Exchange 2010 RPS URI and NLB RRS feed

  • Question

  • Hi,

    I didn't find an answer to this question (question one): is it supported to point the AD MA at the NLB name of the Exchange 2010 CAS servers?

    well... the question is caused by the fact that it just doesn't work with the cluster NLB name, while it works with any of the cluster nodes.

    http://server1/powershell as the RPS URI works fine, while http://clustername/powershell raises export errors complaining about Kerberos failures and so on...

    the interesting part here is that the /powershell virtual directory in IIS on both nodes is set up with all authentication methods disabled.

    and here goes question two: how does it work then? I can't find any Kerberos tokens on the client, and all authentication methods are disabled in IIS on the CAS.

    Tuesday, December 21, 2010 12:33 PM

All replies

  • hm... Kerberos definitely does its job

     

    POST /powershell?PSVersion=2.0 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/soap+xml;charset=UTF-8
    Authorization: Kerberos
    
    User-Agent: Microsoft WinRM Client
    Content-Length: 0
    Host: 
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/7.5
    WWW-Authenticate: Kerberos YIGYBgkqhkiG
    
    so, an SPN for the app pool account might do the trick. still curious what's happening with the auth methods in IIS

     

    Tuesday, December 21, 2010 1:45 PM
  • ok, after an hour of struggling to get the Exchange PowerShell app pool running under a domain account instead of Local System, our admins refused to have this in production, as just adding useAppPoolCredentials for defaultsite/powershell plus an SPN breaks the whole thing, including the EMC.

     

    has anyone had any luck running WinRM/PowerShell on Exchange CAS servers under a domain account (seems like a question for the Exchange forum)?

    otherwise, having just one node in the Exch10 RPS URI doesn't look like a fault-tolerant solution to me...

    Tuesday, December 21, 2010 3:17 PM
  • Evgeniy,

    Your Exchange admins are right: changing the application pool identity in IIS for Exchange 20xx is madness. I did it in a lab once for fun; it's doable if you only have 2 HUB/CAS in an NLB setup, but if you have CAS redirection and so on... it involves more than just using an app pool identity. You have to grant that account some specific rights.

    Plus, it's not supported. So full stop here!

    However, check http://setspn.blogspot.com/2010/08/exchange-2010-enable-kerberos-on-cas.html

    And as far as I am concerned: with Exchange 2010 SP1, you can Kerberos-enable your CAS array properly by following these instructions:

    http://technet.microsoft.com/en-us/library/ff808313.aspx

    Which refers to: http://technet.microsoft.com/en-us/library/ff808312.aspx

    Remember: I think the above procedure is only supported on Exchange 2010 SP1 and onwards!

    Happy Kerberizing!
    Regards,
    Thomas


    http://setspn.blogspot.com
    Tuesday, December 21, 2010 6:51 PM
  • Thomas, I knew you couldn't miss this thread :D

    I'll try with other SPNs, not only HTTP, and come back, because this question IMNSHO _must_ be in the FIM docs; otherwise MS should provide another solution for the AD MA and user provisioning with Exch 10 CAS in NLB.

     

    the original idea we tried was leaving NTLM for MDB and AB while enabling Kerberos only for /powershell (so it would not affect all users).

    and finally we got AB, OWA and the other stuff working with NTLM, and /powershell running Kerberos with its own app pool.

    the downside was that authentication worked fine, even Kerberos, but the server started to show 50x errors for /powershell and the EMC stopped working :)

    Wednesday, December 22, 2010 7:23 AM
  • Evgeniy,

    I would really not touch the IIS configuration of Exchange. It will break things and get you into an unsupported configuration.

    But I agree it's really not "enterprise" if you can't provision towards an NLB URL. In my current project we are pointing to a single node, knowing that we will enter production in two months. This will allow us to upgrade Exchange 2010 to SP1 and implement the supported way to talk Kerberos to the NLB URL.

    Out of the box, remote PowerShelling only:

    • Works when targeting HTTP => HTTPS will not work
    • Works when authenticating using Kerberos => means you have to use the hostname of a CAS server

    I agree it should be in the FIM Docs, at least as a sidenote. Perhaps an alternative is to write a wiki page about this.

    P.S. What Exchange version do you have? I guess not SP1?

    Regards,
    Thomas

     


    http://setspn.blogspot.com
    Wednesday, December 22, 2010 8:00 AM
  • I don't really understand why it will break the CAS.

    we have Exch10 SP1 in place, 2 nodes in NLB for every array... why not try to enable Kerberos?

     

    and as for PowerShell/WinRM and Kerberos: I saw network traces, and it looks like it uses its own Kerberos auth dialog, not IIS.

    Wednesday, December 22, 2010 8:14 AM
  • If you have Exchange 2010 SP1 in place, it's easy: follow the TechNet docs!

    Basically:

    Done :)

    But in no way do you have to touch the IIS configuration.


    http://setspn.blogspot.com
    Wednesday, December 22, 2010 8:24 AM
  • fortunately the NLB name works fine for the FIM Service with NTLM.

    I just changed the server name in Microsoft.ResourceManagement.Service.exe.config and it works....

     

    Wednesday, December 22, 2010 11:13 AM
  • True,

    That's a whole other communication flow. That's the FIM Service accessing its mailbox through "/ews".

    It's "/powershell" which requires Kerberos...

    Regards,
    Thomas


    http://setspn.blogspot.com
    Wednesday, December 22, 2010 11:30 AM
  • yep, in fact I had expected that EWS could also require Kerberos, but it's happy with NTLM (FIM Service).

    the odd thing was that it would not work if the FIM Service was set up to use EWS from Exch10 while the FIM mailbox was still on Exch2007.

    Wednesday, December 22, 2010 11:34 AM
  • So what about the /powershell URL, did it work by following the guide I referenced?
    http://setspn.blogspot.com
    Wednesday, December 22, 2010 11:36 AM
  • still waiting for a maintenance window to change the app pool ID
    Wednesday, December 22, 2010 11:37 AM
  • ok, followed your instructions and it works.

    1. create an account (not sure whether it needs the 'Generate security audits' permission, but I have granted it)

    2. set up SPNs for HTTP, exchangeMDB, exchangeRFR, exchangeAB/<cluster FQDN name>

    3. on every CAS in the array:

    # ASA credential (the account from step 1); Set-ClientAccessServer pushes it to the CAS
    $cred = Get-Credential "contoso\svcexchapppool"

    Set-ClientAccessServer -Identity CASserver -AlternateServiceAccountCredential $cred

    # restart IIS and the services that cache the credential
    iisreset

    Restart-Service MSExchangeAB

    Restart-Service MSExchangeRPC

    4. set up the AD MA with RPS URI: http://<cluster FQDN name>/powershell

     

    PS, I didn't use the script.

     

    Thomas, I really appreciate your help here. I think our Exchange admins now owe you a grand or two :) because if it did not work they'd have to check every new user account for a mailbox manually :D

    Wednesday, December 22, 2010 1:16 PM
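The procedure above, and the Kerberos check from the earlier trace post, as one worked example. This is an added script, not code from the thread or from the TechNet articles it links; it follows the same steps (SPNs on the Alternate Service Account, ASA credential on every CAS, service restarts, then the AD MA style connection to the array name) and adds the verification steps a practitioner would want before pointing the AD MA at the NLB URL. The array FQDN casarray.contoso.com, the account CONTOSO\svcexchapppool and the server names CAS1 and CAS2 are assumptions; run it from the Exchange Management Shell on Exchange 2010 SP1, in a maintenance window, with rights to write SPNs and WinRM enabled on the CAS servers.

```powershell
# Added example, not from the original thread. Kerberos-enable an Exchange 2010 SP1
# CAS array for the FIM AD MA RPS URI using the Alternate Service Account (ASA).
# Assumed names: array FQDN, ASA account, CAS server list. Adjust before running.
$ArrayFqdn  = 'casarray.contoso.com'     # NLB / CAS array name the AD MA will target (assumed)
$AsaAccount = 'CONTOSO\svcexchapppool'   # ASA: an ordinary AD account (assumed)
$AsaSam     = $AsaAccount.Split('\')[1]   # sAMAccountName for setspn
$Cas        = @('CAS1', 'CAS2')           # CAS servers behind the NLB (assumed)

# 1. SPNs for the array name go on the ASA, not on the machine accounts. A ticket for
#    http/casarray is then decryptable by whichever node NLB hands the session to.
$Spns = 'http', 'exchangeMDB', 'exchangeRFR', 'exchangeAB' | ForEach-Object { "$_/$ArrayFqdn" }
foreach ($spn in $Spns) {
    # setspn -S checks the forest for a duplicate before adding; a duplicate SPN is the
    # classic cause of the "Kerberos failure" export errors seen against the NLB name.
    & setspn.exe -S $spn $AsaSam
}
# Review what is registered: each SPN above should appear exactly once, on the ASA.
& setspn.exe -L $AsaSam

# 2. Push the same ASA credential to every CAS in the array and restart the services
#    that cache it. A node without the ASA cannot decrypt tickets issued for the array.
$Cred = Get-Credential $AsaAccount
foreach ($server in $Cas) {
    Set-ClientAccessServer -Identity $server -AlternateServiceAccountCredential $Cred
    Invoke-Command -ComputerName $server -ScriptBlock {
        iisreset /noforce
        Restart-Service MSExchangeAB, MSExchangeRPC
    }
}
# Confirm every node reports the ASA before touching the AD MA configuration.
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Select-Object Name, AlternateServiceAccountConfiguration

# 3. Verify from the FIM Synchronization Service host. This opens the same kind of
#    session the AD MA opens: HTTP, Kerberos, against the array name. If this fails
#    with an authentication error, the SPN or ASA step is wrong, not the MA.
$Uri     = "http://$ArrayFqdn/powershell"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $Uri -Authentication Kerberos
Invoke-Command -Session $Session -ScriptBlock { Get-ClientAccessServer | Select-Object Name }
Remove-PSSession $Session
```

The final New-PSSession call is the real test: it uses the Kerberos negotiation the WinRM client performs itself (the Authorization: Kerberos header in the trace earlier in the thread), so it succeeds or fails independently of the authentication methods shown as disabled on the /powershell virtual directory in IIS. Run it with the account the FIM Sync service runs as, since that is the identity whose ticket the CAS must be able to decrypt.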
  • Markus,

     

    if you're reading this: it would be good to have this procedure in a FIM installation manual,

    or at least a link to http://technet.microsoft.com/en-us/library/ff808313.aspx or http://technet.microsoft.com/en-us/library/ff808312.aspx 

    Wednesday, December 22, 2010 1:19 PM