Outlook Anywhere with Integrated Authentication on AD Functional Level "Win Server 2008"
-
Thursday, May 24, 2012 7:14 AM
Hi,
I am following this document from Microsoft http://www.microsoft.com/en-us/download/details.aspx?id=22723 to publish Outlook Anywhere with Integrated Authentication and in the prerequisites it says the following.
The domain where TMG and Exchange have been installed must be operating in Windows Server 2003 mode. This is required to allow TMG and CAS to be able to use Kerberos Constrained Delegation.
The problem is this we have implemented a new AD Domain on Win2008 R2 and the Domain & Forest Functional Level is Windows Server 2008.
Is it possible to achieve the desired configuration for Publishing Outlook on the current AD Functional Level?
Is there an alternate configuration to achieve our requirement?
Is there any latest document from Microsoft on this subject as the one in the link is published in 2010?
Please suggest.
Regards,
maqsood
Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
All Replies
-
Thursday, May 24, 2012 9:08 AM
Hi,
The document is stating a minimum domain level so 2008 is fine.
Regards, Rmknight
-
Thursday, May 24, 2012 10:40 AM
But in the prerequisites it clearly says the domain mode must be Win Server 2003; I don't see anywhere that Win 2008 is fine.
- The domain where TMG and Exchange have been installed must be operating in Windows Server 2003 mode. This is required to allow TMG and CAS to be able to use Kerberos Constrained Delegation.
Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
-
Thursday, May 24, 2012 10:47 AM
It's poorly worded.
We are running our production environment with Windows 2008 R2 AD and publishing Outlook Anywhere with KCD.
Kerberos Constrained Delegation, it should read "and higher." Requirements are: the domain must be set to the Windows Server 2003 functional level or the Windows Server 2008 functional level.
About Kerberos constrained delegation: http://technet.microsoft.com/en-us/library/cc995228.aspx
Regards, Rmknight
-
Thursday, May 24, 2012 11:01 AM
Thanks a lot.
This gives me confidence to go ahead and deploy this configuration.
I shall update you the status.
Regards,
Maqsood
Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
-
Friday, May 25, 2012 10:45 AM
Hi,
I am preparing to publish Outlook Anywhere through TMG and I got the following configuration.
1 - TMG Publishing Rule - Authentication - KCD (What should be the SPN here? We have two CAS servers running in NLB; the virtual name is corecas01.abc.com and we have the DNS alias email.abc.com for it.) So what should I put in the SPN?
And do I need to set the same SPN on the virtual account properties or on both CAS server account properties?
2 - Web Listener - HTML with Integrated Authentication, and we are using a public certificate for the SSL connection.
Please suggest if there is anything I am missing in this configuration.
Regards,
maqsood
Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
-
Friday, May 25, 2012 4:00 PM (Moderator)
SPN should be http/* the SPN will be created dynamically based upon the actual farm member used.
You need to add the http/cas-server1 and http/cas-server2 SPNs to the delegation properties of the TMG computer object.
You need to choose HTTP authentication on the web listener and enable Windows integrated.
This is an old, but still quite relevant in places, guide: http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html
Cheers
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
- Marked As Answer by Maqsood Mohammed Sunday, May 27, 2012 10:12 AM
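As an added check (not part of the thread or of Jason's answer), the PowerShell below verifies the two pieces of the accepted answer before the TMG rule is enabled: that each CAS farm member can be addressed by an http/ SPN, and that the TMG computer object is constrained to exactly those SPNs rather than trusted for unconstrained delegation. It assumes the RSAT ActiveDirectory module; the computer names and the abc.com suffix are placeholders for the poster's environment.

```powershell
# Added example, not from the thread: sanity-check the KCD setup from the answer.
# Assumes the RSAT ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$TmgComputer = 'TMG01'                          # placeholder: TMG server computer account
$CasServers  = @('cas-server1', 'cas-server2')  # CAS farm members named in the answer
$DnsSuffix   = 'abc.com'                        # domain suffix used in the thread

function Test-CasSpn {
    param([string]$Cas)
    $acct = Get-ADComputer -Identity $Cas -Properties servicePrincipalName
    foreach ($name in @($Cas, "$Cas.$DnsSuffix")) {
        # An explicit http/ SPN is clearest; otherwise the KDC maps http to HOST/
        # through the forest's default sPNMappings, so a HOST/ SPN also satisfies it.
        if     ($acct.servicePrincipalName -contains "http/$name") { "OK   http/$name (explicit) on $Cas" }
        elseif ($acct.servicePrincipalName -contains "HOST/$name") { "OK   http/$name (via HOST/ mapping) on $Cas" }
        else   { "FAIL no http/ or HOST/ SPN for $name on $Cas" }
    }
}

function Test-TmgDelegation {
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $tmg = Get-ADComputer -Identity $TmgComputer -Properties $props

    # Unconstrained delegation would let TMG impersonate users to any service;
    # the published guide wants constrained delegation, so report this as a finding.
    if ($tmg.TrustedForDelegation) { "RISK $TmgComputer is trusted for unconstrained delegation" }

    # "Use any authentication protocol" (protocol transition) is what lets TMG turn
    # the client's non-Kerberos logon at the listener into a Kerberos ticket for CAS.
    if (-not $tmg.TrustedToAuthForDelegation) { "WARN protocol transition not enabled on $TmgComputer" }

    $allowed = @($tmg.'msDS-AllowedToDelegateTo')
    foreach ($cas in $CasServers) {
        $candidates = @("http/$cas", "http/$cas.$DnsSuffix")
        $hit = $candidates | Where-Object { $allowed -contains $_ }
        if ($hit) { "OK   $TmgComputer may delegate to $($hit -join ', ')" }
        else      { "FAIL neither $($candidates -join ' nor ') is in the delegation list of $TmgComputer" }
    }
}

$CasServers | ForEach-Object { Test-CasSpn -Cas $_ }
Test-TmgDelegation
```

Run it as a domain user with read access to the computer objects; a FAIL on the delegation list means the http/cas-server SPNs from the answer have not yet been added to the TMG computer object's delegation tab.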