Exchange 2010 RPS URI and NLB
Hi, I didn't find an answer for this question (question one): is it supported to point the AD MA to the NLB name of Exchange 2010 CAS servers? Well... the question is caused by the fact that it just doesn't work with the cluster NLB name and works with any of the cluster nodes. http://server1/powershell as RPS URI works fine, while http://clustername/powershell raises export errors with claims of Kerberos failures and so on... The interesting part here is that the /powershell virtual directory in IIS on both nodes is set up with all authentication methods disabled. And here goes question two: how does it work then? I can't find any Kerberos tokens on a client and all authentication methods are disabled in IIS on the CAS.
December 21st, 2010 7:38am

hm... Kerberos definitely does its job:

    POST /powershell?PSVersion=2.0 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/soap+xml;charset=UTF-8
    Authorization: Kerberos
    User-Agent: Microsoft WinRM Client
    Content-Length: 0
    Host:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/7.5
    WWW-Authenticate: Kerberos YIGYBgkqhkiG

So, an SPN for the app pool account might do the trick. Still curious what's happening with the auth methods in IIS.
December 21st, 2010 8:49am

OK, after an hour of struggle with the Exchange PowerShell app pool running under a domain account instead of Local System, our admins refused to have this in production, as just adding useAppPoolCredentials for defaultsite/powershell and the SPN breaks the whole thing, including EMC. Has anyone had luck running WinRM/PowerShell on Exchange CAS servers under a domain account (seems like a question for the Exchange forum)? Otherwise having just one node in the Exchange 2010 RPS URI doesn't look like a fault-tolerant solution to me...
December 21st, 2010 10:21am

Evgeniy, your Exchange admins are right: changing the application pool identity in IIS for Exchange 20xx is madness. I did it in a lab once for fun; it's doable if you only have 2 HUB/CAS in an NLB setup, if you have CAS redirection and so on... As it involves more than just using an app pool identity, you have to grant that account some specific rights. Plus it's not supported. So full stop here! However, check http://setspn.blogspot.com/2010/08/exchange-2010-enable-kerberos-on-cas.html

And as far as I am concerned: with Exchange 2010 SP1, you can Kerberos-enable your CAS array properly when following these instructions: http://technet.microsoft.com/en-us/library/ff808313.aspx which refers to: http://technet.microsoft.com/en-us/library/ff808312.aspx

Remember: I think using the above procedure is only supported on Exchange 2010 SP1 and onwards! Happy Kerberizing!

Regards, Thomas http://setspn.blogspot.com
December 21st, 2010 1:55pm

Thomas, I knew you couldn't just miss this thread :D I'll try with other SPNs, not only HTTP, and come back, 'cause this question IMNSHO _must_ be in the FIM docs; otherwise MS should provide another solution for the AD MA and user provisioning with Exchange 2010 CAS in NLB. The original idea we tried was leaving NTLM for MDB and AB while enabling Kerberos only for /powershell (so it would not affect all users), and finally we got AB, OWA and other stuff working with NTLM and /powershell running Kerberos with its own app pool. The downside was that authentication worked fine, even Kerberos, but the server started to show 50x errors for /powershell and EMC stopped working :)
December 22nd, 2010 2:27am

Evgeniy, I would really not touch the IIS stuff from Exchange. It will break things and will get you into an unsupported configuration. But I agree it's really not "enterprise" if you can't provision towards an NLB URL. In my current project we are pointing to a single node, knowing that we will enter production in two months. This will allow us to upgrade Exchange 2010 to SP1 and implement the supported way to talk Kerberos to the NLB URL.

Out of the box, remote PowerShelling only:
- works when targeting HTTP => HTTPS will not work
- works when authenticating using Kerberos => means you have to use a hostname of a CAS server

I agree it should be in the FIM docs, at least as a side note. Perhaps an alternative is to write a wiki page about this.

P.S. What Exchange version do you have? I guess not SP1?

Regards, Thomas http://setspn.blogspot.com
December 22nd, 2010 3:04am

I don't really understand why it will break CAS. We have Exchange 2010 SP1 in place, 2 nodes in NLB for every array... why not try to enable Kerberos? And as for PowerShell/WinRM and Kerberos: I saw network traces and it looks like it uses its own Kerberos auth dialog, not IIS.
December 22nd, 2010 3:18am

If you have Exchange 2010 SP1 in place, it's easy, follow the TechNet docs! Basically:
- create an AD user
- set the required SPNs on it
- run the configuration script on Exchange: http://technet.microsoft.com/en-us/library/ff808311.aspx
Done :) But in no way do you have to touch the IIS configuration.

http://setspn.blogspot.com
December 22nd, 2010 3:28am

Fortunately the NLB name works fine for the FIM Service with NTLM. I just changed the server name in Microsoft.ResourceManagement.Service.exe.config and it works....
December 22nd, 2010 6:17am

True, that's a whole other communication flow. That's the FIM Service accessing its mailbox through "/ews". It's "/powershell" which requires Kerberos...

Regards, Thomas http://setspn.blogspot.com
December 22nd, 2010 6:33am

Yep, in fact I had expected that EWS could also require Kerberos, but it's happy with NTLM (FIM Service). The odd thing was that it will not work if the FIM Service is set up to use EWS from Exchange 2010 and the FIM mailbox is still on Exchange 2007.
December 22nd, 2010 6:38am

So what about the /powershell URL, did it work by following the guide I referenced?

http://setspn.blogspot.com
December 22nd, 2010 6:39am

Still waiting for a maintenance window to change the app pool ID.
December 22nd, 2010 6:41am

OK, followed your instructions and it works.

1. Create an account (not sure whether it needs the 'Generate security audits' permission, but I have granted it).
2. Set up SPNs for HTTP, exchangeMDB, exchangeRFR, exchangeAB/<cluster FQDN name>.
3. On every CAS in the array:

    $cred = Get-Credential "contoso\svcexchapppool"
    Set-ClientAccessServer -Identity CASserver -AlternateServiceAccountCredential $cred
    iisreset
    Restart-Service MSExchangeAB
    Restart-Service MSExchangeRPC

4. Set up the AD MA with RPS URI: http://<cluster FQDN name>/powershell

PS: didn't use the script.

Thomas, I really appreciate your help here. I think our Exchange admins now owe you a grand or two :) 'cause in case it would not work they'd have to check every new user account for a mailbox manually :D
December 22nd, 2010 8:20am
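An added validation script (not from this thread or from Microsoft) that checks the outcome of the procedure above: the four SPNs on the array name, the alternate service account on each CAS, and a Kerberos remote PowerShell session against the NLB name the way the AD MA opens it. The array FQDN, the server names and the `AlternateServiceAccountConfiguration` property name are assumptions to adjust for your environment.

```powershell
# Added example, not the thread's own code. Run from an Exchange 2010 SP1 Management Shell.
param(
    [string]$CasArrayFqdn = 'casarray.contoso.example',      # placeholder array / NLB FQDN
    [string]$AsaAccount   = 'contoso\svcexchapppool',         # account name used in the thread
    [string[]]$CasServers = @('CAS01', 'CAS02')               # placeholder node names
)

function Test-ExchangeRpsKerberos {
    param([string]$Fqdn, [string]$Account, [string[]]$Servers)
    $result = @{ SpnMissing = @(); AsaNotSet = @(); SessionOk = $false }

    # 1. Each SPN from the thread must already exist on some account (setspn -Q).
    foreach ($svc in 'HTTP', 'exchangeMDB', 'exchangeRFR', 'exchangeAB') {
        $spn = "$svc/$Fqdn"
        $out = & setspn.exe -Q $spn 2>&1
        if (-not ($out -match 'Existing SPN found')) { $result.SpnMissing += $spn }
    }
    # A duplicate SPN anywhere in the forest makes Kerberos fail silently; -X lists them.
    $result.DuplicateReport = (& setspn.exe -X 2>&1) -join "`n"

    # 2. Every CAS in the array must carry the alternate service account.
    foreach ($srv in $Servers) {
        $cas = Get-ClientAccessServer -Identity $srv -IncludeAlternateServiceAccountCredentialStatus
        # Property name assumed from the SP1 cmdlet output; verify with Format-List on one server.
        $asa = $cas.AlternateServiceAccountConfiguration
        $sam = $Account.Split('\')[-1]
        if (-not $asa -or ($asa.ToString() -notmatch [regex]::Escape($sam))) {
            $result.AsaNotSet += $srv
        }
    }

    # 3. Open a session against the NLB name exactly as the AD MA does: HTTP, Kerberos,
    #    the Microsoft.Exchange endpoint. Success here means the RPS URI is usable.
    try {
        $s = New-PSSession -ConfigurationName Microsoft.Exchange `
                           -ConnectionUri "http://$Fqdn/powershell" `
                           -Authentication Kerberos -ErrorAction Stop
        $result.SessionOk = $true
        Remove-PSSession $s
    } catch {
        $result.SessionError = $_.Exception.Message
    }
    return $result
}

Test-ExchangeRpsKerberos -Fqdn $CasArrayFqdn -Account $AsaAccount -Servers $CasServers | Format-List
```

An empty `SpnMissing` and `AsaNotSet` together with `SessionOk = True` is the state the thread ends in; a populated `DuplicateReport` is the first thing to look at when the session step fails with a Kerberos error.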

Markus, if you're reading this: it would be good to have this procedure in a FIM installation manual, or at least a link to http://technet.microsoft.com/en-us/library/ff808313.aspx or http://technet.microsoft.com/en-us/library/ff808312.aspx
December 22nd, 2010 8:23am
