Friday, March 4, 2011

Kerberos Authentication on the CAS Array

For the full Microsoft documentation, please see the link below.


The steps below are shorthand sent to me by a colleague, which I used on a recent engagement. I would encourage anyone doing this for the first time to study the documentation and to run through it in a lab first.


1) Create a new computer account in AD called "CASARRAY1".
2) From the Exchange Management Shell, run .\RollAlternateServiceAccountPassword.ps1 -ToSpecificServers -Identity "CAS1","CAS2","CAS3" -GenerateNewPasswordFor "DOMAIN\CASARRAY1$" (the servers listed here are not always just the CAS Array members; they should be every CAS server that will need to authenticate requests for the associated CAS Array FQDN).
3) Set the SPNs with the commands below:
a. setspn -S http/webmail.contoso.com CASArray1$
b. setspn -S exchangeMDB/outlook.contoso.com CASArray1$
c. setspn -S exchangeRFR/outlook.contoso.com CASArray1$
d. setspn -S exchangeAB/outlook.contoso.com CASArray1$
4) Create a scheduled task to update the password on the computer account: .\RollAlternateServiceAccountPassword.ps1 -CreateScheduledTask "CAS Array Kerberos Password Update" -ToSpecificServers -Identity "CAS1","CAS2","CAS3" -GenerateNewPasswordFor "DOMAIN\CASARRAY1$"
5) Test from an Outlook client by enforcing Kerberos authentication in the mail profile (More Settings -> Security).
6) Test by reviewing the address book service log; a request authenticated with Kerberos ends in "Kerberos", for example:
2011-02-05T06:04:21.072Z,139928,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=username,,10.10.10.10,CAS1,ncacn_ip_tcp,GetNewDSA,,5,Self,,Kerberos
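The following is an added verification script, not part of the original post and not Microsoft's RollAlternateServiceAccountPassword.ps1. It checks the three things that most often break this setup: an SPN that is missing or registered on more than one account (the KDC then cannot issue a ticket and Outlook quietly falls back to NTLM), a CAS server that never received the ASA credential, and the share of address book requests that actually arrive as Kerberos. It assumes the names used in the steps above (CASArray1$, CAS1-CAS3, the contoso.com SPN hosts); the assumption that the last comma-separated field of the address book log is the authentication mechanism is taken from the single sample line above, and the log lines embedded in the script are constructed for illustration.

```powershell
# Added verification example; not from the original post or from Microsoft's script.
# Assumes the names used in the steps above. Run from the Exchange Management Shell
# on one of the CAS servers after completing steps 1-4.

$asaAccount   = 'CASArray1'          # sAMAccountName without the trailing $
$casServers   = 'CAS1', 'CAS2', 'CAS3'
$expectedSpns = 'http/webmail.contoso.com',
                'exchangeMDB/outlook.contoso.com',
                'exchangeRFR/outlook.contoso.com',
                'exchangeAB/outlook.contoso.com'

# Step 3 check: each SPN must exist and be owned only by the ASA computer account.
# A duplicate SPN leaves the KDC with no single key to encrypt the service ticket,
# so clients fall back to NTLM. Assumed: setspn -Q prints each owning object's DN
# on a line beginning with "CN=".
function Test-AsaSpn {
    param([string]$Spn)
    $owners = @(setspn -Q $Spn 2>&1 | Where-Object { $_ -match '^CN=' })
    $ok = ($owners.Count -eq 1) -and ($owners[0] -match "^CN=$asaAccount,")
    New-Object PSObject -Property @{ Spn = $Spn; Owners = ($owners -join ';'); Ok = $ok }
}

# Steps 2 and 4 check: every CAS that answers for the array FQDN must hold the ASA
# credential; a server without it cannot decrypt tickets issued for the array SPNs.
function Get-AsaCredentialStatus {
    foreach ($server in $casServers) {
        Get-ClientAccessServer -Identity $server `
            -IncludeAlternateServiceAccountCredentialStatus |
            Select-Object Name, AlternateServiceAccountConfiguration
    }
}

# Step 6 check: tally the authentication mechanism over address book log lines.
# The three lines below are constructed sample data shaped like the line in the post.
$sampleLog = @'
2011-02-05T06:04:21.072Z,139928,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user1,,10.10.10.10,CAS1,ncacn_ip_tcp,GetNewDSA,,5,Self,,Kerberos
2011-02-05T06:04:22.118Z,139929,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user2,,10.10.10.11,CAS2,ncacn_ip_tcp,GetNewDSA,,4,Self,,NTLM
2011-02-05T06:04:23.501Z,139930,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user3,,10.10.10.12,CAS1,ncacn_ip_tcp,GetNewDSA,,6,Self,,Kerberos
'@ -split "`r?`n"

function Get-AuthTypeSummary {
    param([string[]]$Lines = $sampleLog)
    $counts = @{}
    foreach ($line in $Lines) {
        if (-not $line.Trim() -or $line.StartsWith('#')) { continue }   # blank or header
        $auth = $line.Split(',')[-1].Trim()      # assumed: last field is the auth type
        $counts[$auth] = 1 + [int]$counts[$auth]
    }
    $counts
}

# Usage: SPN ownership, credential status on each CAS, then the auth tally.
$expectedSpns | ForEach-Object { Test-AsaSpn $_ } | Format-Table Spn, Ok, Owners -AutoSize
Get-AsaCredentialStatus | Format-List
Get-AuthTypeSummary | Format-Table -AutoSize    # sample data: Kerberos 2, NTLM 1
# Against real logs (assumed path under the Exchange install's Logging folder):
# Get-AuthTypeSummary (Get-Content "$exinstall\Logging\AddressBook Service\*.LOG")
```

Any SPN reporting Ok = False, or a CAS whose AlternateServiceAccountConfiguration shows no credential, should be fixed before the Outlook test in step 5; an NTLM count that stays high after the change usually points back to one of those two causes rather than to the clients.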

*Don't forget to restart the BlackBerry services (or at least test functionality) after this change.

Thanks Chica!
