Wednesday, January 20, 2016

Kerberos and User account as ASA

Hi folks,

In this brief post I would like to share a little about configuring Kerberos authentication on Exchange 2013 Client Access (CAS) servers sitting behind load balancers. Kerberos is more secure than NTLM and scales better: the client obtains a ticket for the load-balanced namespace and the CAS servers validate it locally with the shared Alternate Service Account (ASA) credential, instead of relaying NTLM challenges to a domain controller for every request. I won't go into the details of configuring it here. This TechNet article fully describes how to configure Kerberos authentication for Outlook Anywhere (including MAPI/HTTP), and this one provides a good guideline for configuring it in co-existence with Exchange 2010.

The recommended way of configuring the ASA is to use a computer account, because its password is not subject to the domain's user password expiration policy and therefore does not need to be rolled periodically. Here, however, I will discuss using a user account as the ASA. The step of particular interest is:

.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer cas01.contoso.com -GenerateNewPasswordFor contoso\userASA

This command (cas01.contoso.com stands for the FQDN of your first CAS server) generates a new password for the ASA account, sets it in Active Directory and deploys the credential on that first CAS server; the remaining array members are then updated from it with the script's -CopyFrom parameter. The same command is also used to reset the ASA password later. Unfortunately, with a user account you will need to do this every now and then, because the account is subject to the domain password expiration policy. Please note that you can't use the AD tools to reset the password: the script updates both the account in AD and the credential stored on the CAS servers, so resetting the password in AD alone leaves the servers with a stale credential and breaks Kerberos authentication. Only the command above will do the magic.

In order to successfully change the password for this account, you will need to ensure that the admin account used for this activity has the following permissions on the ASA user account:

- Change Password
- Reset Password

If they are not present, the script fails with an access-denied error when it tries to set the new password on the account.
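The following script is an added example and is not part of the original post or of the Exchange scripts. It checks, before you run RollAlternateServiceAccountPassword.ps1, whether the admin account holds the Change Password and Reset Password extended rights on the ASA user account, either directly or through one of its groups, and can optionally grant the missing ones. The account names (contoso\userASA, contoso\exchadmin) are placeholders; it assumes the ActiveDirectory RSAT module is available and that you run it with enough rights to read (and, if granting, write) the ASA account's ACL.

```powershell
# Added example, not part of the original post: verify (and optionally grant) the
# "Change Password" and "Reset Password" extended rights that the admin running
# RollAlternateServiceAccountPassword.ps1 needs on the ASA user account.
# userASA and exchadmin are placeholder account names.
Import-Module ActiveDirectory

$asaSam       = 'userASA'     # sAMAccountName of the ASA user account
$adminSam     = 'exchadmin'   # account that will run the roll script
$grantMissing = $false        # set to $true to add the missing ACEs

# Schema GUIDs of the two control-access rights
# (User-Change-Password and User-Force-Change-Password in the AD schema).
$rights = [ordered]@{
    'Change Password' = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
    'Reset Password'  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
}

$netbios = (Get-ADDomain).NetBIOSName
$asa     = Get-ADUser -Identity $asaSam
$aclPath = 'AD:\' + $asa.DistinguishedName
$acl     = Get-Acl -Path $aclPath

# The admin may hold a right directly or through a group it is a direct member of.
$principals = @("$netbios\$adminSam") +
    (Get-ADPrincipalGroupMembership -Identity $adminSam |
        ForEach-Object { "$netbios\$($_.SamAccountName)" })

$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$adminSid = (Get-ADUser -Identity $adminSam).SID

foreach ($name in $rights.Keys) {
    $guid = $rights[$name]
    # An ACE grants this right if it is an Allow ACE carrying ExtendedRight for
    # this GUID, or for the empty GUID, which means "all extended rights".
    $allow = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty) -and
        ($principals -contains $_.IdentityReference.Value)
    }
    if ($allow) {
        Write-Host "OK      $name is granted via $($allow[0].IdentityReference) on $asaSam"
        continue
    }
    Write-Warning "MISSING $name for $netbios\$adminSam on $asaSam"
    if ($grantMissing) {
        # Add an explicit Allow ACE for the admin's SID limited to this one right.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $adminSid, $extRight,
            [System.Security.AccessControl.AccessControlType]::Allow, $guid)
        $acl.AddAccessRule($ace)
        Set-Acl -Path $aclPath -AclObject $acl
        Write-Host "GRANTED $name to $netbios\$adminSam on $asaSam"
    }
}
```

Run it in an elevated PowerShell session on a machine with RSAT; group-derived rights are only resolved one level deep, so a right inherited through nested groups shows as missing and is worth confirming by hand before granting anything. Once both rights report OK, run RollAlternateServiceAccountPassword.ps1 from the Exchange Management Shell and confirm the result with Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus, which shows the ASA credential configured on each CAS server.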

I hope you will find this post helpful in your Exchange configuration adventures.