Exchange 2010 RPS URI and NLB
Hi,
Didn't find an answer to this question (question one): is it supported to point the AD MA to the NLB name of Exchange 2010 CAS servers?
Well... the question is caused by the fact that it just doesn't work with the cluster NLB name and works with any of the cluster nodes.
http://server1/powershell as RPS URI works fine, while http://clustername/powershell raises export errors complaining about Kerberos failures and so on...
The interesting part here is that the /powershell virtual directory in IIS on both nodes is set up with all authentication methods disabled.
And here goes question two: how does it work then? I can't find any Kerberos tokens on the client, and all authentication methods are disabled in IIS on the CAS.
December 21st, 2010 7:38am
hm... kerberos definitely does its job
POST /powershell?PSVersion=2.0 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/soap+xml;charset=UTF-8
Authorization: Kerberos
User-Agent: Microsoft WinRM Client
Content-Length: 0
Host:
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
WWW-Authenticate: Kerberos YIGYBgkqhkiG
so, an SPN for the app pool account might do the trick. Still curious what's happening with the auth methods on IIS.
December 21st, 2010 8:49am
ok, after an hour of struggling to get the Exchange PowerShell app pool running under a domain account instead of Local System, our admins refused to have this in production, as just adding useAppPoolCredentials for defaultsite/powershell plus an SPN breaks the whole thing, including EMC.
Has anyone had luck running WinRM/PowerShell on Exchange CAS servers under a domain account (seems like a question for the Exchange forum)?
Otherwise, having just 1 node in the Exch10 RPS URI doesn't look like a fault-tolerant solution to me...
December 21st, 2010 10:21am
Evgeniy,
Your Exchange admins are right: changing the application pool identity in IIS for Exchange 20xx is madness. I did it in a lab once for fun; it's doable if you only have 2 HUB/CAS in an NLB setup, but if you have CAS redirection and so on... it involves more than just using an app pool identity. You have to grant that account some specific rights.
+ It's not supported. So full stop here!
However, check
http://setspn.blogspot.com/2010/08/exchange-2010-enable-kerberos-on-cas.html
And as far as I am concerned: with Exchange 2010 SP1, you can Kerberos-enable your CAS array properly by following these instructions:
http://technet.microsoft.com/en-us/library/ff808313.aspx
Which refers to:
http://technet.microsoft.com/en-us/library/ff808312.aspx
Remember: I think using the above procedure is only supported on Exchange 2010 SP1 and onwards!
Happy Kerberizing!
Regards,
Thomas
http://setspn.blogspot.com
December 21st, 2010 1:55pm
Thomas, I knew you couldn't miss this thread :D
I'll try with other SPNs, not only HTTP, and come back. 'cause this question IMNSHO _must_ be in the FIM docs; otherwise MS should provide another solution for the AD MA and user provisioning with Exch 10 CAS in NLB.
The original idea we tried was leaving NTLM for MDB and AB while enabling Kerberos only for /powershell (so it would not affect all users),
and finally we got AB, OWA and the other stuff working with NTLM and /powershell running Kerberos with its own app pool.
The downside was that authentication worked fine, even Kerberos, but the server started to show 50x errors for /powershell and EMC stopped working :)
December 22nd, 2010 2:27am
Evgeniy,
I would really not touch the IIS stuff from Exchange. It will break things and will get you into an unsupported configuration.
But I agree it's really not "enterprise" if you can't provision towards an NLB URL. In my current project we are pointing to a single node, knowing that we will enter production in two months. This will allow us to upgrade Exchange 2010 to SP1 and implement the supported way to talk Kerberos to the NLB URL.
Out of the box, remote PowerShelling only:
- Works when targeting HTTP => HTTPS will not work
- Works when authenticating using Kerberos => means you have to use the hostname of a CAS server
I agree it should be in the FIM docs, at least as a side note. Perhaps an alternative is to write a wiki page about this.
P.S. what exchange version do you have? I guess not SP1?
Regards,
Thomas
http://setspn.blogspot.com
December 22nd, 2010 3:04am
I don't really understand why it will break CAS.
We have Exch10 SP1 in place, 2 nodes in NLB for every array... why not try to enable Kerberos?
And as for PowerShell/WinRM and Kerberos: I saw network traces and it looks like it uses its own Kerberos auth dialog, not IIS.
December 22nd, 2010 3:18am
If you have Exchange 2010 SP1 in place, it's easy, follow the Technet Docs!
Basically:
1. Create an AD user
2. Set the required SPNs on it
3. Run the configuration script on Exchange:
http://technet.microsoft.com/en-us/library/ff808311.aspx
Done :)
But in no way do you have to touch the IIS configuration.
http://setspn.blogspot.com
December 22nd, 2010 3:28am
Fortunately the NLB name works fine for the FIM Service with NTLM.
Just changed the server name in Microsoft.ResourceManagement.Service.exe.config and it works....
December 22nd, 2010 6:17am
True,
That's a whole other communication flow. That's the FIM Service accessing its mailbox through "/ews".
It's the "/powershell" which requires Kerberos...
Regards,
Thomas
http://setspn.blogspot.com
December 22nd, 2010 6:33am
Yep, in fact I had expected that EWS could also require Kerberos, but it's happy with NTLM (FIM Service).
The odd thing was that it will not work if the FIM Service is set up to use EWS from Exch10 and the FIM mailbox is still on Exch2007.
December 22nd, 2010 6:38am
So what about the /powershell URL, did it work by following the guide I referenced?
http://setspn.blogspot.com
December 22nd, 2010 6:39am
still waiting for a maintenance window to change app pool id
December 22nd, 2010 6:41am
ok, followed your instructions and it works.
1. create an account (not sure whether it needs the 'Generate security audits' permission, but I have granted it)
2. set up SPNs for HTTP, exchangeMDB, exchangeRFR, exchangeAB/<cluster FQDN name>
3. on every CAS in the array:
$cred = get-credential "contoso\svcexchapppool"
Set-clientaccessserver -Identity CASserver -AlternateServiceAccountCredential $cred
iisreset
restart-service MSexchangeAB
restart-service MSexchangeRPC
4. set up the AD MA RPS URI: http://<cluster FQDN name>/powershell
PS: didn't use the script.
Thomas, I really appreciate your help here. I think our Exchange admins now owe you a grand or two :) 'cause in case it does not work they'll have to check every new user account for a mailbox manually :D
December 22nd, 2010 8:20am
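A way to script and verify the four steps in the post above, as an added example that is not from the thread or from Microsoft. It assumes the Exchange 2010 SP1 Management Shell with PowerShell remoting to each CAS; the array FQDN and account name are constructed placeholders.

```powershell
# Added example, not from the thread: apply and verify the CAS-array alternate service account
# (ASA) setup described above. Assumptions: Exchange 2010 SP1 Management Shell, remoting to each
# CAS enabled, setspn.exe available; $ArrayFqdn and $AsaAccount are constructed placeholders.
param(
    [string]$ArrayFqdn  = "casarray.contoso.local",  # placeholder: your CAS array FQDN
    [string]$AsaAccount = "contoso\svcexchapppool"   # placeholder: the ASA domain account
)
$ErrorActionPreference = "Stop"

# The four SPN classes the post registers against the array name.
$spns = "http", "exchangeMDB", "exchangeRFR", "exchangeAB" | ForEach-Object { "$_/$ArrayFqdn" }

# 1. Each SPN must resolve to exactly one account. A duplicate (e.g. left over from an earlier
#    app-pool experiment) makes the KDC encrypt tickets for the wrong account and Kerberos fails.
foreach ($spn in $spns) {
    $owners = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
    if ($owners.Count -gt 1) {
        throw "SPN $spn is registered on $($owners.Count) accounts; remove the duplicates first"
    }
}

# 2. Register the SPNs on the ASA account. setspn -S aborts instead of adding a duplicate,
#    so re-running this block is harmless.
$sam = $AsaAccount.Split('\')[-1]
foreach ($spn in $spns) { setspn -S $spn $sam | Out-Null }

# 3. Push the same credential to every member of the array and restart the services the post
#    lists, so each node picks up the new identity (the post does this by hand per node).
$cred  = Get-Credential $AsaAccount
$array = Get-ClientAccessArray | Where-Object { $_.Fqdn -eq $ArrayFqdn }
if (-not $array) { throw "No CAS array with FQDN $ArrayFqdn" }
$memberNames = $array.Members | ForEach-Object { $_.Name }
foreach ($name in $memberNames) {
    Set-ClientAccessServer -Identity $name -AlternateServiceAccountCredential $cred
    Invoke-Command -ComputerName $name -ScriptBlock {
        iisreset | Out-Null
        Restart-Service MSExchangeAB, MSExchangeRPC
    }
}

# 4. Verify: every member should now report the ASA. A node with an empty
#    AlternateServiceAccountConfiguration will still fail Kerberos when reached via the array name.
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Where-Object { $memberNames -contains $_.Name } |
    Select-Object Name, AlternateServiceAccountConfiguration
```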
Markus,
if you're reading this: it would be good to have this procedure in a FIM installation manual,
or at least a link to http://technet.microsoft.com/en-us/library/ff808313.aspx or http://technet.microsoft.com/en-us/library/ff808312.aspx
December 22nd, 2010 8:23am