Implementing 2010 in ISA 2006 Environment; ActiveSync/RPC Proxy Questions

    Question

  • Hi All,

    I originally started this thread in the "Clients" forum, but someone suggested I enter it here, as it may make more sense.  Mods, if that is incorrect, please feel free to move/delete the threads as necessary. 

    I'm implementing Exchange 2010 in a large-user Exchange 2003 environment.  The current environment consists of two back-end servers, one front-end server, and one separate bridge-head server.  ActiveSync has been enabled and is supported with an ISA 2006 SP1 system utilizing certificate-based user authentication. 
    The 2010 implementation will have multiple Hubs, CASes, and mailbox servers (hub and CAS roles will be shared on a box and the mailbox role will be alone).  ISA will also be utilized for OWA and ActiveSync until we upgrade to TMG. 

    We have been testing the ISA implementation on an ISA server at our DR site (used for DR and testing) which has the rules setup to forward the requests to the corporate Exchange 2010 servers. 
    We followed the setup article that was published on the Exchange Team's blog.  OWA is working properly (for both 2010 and 2003 mailboxes) and it appears that ActiveSync works fine for 2010 mailboxes as long as I set the Exchange ActiveSync authentication method to "Accept client certificates" (in the Server Configuration section of the EMC); however, 2003 mailboxes weren't authenticating properly.  If I looked at the ISA server logs it was "authenticating" successfully, but with a status of "403 Forbidden".  Looking at the IIS logs on the 2010 Hub/CAS server (exhubcas01) it had a line stating
    exmb01.domain.local_LdapC6_LdapL15_Error:NTLM+not+on+the+destination+CAS_Mbx:exmb01.domain.local_Dc:WINDC02.domain.local
    Looking at the logs on exmb01 (2003 mailbox) from the same time I got these results:

    2012-02-29 21:48:34 W3SVC1 10.250.50.34 PROPFIND /exchange/ActiveSyncTest2003@domain.com/NON_IPM_SUBTREE - 80 - 10.250.50.37 EAS-CheckForLock/v1.0 401 2 2148074254
    2012-02-29 21:48:34 W3SVC1 10.250.50.34 PROPFIND /exchange/ActiveSyncTest2003@domain.com/NON_IPM_SUBTREE - 80 - 10.250.50.37 EAS-CheckForLock/v1.0 401 1 0
    2012-02-29 21:48:34 W3SVC1 10.250.50.34 PROPFIND /exchange/ActiveSyncTest2003@domain.com/NON_IPM_SUBTREE - 80 - 10.250.50.37 EAS-CheckForLock/v1.0 401 1 5

    2012-02-29 21:48:34 W3SVC1 10.250.50.34 OPTIONS /Microsoft-Server-ActiveSync - 80 - 10.250.50.37 Apple-iPhone2C1/901.405 401 1 0
    2012-02-29 21:48:34 W3SVC1 10.250.50.34 OPTIONS /Microsoft-Server-ActiveSync - 80 - 10.250.50.37 Apple-iPhone2C1/901.405 401 1 5
    2012-02-29 21:48:34 W3SVC1 10.250.50.34 OPTIONS /Microsoft-Server-ActiveSync - 80 - 10.250.50.37 Apple-iPhone2C1/901.405 401 2 2148074254


    From the IIS log text on the 2010 Hub/CAS, it sounds like there is a problem with NTLM authentication, so I searched for the error and found an article on the Exchange Team blog about Exchange 2007 and the need to install KB937031 on the Exchange 2003 back-end servers and to set the ActiveSync authentication settings to use Integrated Windows Authentication (using ESM).  I also left “basic authentication” enabled as well. 

    So my boss and I looked at the computer accounts in Active Directory Users and Computers and looked at the "Delegation" tab on cashub01.  If I added RPC for exmb01, the Exchange 2003 mailboxes can now authenticate with ActiveSync. 

    I'm posting this today to ask "Why did I need to add the RPC delegation?"  Last year I implemented Exchange 2010 at a much smaller organization.  I remember installing the hotfix on the 2003 back-end and that the RPC proxying to the 2003 mailboxes worked without a hitch; however, we weren't using ISA, nor were we using cert-based authentication. 
    I just want to make sure that this is okay to do and find out if I set up something incorrectly or missed something, as I cannot find anything out there about needing to setup delegation for RPC on the CAS. 
    As an aside, we aren’t running RPC over HTTP (Outlook Anywhere) on the Exchange 2003 servers, so perhaps there was an ancillary step for allowing RPC connections into the 2003 back-ends that we never did. 

    Thanks in advance for the help, and for reading my massive post.  :)

    Tuesday, March 6, 2012 9:39 PM

Answers

  • I tested it a little further and it turned out I didn't need the RPC delegation set.  I think I may have needed to throw an extra reboot at the iPhone before the changes took effect on the device, but it seemed to take effect after I added the RPC delegation, hence my suspicion of that being the issue. 

    After removing the RPC delegation from the CAS server and rebooting the iPhone (many times) and removing and re-installing the iPhone profile, it appears having Http and W3svc delegation (like the way it is set up on the ISA to connect to the front-end servers) is good enough. 
    Here's a link discussing Kerberos Constrained Delegation a bit further: http://technet.microsoft.com/en-us/library/bb794858.aspx 

    • Marked as answer by Paul Newell Monday, March 19, 2012 7:51 PM
    Monday, March 19, 2012 7:51 PM
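An added example, not from the thread or its author, that audits the constrained delegation list on the CAS computer account against what the accepted answer concluded was sufficient (http/ and w3svc/ to each 2003 back-end, no RPC entries). It assumes the RSAT ActiveDirectory module; the host names are the thread's placeholders.

```powershell
# Added example (not from the thread): report the Kerberos constrained delegation
# entries on the Exchange 2010 CAS/Hub computer account and compare them with the
# http/ and w3svc/ entries the thread found to be enough for 2003 mailboxes.
# Assumes the RSAT ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$casAccount = 'cashub01'                        # Exchange 2010 CAS/Hub computer account
$backEnds   = @('exmb01.domain.local')          # Exchange 2003 back-end servers (FQDNs)

$acct = Get-ADComputer -Identity $casAccount -Properties `
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# Unconstrained delegation should stay off; constrained delegation targets live in
# msDS-AllowedToDelegateTo. TrustedToAuthForDelegation is the "use any
# authentication protocol" (protocol transition) switch on the Delegation tab.
"Unconstrained delegation (TrustedForDelegation):   $($acct.TrustedForDelegation)"
"Protocol transition (TrustedToAuthForDelegation): $($acct.TrustedToAuthForDelegation)"

$spns = @($acct.'msDS-AllowedToDelegateTo')
"Constrained delegation targets on ${casAccount}: $($spns.Count)"

foreach ($be in $backEnds) {
    foreach ($svc in 'http', 'w3svc') {
        $wanted = "$svc/$be"
        # -contains compares strings case-insensitively, as SPN matching does;
        # only the FQDN form is checked here, a NetBIOS-only entry is reported as missing.
        if ($spns -contains $wanted) { "  OK      $wanted" } else { "  MISSING $wanted" }
    }
    # The thread found RPC entries unnecessary once http/ and w3svc/ were present,
    # so list anything else pointing at the back-end instead of silently accepting it.
    $extra = $spns | Where-Object { $_ -like "*/$be" -and $_ -notmatch '^(http|w3svc)/' }
    foreach ($e in $extra) { "  EXTRA   $e (not required per the thread's resolution)" }
}
```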

All Replies

  • Hi Paul

    >>install KB937031 on the Exchange 2003 back-end servers and setting the ActiveSync authentication settings to use Integrated Windows Authentication

    Have you done this already, or are you asking if you need to do this?  You don't have to enable RPC delegation for this to work.

    Cheers, Steve

    Tuesday, March 6, 2012 9:47 PM
  • Hi Steve,

    Yes, I installed the hotfix on one of my back-end servers and was able to make the change to the authentication to the ActiveSync protocol via the ESM.  Since I was able to update it on each back-end server from the one server that I applied the patch to, I did not install the patch on the other back-end servers.  I also used ADSIEdit to verify that the "msExchAuthenticationFlags" value was set to 6 (as noted here).

    That's why I'm confused by my needing to add the RPC delegation to get this to work. 

    Tuesday, March 6, 2012 10:09 PM
  • I can't think of any reason why you would need to do that, but maybe someone else has seen this before - I have never had to enable this on any 2003 -> 2010 upgrade.  You have probably seen this article, but I'll link to it just in case you haven't: http://technet.microsoft.com/en-us/library/ee332348.aspx

    Cheers, Steve

    Tuesday, March 6, 2012 10:14 PM
  • Yeah, I've already read that article.  We haven't followed it line-by-line, however, as we haven't updated the OAB or set it as the generation source yet. 

    Again, we are using ISA 2006 and users authenticate using certificates, if that makes a difference.  No one connects with their standard domain password; we load a "Security Profile" on to their iPhone with a personal certificate created by our AD Certificate Authority. 

    Tuesday, March 6, 2012 10:30 PM
  • I did some research and I guess this is based on how the ISA server was originally implemented with "Kerberos Delegated Authentication".  Apparently part of the original design was done by a contractor, so I wasn't familiar with it, but my understanding is that this was due to their design; there was a need to add "Delegation Trusts" on the ISA server to the Exchange servers, but since the traffic was coming in to the new Exchange servers they needed to be trusted as well. 
    Tuesday, March 13, 2012 1:57 PM
  • I tested it a little further and it turned out I didn't need the RPC delegation set.  I think I may have needed to throw an extra reboot at the iPhone before the changes took effect on the device, but it seemed to take effect after I added the RPC delegation, hence my suspicion of that being the issue. 

    After removing the RPC delegation from the CAS server and rebooting the iPhone (many times) and removing and re-installing the iPhone profile, it appears having Http and W3svc delegation (like the way it is set up on the ISA to connect to the front-end servers) is good enough. 
    Here's a link discussing Kerberos Constrained Delegation a bit further: http://technet.microsoft.com/en-us/library/bb794858.aspx 

    • Marked as answer by Paul Newell Monday, March 19, 2012 7:51 PM
    Monday, March 19, 2012 7:51 PM