[Update 21/12/2010] This topic was discussed on the FIM TechNet Forums, and as there is now some official TechNet documentation out there, I would like to reference it here. For a fully supported Kerberos-enabled CAS array, Exchange 2010 SP1 is required, and you can follow this guide: http://technet.microsoft.com/en-us/library/ff808313.aspx
One of the problems I had with FIM 2010 in the past is the configuration of the RPS URI in the FIM Active Directory Management Agent (AD MA) configuration. When you want FIM to provision mailboxes for you, or when using FIM for GALsync (provisioning contacts), you have to provide the URL of the Exchange PowerShell web service (http://webmail.contoso.com/powershell).
A lot of Exchange environments have more than one CAS server, typically combined with an NLB solution. So ideally you just point FIM to the CAS array URL (like webmail.contoso.com), ensuring FIM is not dependent on the uptime of one specific CAS server. This is where the problem lies: the MA only uses Kerberos to connect to that URL, and out of the box the CAS array URL is not Kerberos enabled, so the provisioning of mailboxes will fail. When targeting a specific CAS server, Kerberos authentication works just fine, because Exchange setup registers all required SPNs for each individual CAS server.
From Exchange 2010 RU3 (or RU4, not quite sure) there is a way to enable the CAS array for Kerberos. The word is out that this will officially be supported from Exchange 2010 SP1. The following steps are required:
- Create a service account in Active Directory: svc_exchange
- Register the SPNs on this account (I always register both the FQDN and the short name):
  - setspn -F -S exchangeMDB/webmail.contoso.com CONTOSO\svc_exchange
  - setspn -F -S exchangeRFR/webmail.contoso.com CONTOSO\svc_exchange
  - setspn -F -S exchangeAB/webmail.contoso.com CONTOSO\svc_exchange
  - setspn -F -S HTTP/webmail.contoso.com CONTOSO\svc_exchange
  - setspn -F -S exchangeMDB/webmail CONTOSO\svc_exchange
  - setspn -F -S exchangeRFR/webmail CONTOSO\svc_exchange
  - setspn -F -S exchangeAB/webmail CONTOSO\svc_exchange
  - setspn -F -S HTTP/webmail CONTOSO\svc_exchange
- The following steps have to be executed on each CAS server:
  - $cred = Get-Credential "CONTOSO\svc_exchange"
  - Set-ClientAccessServer -Identity CASserver -AlternateServiceAccountCredential $cred
  - Restart-Service MSExchangeAB
  - Restart-Service MSExchangeRPC
- To verify the setting, execute the following on each CAS server:
  - Get-ClientAccessServer -Identity CASserver -IncludeAlternateServiceAccountCredentialStatus | fl AlternateServiceAccountConfiguration
From now on, whether you use Outlook to connect to the CAS array or just provision with FIM over HTTP, Kerberos will be used. You can easily verify this with klist (built into Windows 2008 and up) or with Kerbtray, or just in the security event log of a CAS server.
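The whole procedure above, plus the verification, as one script. This is an added example and is not code from the original post or from the French tutorial it is based on. It assumes the names used above (webmail.contoso.com, CONTOSO\svc_exchange), placeholder CAS server names CAS01 and CAS02, an Exchange Management Shell session run by an account that may write SPNs and manage CAS servers, and PowerShell remoting to the CAS servers for the service restarts.

```powershell
# Added example: Kerberos-enable an Exchange 2010 CAS array end to end.
# Assumed values (replace with your own):
$arrayFqdn  = 'webmail.contoso.com'    # CAS array / NLB name
$arrayShort = 'webmail'                # short name, registered as well
$account    = 'CONTOSO\svc_exchange'   # alternate service account (ASA)
$casServers = @('CAS01', 'CAS02')      # placeholders for the real CAS servers
$spnServices = @('exchangeMDB', 'exchangeRFR', 'exchangeAB', 'HTTP')

# Step 1: register the SPNs on the service account.
# setspn -S refuses to add an SPN that already exists somewhere (a duplicate SPN
# makes Kerberos fail for that name), and -F extends that check to the whole forest.
# setspn -Q is used first so that re-running the script is harmless.
function Register-ArraySpns {
    foreach ($svc in $spnServices) {
        foreach ($name in @($arrayFqdn, $arrayShort)) {
            $spn = "$svc/$name"
            $query = (& setspn -Q $spn) -join "`n"
            if ($query -match 'Existing SPN found') {
                if ($query -match [regex]::Escape($account.Split('\')[1])) {
                    Write-Host "$spn already registered on $account, skipping."
                    continue
                }
                throw "$spn is registered on another account, fix this first:`n$query"
            }
            & setspn -F -S $spn $account | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn" }
            Write-Host "Registered $spn on $account."
        }
    }
}

# Step 2: set the ASA credential on every CAS server and restart the two
# services that need to pick it up. The restart runs remotely, so PowerShell
# remoting to the CAS servers is assumed.
function Set-CasArrayAsa {
    $cred = Get-Credential $account
    foreach ($cas in $casServers) {
        Set-ClientAccessServer -Identity $cas -AlternateServiceAccountCredential $cred
        Invoke-Command -ComputerName $cas -ScriptBlock {
            Restart-Service -Name MSExchangeAB  -Force
            Restart-Service -Name MSExchangeRPC -Force
        }
        Write-Host "ASA credential set and services restarted on $cas."
    }
}

# Step 3: verify on every CAS server that the ASA configuration is present.
function Test-CasArrayAsa {
    $ok = $true
    foreach ($cas in $casServers) {
        $status = Get-ClientAccessServer -Identity $cas -IncludeAlternateServiceAccountCredentialStatus
        if (-not $status.AlternateServiceAccountConfiguration) {
            Write-Warning "$cas has no alternate service account configured."
            $ok = $false
        } else {
            Write-Host "${cas}:"
            $status.AlternateServiceAccountConfiguration | Format-List
        }
    }
    return $ok
}

# Step 4: from a domain-joined client, request a service ticket for the array
# name and confirm it is in the ticket cache (klist is built into Windows 2008+).
function Test-CasArrayKerberos {
    $spn = "HTTP/$arrayFqdn"
    & klist get $spn | Out-Null
    $cache = (& klist tickets) -join "`n"
    if ($cache -match [regex]::Escape($spn)) {
        Write-Host "Kerberos service ticket for $spn is in the cache."
        return $true
    }
    Write-Warning "No ticket for $spn in the cache; check the SPNs and the ASA configuration."
    return $false
}

Register-ArraySpns
Set-CasArrayAsa
if (Test-CasArrayAsa) { Test-CasArrayKerberos }
```

Two points are worth keeping in mind when running this. First, the script deliberately stops when an SPN for the array name already exists on a different account instead of creating a duplicate; a duplicate SPN is the most common reason Kerberos to a load-balanced name silently falls back or fails, so resolve that before continuing. Second, the ASA credential is the same password stored on every CAS server, so plan for its rotation: Exchange 2010 SP1 ships a RollAlternateServiceAccountPassword.ps1 script for that purpose.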
The actual procedure I used comes from the following blog: TUTORIEL: Exchange 2010 SP1 (Beta) - Activer Keberos pour un pool de serveurs CAS (Client Access Array). As it is in French, I think an English alternative is justified.
TechNet help for the Set-ClientAccessServer command: http://technet.microsoft.com/en-us/library/bb125157.aspx