actually expire, but we still recommend updating the password periodically. Local group policy can specify a maximum account age for computer accounts and there might be scripts scheduled to periodically delete computer accounts that do not meet current policies. Periodically updating the password for computer accounts ensures that your computer accounts are not deleted for not meeting local policy. Your local security policy determines when the password needs to be changed.

Credential Name

There are no particular requirements for the name of the ASA credential. You can use any name that conforms to your naming scheme.

Groups and Roles

The ASA credential does not need special security privileges. If you are deploying a computer account for the ASA credential, the account only needs to be a member of the Domain Computers security group. If you are deploying a user account for the ASA credential, the account only needs to be a member of the Domain Users security group.

Password

The password you provide when you create the account is never actually used. Instead, the script resets the password. So when you create the account, you can use any password that conforms to your organization's password requirements. All computers in the Exchange server array must share the same Service Account. In addition, any CAS that are called on in a data center activation scenario must also share the same Service Account.

Create an Alternative Service Account

Create an Alternate Service Account (ASA) to represent the Exchange server. If an environment has multiple Client Access Server (CAS) or Exchange ActiveSync (EAS) servers, then the service registration procedure varies.

  1. Open Active Directory Users and Computers and create a new computer account. Create an ASA for the Exchange server in the domain and enter a name for the ASA.
  2. Create a service principal name (SPN) on the domain using the following command. See the Microsoft documentation on how to use the setspn command; its syntax varies depending on your environment.

    Example:

    setspn -s http/{MAIL-SERVER-FQDN} {ASA_ACCOUNT}$

    The MAIL-SERVER-FQDN must be the same mail server configured in the MEM configuration.

  3. Run the following command in PowerShell and verify that all relevant SPNs are assigned.

    Example:

    setspn -L {ASA_ACCOUNT}

  4. To assign the ASA to the Exchange servers, run the Alternate Service Account credential script, RollAlternateServiceAccountPassword.ps1, in the Exchange Management Shell for your Exchange version.

    Example:

    .\RollAlternateServiceAccountPassword.ps1 -ToSpecificServers {MAIL-SERVER-FQDN} -GenerateNewPasswordFor "{DOMAIN}\{ASA_ACCOUNT}$" -Verbose

    After you run the script, a Success message is displayed.

  5. Verify that the ASA credential is deployed.

    Example:

    Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | fl name,*alter*

  6. Enable the SEG to delegate HTTP EAS traffic to the newly created ASA instead of the Exchange server FQDN.

    For more information, see step 6 in the Assign Delegation Rights to the Service Account section in the Configure KCD for Cross Domain Authentication topic.
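As an added example that is not part of the original page, the following script checks the SPN placement from steps 2 and 3 of the ASA procedure on the Active Directory side: every namespace SPN must be on the ASA and on no other account. It assumes the RSAT ActiveDirectory module, an ASA computer account named EXCHASA for {ASA_ACCOUNT}, and mail.example.com for {MAIL-SERVER-FQDN}.

```powershell
# Added verification example (not VMware's or Microsoft's code).
Import-Module ActiveDirectory

$asaAccount = 'EXCHASA'            # {ASA_ACCOUNT}, the computer account from step 1 (assumed name)
$mailFqdn   = 'mail.example.com'   # {MAIL-SERVER-FQDN} as configured in MEM (assumed value)
$expected   = @("http/$mailFqdn")  # add any other namespaces you registered in step 2

$asa = Get-ADComputer -Identity $asaAccount -Properties servicePrincipalName

# Step 3: every expected SPN must be registered on the ASA. -notcontains is
# case-insensitive, so http/ and HTTP/ compare equal here, as they do to Kerberos.
$missing = @($expected | Where-Object { $asa.servicePrincipalName -notcontains $_ })
foreach ($spn in $missing) { Write-Warning "$spn is not registered on $asaAccount" }

# A namespace SPN must exist on the ASA only. A copy left on an individual CAS
# computer account is a duplicate SPN, and Kerberos authentication to that
# name then fails for every client, including the SEG.
foreach ($spn in $expected) {
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    $stray   = @($holders | Where-Object { $_.DistinguishedName -ne $asa.DistinguishedName })
    if ($stray) {
        Write-Warning "$spn is also registered on: $($stray.DistinguishedName -join '; ')"
    }
}

# Summary for the operator; an empty report means steps 2 and 3 are consistent.
[pscustomobject]@{
    ASA            = $asa.DistinguishedName
    RegisteredSPNs = @($asa.servicePrincipalName) -join ', '
    MissingSPNs    = $missing -join ', '
}
```

After step 6, the SEG service account's msDS-AllowedToDelegateTo attribute should list http/{MAIL-SERVER-FQDN} rather than the Exchange server's own HTTP SPN; the Get-ClientAccessServer command from step 5 confirms that each CAS in the array reports the same ASA credential.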