Sunday, December 15, 2013

Exchange Server and Kerberos Authentication for MAPI Clients

Today I was reading some topics on Exchange Server authentication, and I came across a few great articles available in the community which clearly explain MAPI client authentication. The most important one to review is how to configure MAPI clients to use Kerberos authentication with Exchange Server 2010 and 2013.

Every admin is aware of the authentication mechanisms available for clients to authenticate to Exchange Server. Most organizations use traditional NTLM (Integrated Windows Authentication) for internal client connections and Basic authentication for web and external connections, yet Kerberos authentication is still the most preferable for major large organizations, as it makes authentication easier and more secure. Though it is one of the best methods, configuring it becomes a little complex when it comes to establishing it in an Exchange Server 2010 organization or later.

Today I am going to point you to a few vital articles on this topic already available from Microsoft and technical experts. They clearly explain the reasons to configure Kerberos authentication and give guided steps with live examples for better understanding; read them to learn how you can enable your MAPI clients to use Kerberos authentication.

First, review the Microsoft KB article and the EHLO blog post below to begin your study. They explain why Kerberos authentication needs additional setup steps with Exchange Server 2010, whereas it was enabled by default in earlier versions of the product: the reason is the new client connectivity changes introduced in the product with the CAS server and CAS array. They also show how to configure Exchange Server 2010 SP1 to allow MAPI clients to authenticate with Kerberos using the Alternate Service Account (ASA) mechanism.

Kerberos authentication for MAPI client connection to a Client Access server array

Recommendation: Enabling Kerberos Authentication for MAPI Clients

Once you review the above articles and the TechNet articles referenced inside them, you will come to know the significance of Kerberos authentication and how to enable it in your environment.

Next, you need to see how to do this configuration visually. For this, review the TechNet blog below:

Setting up Kerberos with a Client Access Server Array Exchange 2010 SP1

The above articles complete the requirements for enabling MAPI clients to use Kerberos authentication with Exchange Server 2010.

When it comes to Exchange Server 2013, there is an entire shift in the Exchange Server architecture: the CAS server is now a stateless proxy, there is no need for a CAS array, and Exchange 2013 now mainly uses RPC over HTTP (Outlook Anywhere) to allow MAPI clients to connect, which removes the need for the RPC endpoints.

Internally in an Exchange Server 2013 environment, NTLM is used for authentication, and externally it would be Basic. Even with this version of Exchange we can still leverage the benefit of having Kerberos authentication. There is no official documentation from Microsoft available on this, and I came across an excellent blog post from the You said "Unified"? blog, posted by Collaboration Architect Benoit Boudeville, linked below. It clearly explains the new changes as an introduction and also shows visually how to configure your Exchange 2013 environment to support Kerberos authentication.

Review here:  Exchange 2013 - Configure the Client and Kerberos (load balancer or DNS round-robin) access

Note:  Ensure that you translate the above post to English as it is posted in French.


The Microsoft team published the vital EHLO blog post below today (2/20/2015) to provide guidance on how to set up and use Kerberos authentication in an Exchange 2013 and Exchange 2010 coexistence environment.

Access here: Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication


After the release of Exchange Server 2016 RTM, the Microsoft team published new guidance for Exchange 2016 coexistence with Kerberos authentication for Exchange Server 2010/2013.

Access here: Exchange 2016 Coexistence with Kerberos Authentication

Additionally, review the excellent article below on the topic from MVP Jeff Guillet:

Enabling Kerberos Authentication in a Mixed Exchange 2013 / 2016 Environment
