Unable to register SPN for OWA running in an NLB configuration
We have OWA running in an NLB configuration. Everything appears to be working fine except that Entourage clients cannot use Kerberos to authenticate. After some troubleshooting it appeared that they were trying to locate the SPN for HTTP/owaURL.domain.tld and not finding it. So, following the advice in this article: http://support.microsoft.com/default.aspx/kb/929650 Scenario 3, I tried to register the SPN. However, that didn't work because MSExchangeOWAAppPool was running under Local System. So I switched it to use a domain user account. After that OWA stopped working with the error: "Microsoft Exchange Active Directory Topology Service cannot be contacted via RPC interface, error 0x5." Which led me to this article http://technet.microsoft.com/en-us/library/dd577063.aspx , which seems to indicate that you have to run the OWA application pool as Local System. So it seems like I'm stuck in a catch-22 situation. Is there something obvious that I have overlooked? Thanks.
October 7th, 2009 3:38pm
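The lookup the client is doing, as an added example that is not part of the thread: the script below asks Active Directory which account (if any) holds HTTP/owaURL.domain.tld, which is exactly the question the KDC answers with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN when nothing holds it, and then checks each NLB member's computer account, since an application pool running as Local System presents its computer account's credentials. The OWA host name and CAS server names are placeholders (assumptions, not from the thread); it runs on any domain-joined Windows host with PowerShell and no extra modules.

```powershell
# Added example (not from the original post). Finds the holder of the HTTP SPN
# that Entourage requests, flags duplicates, and reports which NLB members'
# computer accounts carry it. Host and server names are placeholders.
param(
    [string]$OwaHost = "owaURL.domain.tld",        # assumption: NLB name clients use
    [string[]]$CasServers = @("CAS01", "CAS02")    # assumption: NLB member names
)

$spn = "HTTP/$OwaHost"

# Search the whole domain for the SPN (same question the KDC asks).
$root = [ADSI]"LDAP://RootDSE"
$domainRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
$searcher.Filter = "(servicePrincipalName=$spn)"
$searcher.PropertiesToLoad.AddRange(@("samaccountname", "objectclass"))
$holders = $searcher.FindAll()

switch ($holders.Count) {
    0 {
        Write-Host "No account holds $spn."
        Write-Host "The KDC has nothing to issue a ticket for: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN."
    }
    1 {
        $h = $holders[0]
        $class = ($h.Properties["objectclass"] | Select-Object -Last 1)
        Write-Host ("{0} is held by {1} ({2})." -f $spn, $h.Properties["samaccountname"][0], $class)
    }
    default {
        # Duplicate SPNs are worse than none: the KDC cannot pick a key, and
        # Kerberos fails for every client, not just the misrouted ones.
        Write-Host "DUPLICATE: $spn is held by $($holders.Count) accounts:"
        $holders | ForEach-Object { Write-Host ("  " + $_.Properties["samaccountname"][0]) }
    }
}

# With the app pool running as Local System, a service ticket for $spn is
# encrypted with the key of whichever computer account holds the SPN. Under NLB
# only that node can decrypt it; every other node fails the same way.
foreach ($cas in $CasServers) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $s.Filter = "(&(objectClass=computer)(sAMAccountName=$cas`$))"
    $s.PropertiesToLoad.AddRange(@("serviceprincipalname"))
    $r = $s.FindOne()
    if ($r -eq $null) {
        Write-Host "$cas : computer account not found"
        continue
    }
    $has = @($r.Properties["serviceprincipalname"]) -contains $spn
    Write-Host ("{0} : holds {1} = {2}" -f $cas, $spn, $has)
}

# Equivalent one-liners with the Windows Server 2008 setspn.exe:
#   setspn -Q HTTP/owaURL.domain.tld      (query holder)
#   setspn -X                             (report duplicates domain-wide)
```

Read the two reports together: zero holders explains the client log in the thread; exactly one holder among several NLB members means Kerberos works only on the node the NLB happens to pick; more than one holder means it works nowhere. The SPN has to be on a single account whose key every member shares, which is what the Local System app-pool requirement prevents in this Exchange 2007 topology.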

Check info:
1. Please describe the Exchange topology.
2. How did Entourage encounter the error? What is the exact error info?
3. You must have checked the IIS log when you reproduced the issue, right? What is the error trace?
4. Is there any error event in the application log on the Exchange servers?
5. How did you narrow down the issue to the SPN property?
6. Does Entourage stay in the internal network?
7. Is the KDS server (responsible for generating the Kerberos ticket) bound to the same domain where the Exchange server is? And ensure it is listed in the "System settings" of the mailbox (MBX) server:
   a. Launch EMC
   b. Server Configuration -> Mailbox
   c. Right-click the MBX server, and go to "Properties"
   d. Select the "System settings" tab
8. Does Entourage point to the MBX server?
9. Is the domain name typed in all uppercase letters when attempting to create a new Kerberos ID?
10. Please make sure that Entourage is configured with SSL settings for the certificate.
11. Please verify that the format of the CAS server was correctly entered in Entourage (KB 931350).
Resources:
- Exchange 2007 Security Guide
- Using Entourage 2008 with Kerberos authentication
- Entourage 2008 – New Features (Part II)
October 8th, 2009 9:37am

1. All servers are Exchange 2007 SP1 RU9. 8 CAS, 4 HUB, 9 MBX and 2 PF servers.
2. When configuring Entourage to use Kerberos authentication, it displays the following error: Verifying Exchange account "email address" on "owaURL.domain.tld": Verification Failed: "Logon failure: unknown user name or bad password" (-17900).
3. Since there are 8 CAS servers in an NLB configuration with heavy traffic, it's very difficult to isolate which server the client is accessing and then check the logs on it.
4. There is no related error in the application log.
5. Entourage logging was turned on, and the log showed that the client is attempting to get a service ticket for HTTP/owaURL.domain.tld but was receiving a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) error.
6. Entourage works fine internally and externally when Kerberos is not selected and the credentials are supplied.
7. Yes, we only have one domain and all the DCs show up in the window listing DCs and GCs used by Exchange.
8. No, Entourage does not point directly to the MBX server. All the configuration is done through Autodiscover (we used Entourage 2008 both with and without EWS) and it points to the OWA URL. This configuration works fine when Kerberos is not thrown in the mix.
9. Yes, the Kerberos ID shows the domain in all uppercase.
10. If you mean Entourage is using SSL to connect to Exchange, yes, that is enabled, since we require SSL for all access.
11. Yes, the URL used is in the correct format; it's the same URL with or without Kerberos, and without Kerberos selected, everything works fine.
October 8th, 2009 3:43pm

I see why you want to add the SPN for NLB. I think the "A particular area of trouble can occur when you set the SPN / Determine the server name" section in KB 907272 may work for your environment.
October 9th, 2009 5:12am

Hi Abhi, I have a similar problem and my clients must authenticate using Kerberos. How did you resolve the problems in the end? I thought I would ask before I try KB907272. Thanks, ECL
November 12th, 2010 11:47am

Unfortunately we were not able to resolve the problem. The KB article didn't help with the issue. We have since upgraded to Exchange 2010, and post-SP1 there is supposedly support for using Kerberos with the CAS servers. http://setspn.blogspot.com/2010/08/exchange-2010-enable-kerberos-on-cas.html
November 12th, 2010 1:34pm

Hi Abhi, we are on Exchange 2010 SP1 already. Just before I saw your post I ran "setspn -A HOST\owa.domain.com casserver1", went into AD to enable trust for delegation for the CAS server, rebooted, and it worked :) all still using the Local System account. I will take a detailed look at the article you gave me. Thanks, ECL
November 12th, 2010 1:53pm
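The Exchange 2010 SP1 mechanism the linked blog post refers to, as an added example that is not part of the thread: the SPN for the shared name is registered once, on an Alternate Service Account (ASA) whose credential is pushed to every Client Access server, so all load-balanced members hold the same key and can decrypt the same ticket. This is what the Exchange 2007 topology in the question could not do with Local System app pools. Assumptions, not from the thread: the account name, server names and host name are placeholders; the computer account EXCH-ASA was created beforehand; the commands run in the Exchange Management Shell on a CAS, using the RollAlternateServiceAccountPassword.ps1 script shipped in the Exchange Scripts folder.

```powershell
# Added example (not from the thread): Exchange 2010 SP1 ASA setup for
# load-balanced CAS. All names below are placeholders.
$asa       = "DOMAIN\EXCH-ASA$"                 # assumption: pre-created computer account
$sharedFqdn = "owa.domain.com"                  # assumption: NLB name clients resolve
$casServers = @("casserver1", "casserver2")     # assumption: NLB members

# 1. Make sure no CAS computer account still holds the shared-name SPN;
#    a duplicate alongside the ASA breaks Kerberos for every client.
setspn -Q "http/$sharedFqdn"

# 2. Register the shared-name SPN on the ASA. -S refuses to create a duplicate.
setspn -S "http/$sharedFqdn" $asa

# 3. Generate a password for the ASA and store the credential on each member.
#    The script sets the password in AD and on every listed server.
& "$env:ExchangeInstallPath\Scripts\RollAlternateServiceAccountPassword.ps1" `
    -ToSpecificServers $casServers `
    -GenerateNewPasswordFor $asa `
    -Verbose

# 4. Verify that each CAS reports the same ASA credential.
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Format-List Name, AlternateServiceAccountConfiguration
```

After this, a client asking the KDC for http/owa.domain.com gets a ticket encrypted with the ASA's key, and whichever node NLB selects can validate it. Registering the SPN on one CAS computer account instead works only for requests that land on that node, and registering it on several is a duplicate SPN.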
