UAG 2010 and Exchange 2010: KCD Problems

  • Question

  • Hi,

    Just deployed UAG 2010 with a dedicated trunk for Exchange 2010 and having some problems.

    I cannot seem to get Outlook Anywhere working and get 401 errors in the CAS IIS logs when trying to use KCD.

    On UAG I see event logs for “KCD Protocol Transition Success” and “Application Started” so it looks like UAG is auth’ing the user OK and getting a ticket from the KDC OK.

    All hosts are configured for delegation in AD, as per normal. CAS servers are using native internal FQDNs as http SPNs and UAG configured to use http/* as using a web farm. CAS servers defined in UAG as internal FQDNs to match SPNs.

    I have used ISA with KCD and Exchange 2007 for quite a few customers now, so I know the concept works and I am used to the usual KCD problems.

    Having configured Kerberos logging on all hosts, I don’t see anything obvious.

    If I run the Outlook Anywhere test from www.testexchangeconnectivity.com I get this weird error “anonymous authentication did not fail, but anonymous is not a configured authentication method”.

    Currently, OWA, Autodiscover and ActiveSync are working but these all use Basic/NTLM delegation not KCD.

    The problem appears to be KCD specific, because if I configure OWA to use KCD, this fails too :(

    Any ideas or advice?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, March 24, 2010 8:45 PM

Answers

  • I used NTLM and get the same error too ;)

    Think this must be a false positive - are you using HTTP to HTTPS redirect trunks too?


    Jason Jones | Forefront MVP | Silversands Ltd
    • Marked as answer by Erez Benari Wednesday, March 31, 2010 7:04 PM
    Friday, March 26, 2010 3:56 PM

All replies

  • Problem solved...
    Jason Jones | Forefront MVP | Silversands Ltd
    Thursday, March 25, 2010 12:48 PM
  • Hi,

    Using the exchange connectivity test site I'm getting the same error. Could you please share the solution?

    Thanks.

    Thursday, March 25, 2010 3:48 PM
  • That error isn't fixed, but I now have a working Outlook Anywhere connection with KCD.

    I assume I am getting the error because I have a HTTP to HTTPS trunk which allows anonymous connections...not 100% sure though...

    I don't get the above error if I use the test tool against ISA running NTLM auth combined with KCD, but ISA does HTTP/HTTPS redirects differently I think :(

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Thursday, March 25, 2010 5:57 PM
  • Ok, thanks for your answer.

    It seems the testconnectivity site returns the error when anonymous authentication is used for the autodiscover path. We use basic authentication and got the same error, when using ISA it indeed returns no errors.

    Friday, March 26, 2010 9:42 AM
  • Think you're right, I'm using an http to https redirect for autodiscover....(anonymous => basic)
    Monday, March 29, 2010 7:55 AM
  • Hi Jason,

    sorry to resurrect an old(er) thread here, but I am curious to know if you got KCD working with Outlook Anywhere / Exchange 2010 through UAG ?

    I am currently porting a TMG setup to UAG, and while KCD works fine with Outlook Anywhere on the TMG setup, it absolutely refuses to work using UAG.

    Have got OWA, ActiveSync and Autodiscover working fine (using Basic auth), but no go on the Kerberos Constrained Delegation.

    Have double-checked SPNs as well. Currently using internal certs, so unable to test using testexchangeconnectivity.com...

    Any hints much appreciated..

    Regards,

    Lars

    Tuesday, June 29, 2010 9:27 PM
  • Yep, all working really well (was at the customer in question today in fact!)

    You have modified the delegation in AD for the UAG computer objects - yes?

    Setup of KCD in UAG was very similar to TMG for me...

    Are you using a farm? Did you define the web servers using FQDNs?

    What do you get in Web Monitor when KCD is enabled? Enable Kerberos logging on UAG and CAS servers and provide any errors you see...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, June 29, 2010 11:40 PM
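The AD checks the reply above asks about (delegation on the UAG computer object, FQDN-based http SPNs on the CAS servers) can be scripted. This is an added example, not from the thread or from the UAG product; it assumes the ActiveDirectory module (RSAT) is installed and uses placeholder names for the UAG computer account and the CAS FQDNs.

```powershell
# Added example: verify the KCD prerequisites discussed in the thread.
# $UagComputer and $CasServers are placeholders; replace with your own values.
param(
    [string]$UagComputer = 'UAG01',
    [string[]]$CasServers = @('cas01.corp.example', 'cas02.corp.example')
)
Import-Module ActiveDirectory

# 1. Each CAS FQDN must be registered as an http SPN on exactly one account.
#    Zero owners means no Kerberos ticket can be issued for it; two owners is
#    a duplicate SPN and the KDC will refuse to issue a ticket (classic KCD failure).
foreach ($fqdn in $CasServers) {
    $spn    = "http/$fqdn"
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered on any account" }
        1       { "$spn -> $($owners[0].Name)" }
        default { Write-Warning "$spn is DUPLICATED on: $($owners.Name -join ', ')" }
    }
}

# 2. The UAG computer object must be trusted for constrained delegation to those
#    SPNs, with protocol transition ('Use any authentication protocol'), because
#    UAG authenticates the user itself and then requests a Kerberos ticket on
#    the user's behalf (the 'KCD Protocol Transition Success' event in the post).
$uag = Get-ADComputer $UagComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
if (-not $uag.TrustedToAuthForDelegation) {
    Write-Warning "$UagComputer is not set to 'Use any authentication protocol' (protocol transition)"
}
$allowed = @($uag.'msDS-AllowedToDelegateTo')
foreach ($fqdn in $CasServers) {
    $spn = "http/$fqdn"
    if ($allowed -contains $spn) { "$UagComputer may delegate to $spn" }
    else { Write-Warning "$UagComputer is NOT allowed to delegate to $spn (add it on the Delegation tab)" }
}
```

The SPN strings compared in step 2 must match the form UAG actually requests, i.e. http/ followed by the same FQDN that is defined in the trunk's web server list.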
  • Hi again,

    some more info.. have been throwing some switches to see if I could get it working.

    Delegation has been adjusted (basically delegated UAG computer account permissions for same SPNs on Exchange as were delegated for the TMG server) - and AutoDiscover also works using KCD now ... (switched it around from basic auth)

    Not using a farm - single Exchange 2010 box, defined using FQDN in the 'web servers' list.

    Autodiscover can now complete, and the XML it returns shows all the right settings, but after completing Outlook is unable to connect to Exchange through UAG.

    Now, off the top of my head - the certificate currently used is an internal one, and does not have a resolvable path defined for CRL retrieval - The OWA publishing pops up a box about this asking if you want to continue anyhow - but could this be what is throwing Outlook Anywhere?

    / Lars

    Wednesday, June 30, 2010 11:03 AM
  • I would always use a public cert and would also strongly recommend it ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, June 30, 2010 11:51 AM
  • Hi again.

    Well, had I used a public cert I probably wouldn't have run into this particular issue. Got it fixed earlier today.

    Turns out that the missing HTTP CRL Distribution Point in the certificate was the problem. Here's what I did:

    1. Changed configuration on the CA, adding an externally resolvable HTTP to the CDPs listed in issued certificates.

    2. Published this external URL using TMG (could do it through UAG as well :-)). Verified it was accessible using the external URL listed as CDP.

    3. Issued new certificate for Exchange publishing - using exactly same CN and SANs as the original certificate, however the new cert now has a valid and accessible HTTP CDP listed.

    4. Assigned cert to Exchange IIS services (not strictly necessary, but for the sake of consistency)

    5. Imported cert to UAG and assigned cert to trunk instead of old cert which was missing HTTP CDP.

    Bingo ... Now Outlook Anywhere using KCD works like it should. Apparently, UAG is a lot more specific with the certificate details - which is a good thing.

    Thanks for the assistance ... now off to move SharePoint publishing to UAG :-)

    Regards,
    Lars

    Wednesday, June 30, 2010 9:10 PM
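The condition Lars's five steps restore, a trunk certificate whose CRL Distribution Point is an HTTP URL that actually resolves and serves a CRL, can be checked before the certificate is assigned to the trunk. This is an added example, not part of the thread or of UAG; it assumes the certificate is in the LocalMachine\My store and takes its thumbprint as a placeholder parameter.

```powershell
# Added example: confirm a certificate has a reachable HTTP CDP, the detail
# that broke Outlook Anywhere through UAG in the thread. $Thumbprint is a placeholder.
param([string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT')

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# The CRL Distribution Points extension has OID 2.5.29.31. Format($true) renders
# it as multi-line text containing 'URL=...' entries, one per distribution point.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning 'Certificate carries no CDP extension at all'; return }

$urls     = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
$httpUrls = @($urls | Where-Object { $_ -like 'http://*' })
if ($httpUrls.Count -eq 0) {
    # LDAP-only or file-share CDPs are exactly the case Lars hit: the CA was
    # internal and published no externally resolvable HTTP path.
    Write-Warning "No HTTP CDP present; found only: $($urls -join ', ')"
    return
}

foreach ($u in $httpUrls) {
    $hostName = ([uri]$u).Host
    try   { $null = [System.Net.Dns]::GetHostAddresses($hostName); $dns = 'OK' }
    catch { $dns = "FAIL ($($_.Exception.Message))" }
    try {
        # A good CDP answers 200 with a DER/PEM CRL body; a redirect to a logon
        # page or a 404 means revocation checking on the consumer will fail.
        $resp = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        $http = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
    } catch { $http = "FAIL ($($_.Exception.Message))" }
    "{0}`n  DNS:   {1}`n  Fetch: {2}" -f $u, $dns, $http
}
```

Run it from the UAG host itself (or from outside the network, for the external name), since that is the vantage point from which the CDP must be reachable; `certutil -verify -urlfetch <file.cer>` performs the same retrieval using the Windows chain engine.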
  • Using the TMG publishing features on a UAG deployment is possible, but not supported...this may or may not bother you...

    Using a public CA issued cert is the "proper" answer ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, July 2, 2010 12:10 PM
  • Not using the TMG bits on the UAG box - I know full well that's a no go - but using the TMG which is in the environment doing firewall duty.

    And again - fully agree on the public certificate

    Regards,

    Lars

    Sunday, July 18, 2010 6:22 PM