Exchange 2013 kerberos Unable to run RollAlternateserviceAccountPassword.ps1

  • Question

  • I have 2 CAS servers and 4 mailbox servers in Exchange 2013. I want to use Kerberos. I created the ASA computer account.

    When I execute RollAlternateserviceAccountPassword.ps1 on the CAS server, I get this error for each server.

     Cannot process argument transformation on parameter 'Identity'. Cannot convert value "casserver1" to type
    "Microsoft.Exchange.Configuration.Tasks.ClientAccessServerIdParameter". Error: "Cannot convert hashtable to an object
    of the following type: Microsoft.Exchange.Configuration.Tasks.ClientAccessServerIdParameter. Hashtable-to-Object
    conversion is not supported in restricted language mode or a Data section."
        + CategoryInfo          : InvalidData: (:) [Get-ClientAccessServer], ParameterBindin...mationException
        + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-ClientAccessServer
        + PSComputerName        : casserver1.domain.com
    Thursday, March 13, 2014 6:48 PM

Answers

  • I do not believe that the Kerberos support for Exchange 2013 has been officially published right now.

    I did ask for this recently, and it will be out in the near future.  Until you see that please do not configure this in a production environment unless you have been told to do so via a support case etc.


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, March 15, 2014 12:26 AM

All replies

  • Hi,

    The error message shows that Hashtable-to-Object conversion is not supported in restricted language mode or a Data section. It seems that there is something wrong in your command. I recommend you review your command and check if there is something wrong in your command.

    Here is an article about using the RollAlternateserviceAccountPassword.ps1 Script in the Shell for your reference. Even though the article is for Exchange 2010, it also applies to Exchange 2013.

    Using the RollAlternateserviceAccountPassword.ps1 Script in the Shell
    http://technet.microsoft.com/en-us/library/ff808311(v=exchg.141).aspx

    Best regards,
    Belinda


    Belinda Ma
    TechNet Community Support

    Friday, March 14, 2014 7:26 AM
  • I used this one 

    .\RollAlternateserviceAccountPassword.ps1 -ToEntireForest -GenerateNewPasswordFor "Contoso\ComputerAccount$" -Verbose


    Friday, March 14, 2014 11:30 AM
  • Kerberos is supported from CU1.

    In SP1 there is a bug with RollAlternateserviceAccountPassword.ps1

    Workaround:

    1. Line 349:

              Invoke-Command `
                  -Session $session `
                  -Arg @($_.Identity, $retrievePasswords, $InnerVerbose) `
                  -ScriptBlock $getCas `
                  -ErrorAction $errorAction

    with

              Invoke-Command `
                  -Session $session `
                  -Arg @($_.Identity.Name, $retrievePasswords, $InnerVerbose) `
                  -ScriptBlock $getCas `
                  -ErrorAction $errorAction

    2. Line 866

            Invoke-Command `
              -Session $session `
              -Arg ($server.Identity, $credentialsToSetToCas, $removeAllExistingCredentials, $WhatIfPreference, $InnerVerbose) `
              -ScriptBlock {
                param($serverId, $creds, $shouldRemoveAll, $whatIf, $verbose)
                Set-ClientAccessServer $serverId `
                  -RemoveAlternateServiceAccountCredentials:$shouldRemoveAll `
                  -CleanUpInvalidAlternateServiceAccountCredentials:(-not $shouldRemoveAll) `
                  -AlternateServiceAccountCredential $creds `
                  -Verbose:$verbose `
                  -WhatIf:$whatIf }

    with

            Invoke-Command `
              -Session $session `
              -Arg ($server.Identity.Name, $credentialsToSetToCas, $removeAllExistingCredentials, $WhatIfPreference, $InnerVerbose) `
              -ScriptBlock {
                param($serverId, $creds, $shouldRemoveAll, $whatIf, $verbose)
                Set-ClientAccessServer $serverId `
                  -RemoveAlternateServiceAccountCredentials:$shouldRemoveAll `
                  -CleanUpInvalidAlternateServiceAccountCredentials:(-not $shouldRemoveAll) `
                  -AlternateServiceAccountCredential $creds `
                  -Verbose:$verbose `
                  -WhatIf:$whatIf }

    (Replace Identity with Identity.Name)


    Сазонов Илья http://isazonov.wordpress.com/

    Friday, April 18, 2014 10:38 AM
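
The workaround in the post above, applied to a copy of the script instead of by hand. This is an added example, not part of the original post or of the Exchange script; the parameter names `Path` and `OutPath` and the `.patched.ps1` suffix are assumptions made for illustration.

```powershell
# Added example: apply the "Identity -> Identity.Name" edit described in the post
# to a COPY of RollAlternateserviceAccountPassword.ps1. The original file is not modified.
param(
    # Full path to the SP1 copy of the script (supplied by the operator).
    [Parameter(Mandatory = $true)][string]$Path,
    # Where the edited copy is written (hypothetical default name).
    [string]$OutPath = ($Path -replace '\.ps1$', '.patched.ps1')
)

$lines = @(Get-Content -LiteralPath $Path)

# Match only the -Arg lines that pass the server Identity object as the first
# remoting argument: "-Arg @($_.Identity," and "-Arg ($server.Identity,".
# A line already reading ".Identity.Name," does not match, so re-running is harmless.
$pattern = '^(\s*-Arg\s+@?\(\s*\$(?:_|server)\.Identity)(\s*,)'

$changed = @()
$patched = for ($i = 0; $i -lt $lines.Count; $i++) {
    $line = $lines[$i]
    if ($line -match $pattern) {
        $changed += ($i + 1)
        $line -replace $pattern, '$1.Name$2'
    }
    else {
        $line
    }
}

# The post lists two call sites; anything else means this is a different
# build of the script and the result needs a manual review.
if ($changed.Count -ne 2) {
    Write-Warning "Expected 2 matching -Arg lines, found $($changed.Count). Review before use."
}

Set-Content -LiteralPath $OutPath -Value $patched -Encoding UTF8
"Edited lines: $($changed -join ', ')"

# Editing a signed script invalidates its Authenticode signature, so report the
# status of the copy; whether it still runs depends on the execution policy.
"Signature status of copy: $((Get-AuthenticodeSignature -FilePath $OutPath).Status)"
```

Compare the copy against the original before running it, and go back to the shipped script once a build containing the fix is installed.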
  • I didn't say it wasn't supported :)   Just that the documentation around this is not complete.

    Adding the below as the search engines will inevitably pick this up as there is minimal Kerberos guidance for 2013 right now.

    For example, you have CAS only servers and that hits a problem right now...

    What if there are also legacy Exchange servers in the environment?  How should you move the SPNs over from the Exchange 2010 CAS array - if you upgraded to 2013 from 2010 what did you do with the ASA?  Was that removed? Was it left hanging?  That's why we need a bit more guidance on the subject.

    Other issues to think about--

    Do you also have legacy PFs still in the org - if so then CU5 might add some work on that to assist.

    A blog post is in progress to discuss this, and the MAPI/HTTP feature.

    Brian Day discusses this in his MEC 2014 recording http://blogs.technet.com/b/rmilne/archive/2014/05/02/mec-2014-content-available.aspx#comments


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Monday, May 5, 2014 2:40 PM
  • RollAlternateServiceAccountPassword.ps1 bug fixed in CU6

    Kerberos configuration is now documented http://technet.microsoft.com/en-us/library/ff808312(v=exchg.150).aspx


    Сазонов Илья http://isazonov.wordpress.com/

    Wednesday, October 15, 2014 6:52 AM