Questions About SPNs When Enabling Kerberos in Exchange 2010
Hi all, I am in the midst of upgrading Exchange in my organization from 2003 to 2010. We are currently using ISA 2006 SP1 to protect OWA and to handle certificate-based authentication of ActiveSync devices (using Kerberos Constrained Delegation). We have a load-balanced CAS array set up, but of course, using KCD against the CAS array fails. Having read this ExTeam Blog post (http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx), my team and I have decided to put in place this recommended change (creating a computer account as the ASA) and will try to use the computer account as a source for KCD.

The question that I have is in regard to the SPNs to use. Externally the site is "webmail.company.com" and internally the CAS array is "excasarray.company.local", but our older Exchange infrastructure is using "webmail.company.local" and "email.company.local" for OWA (these are really just host records pointing to the IP of our main 2003 Front-End, exfe01.company.local). We have "webmail.company.local" and "webmail" set up as SPNs on my main and DR 2003 FE servers. I understand I will need to create SPNs for "excasarray.company.local" (which is where I will be having the new TMG servers sending ActiveSync requests), but what about "webmail" and "email"? I would like to update their A-records to point to "excasarray" when we're ready to deploy the CAS around the company, but should I add "webmail" and "email" as SPNs on the ASA computer object as well? These records would only be used by OWA, ECP, and likely EWS.

I ask because this TechNet article (http://technet.microsoft.com/en-us/library/ff808312.aspx) says not to use an existing SPN, but I don't understand why that would cause a problem if the current ISA server directs clients to the two 2003 FE servers (round-robin). I guess I just want to make sure that I have accounted for every SPN I need.
I'd like to think I would only need to set SPNs for "excasarray" and "autodiscover", but I just wanted to make sure about "webmail" and "email" before I put it in place. Thanks in advance!
June 21st, 2012 5:06pm

Are you sure? I can't find a warning saying not to use an existing SPN. Marking the replies that have answered the question may help others who have got the same or a similar question.
June 25th, 2012 4:39am

Hi Adele, Thanks for the reply. Yes, I'm sure it's in that article; look at the section labeled "Associating Service Principal Names with the Alternate Service Account Credential" in this article http://technet.microsoft.com/en-us/library/ff808312.aspx:

> Before you configure the SPNs, verify that the target SPNs aren't already configured on a different account in the forest. The ASA credential must be the only account in the forest with which these SPNs are associated. You can verify that no other account in the forest has the SPNs associated with it by running the setspn command with the q and f parameters from the command line. The following example shows how to run this command. The command should return nothing. If it returns a value, another account is already associated with the SPN you're thinking of using.

I understand that TechNet is supposed to be gospel when it comes to all things Microsoft, but I'm not getting why I can't have "webmail" set as an SPN on my ASA object and my old 2003 FEs at the same time. Yes, it would be set up on two separate infrastructures during co-existence, but the older ISA servers are looking to the 2003 FE servers (and authenticating to "webmail") and the TMGs will be looking to the 2010 servers (and authenticating to "excasarray"). Setting up "webmail" as an SPN on the ASA object will simply be there for "legacy" support for people who use OWA on-premises (and perhaps some programs which would be configured for that address to use EWS). As an aside, the autodiscover is pointing to "excasarray" as well, so most things Outlook would be connecting to "excasarray" to do their thing (OAB, MAPI, EWS, etc). Thanks again.
June 25th, 2012 9:29am

I doubt this is still relevant, but maybe it helps somebody else... You cannot have duplicate SPNs, period - this is not a limitation of Exchange but simply the way Kerberos works. It uses the SPNs in Active Directory to determine which account/computer to request a service ticket for. If you have the same SPN on two different entities it wouldn't know which one to use, and it would ultimately break Kerberos for both services. Clients are going to talk to one of the systems with one name (ISA/TMG, or Exchange 2010, or Exchange 2003), and whichever one they are talking to needs the SPN. In your case "webmail" would probably be on the Exchange 2010 servers/ASA, and they would redirect legacy clients to a different URL ('legacy'), and that would be on the old server.
August 15th, 2012 3:13pm

> I doubt this is still relevant, but maybe it helps somebody else... You cannot have duplicate SPNs, period - this is not a limitation of Exchange but simply the way Kerberos works. It uses the SPNs in Active Directory to determine which account/computer to request a service ticket for. If you have the same SPN on two different entities it wouldn't know which one to use, and it would ultimately break Kerberos for both services. Clients are going to talk to one of the systems with one name (ISA/TMG, or Exchange 2010, or Exchange 2003), and whichever one they are talking to needs the SPN. In your case "webmail" would probably be on the Exchange 2010 servers/ASA, and they would redirect legacy clients to a different URL ('legacy'), and that would be on the old server.

I guess this is where I am confused. We have an ISA 2006 server acting as the broker for ActiveSync from the outside. On the ISA server we have a server farm with two 2003 FEs in it. When we were setting this up we were told to create a webmail SPN for HTTP and w3svc on each front-end server. So http/webmail and w3svc/webmail are registered on both of them. Looking at the delegation tab of the ISA computer account I see that http/webmail and w3svc/webmail are on the list once each, along with each of the FEs (http/fe01, http/fe02, w3svc/fe01, w3svc/fe02). So was that incorrect? If so, where should these SPNs have been registered?
August 15th, 2012 4:55pm
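As an added example (not code from the thread, from Microsoft, or from the TechNet article quoted above), the following PowerShell script carries out the two checks the discussion turns on: the forest-wide "is this SPN already held by another account" check that TechNet describes with setspn -Q -F, applied to the SPNs planned for the ASA, and a walk of the ISA/TMG computer account's KCD target list (what the delegation tab shows) to flag any target SPN that is held by zero or by more than one account. The global catalog server name, the proxy computer account name and the SPN list are placeholder assumptions built from the names used in the thread; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example; not from the thread or from Microsoft's documentation.
# Assumptions (placeholders, adjust for your forest):
#   - the ActiveDirectory module is available and the caller can read AD
#   - a global catalog is reachable; querying port 3268 makes the lookup
#     forest-wide, which is what setspn -Q -F does from the command line
Import-Module ActiveDirectory

$GlobalCatalog = 'dc01.company.local:3268'   # placeholder GC, port 3268 = forest-wide search
$ProxyAccount  = 'ISA01$'                     # placeholder sAMAccountName of the ISA/TMG computer
$PlannedSpns   = @(                           # SPNs discussed in the thread, for the ASA object
    'http/excasarray.company.local',
    'http/webmail.company.local',
    'http/webmail',
    'http/email.company.local'
)

function Get-SpnHolders {
    param([Parameter(Mandatory)][string]$Spn)
    # Every object in the forest that carries this exact SPN.
    # Kerberos needs exactly one holder: with zero the KDC has no key to
    # encrypt a service ticket with, with two or more it cannot tell which
    # account's key to use, so authentication to that name breaks.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                 -Server $GlobalCatalog `
                 -Properties sAMAccountName, servicePrincipalName |
        Select-Object -ExpandProperty sAMAccountName
}

function Test-SpnUniqueness {
    param([Parameter(Mandatory)][string[]]$Spns)
    # Equivalent of running "setspn -Q -F <spn>" for each SPN and counting
    # the results; "setspn -X -F" reports all duplicates forest-wide in one go.
    foreach ($spn in $Spns) {
        $holders = @(Get-SpnHolders -Spn $spn)
        $status = switch ($holders.Count) {
            0       { 'MISSING   - no account holds it; Kerberos to this name will fail' }
            1       { 'OK        - single holder' }
            default { 'DUPLICATE - register it on one account only' }
        }
        [pscustomobject]@{
            SPN     = $spn
            Holders = ($holders -join ', ')
            Status  = $status
        }
    }
}

function Test-DelegationTargets {
    param([Parameter(Mandatory)][string]$ProxySamAccountName)
    # msDS-AllowedToDelegateTo is the attribute behind the "Delegation" tab
    # of the ISA/TMG computer account. Each entry is a target SPN; the
    # delegation only works if that SPN resolves to exactly one account.
    $proxy   = Get-ADComputer -Identity $ProxySamAccountName -Properties msDS-AllowedToDelegateTo
    $targets = @($proxy.'msDS-AllowedToDelegateTo')
    if ($targets.Count -eq 0) {
        Write-Warning "$ProxySamAccountName has no constrained-delegation targets configured."
        return
    }
    Test-SpnUniqueness -Spns $targets
}

"== SPNs planned for the ASA account =="
Test-SpnUniqueness -Spns $PlannedSpns | Format-Table -AutoSize

"== KCD targets listed on $ProxyAccount =="
Test-DelegationTargets -ProxySamAccountName $ProxyAccount | Format-Table -AutoSize
```

Run it before registering anything on the ASA object: a DUPLICATE row for http/webmail with both 2003 front-ends as holders is exactly the situation the thread describes, and adding the same SPN to the ASA would make it a three-way duplicate rather than fixing it. Once the SPN is moved to a single account (setspn -S refuses to add a duplicate, unlike setspn -A), re-run the script and confirm every row the delegation tab depends on reads OK.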

