Exchange 2016 Coexistence with Kerberos Authentication


With the release of Exchange Server 2016, I thought it would be best to document our guidance around utilizing Kerberos authentication for MAPI clients. As with the last two releases, the solution relies on deploying an Alternate Service Account (ASA) credential so that domain-joined and domain-connected Outlook clients, as well as other MAPI clients, can utilize Kerberos authentication.

Depending on your environment, you may utilize a single ASA or have multiple ASA accounts during the coexistence period.

Exchange 2016 Coexistence with Exchange 2010

Two ASA credentials will be utilized in this environment. One ASA credential will be assigned to Exchange 2010 and host the exchangeMDB, ExchangeRFR, and ExchangeAB SPNs, while a second ASA credential will be assigned to Exchange 2016 and host the http SPN records.

For more information, see the Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication article.

Exchange 2016 Coexistence with Exchange 2013

A single ASA credential will be utilized and configured on all Exchange 2013 and Exchange 2016 servers.

For more information, see the Exchange 2013 Configuring Kerberos authentication for load-balanced Client Access servers article.

Note: The RollAlternateserviceAccountCredential.ps1 script included in the Exchange 2016 scripts directory utilizes the new cmdlets, Get/Set-ClientAccessService. These cmdlets will not execute correctly on Exchange 2013 servers. Instead, copy the RollAlternateserviceAccountCredential.ps1 script included in the Exchange 2013 CU10 scripts directory to an Exchange 2016 server, and execute the copied script to deploy the ASA across the Exchange servers.

Exchange 2016 Coexistence with both Exchange 2010 and Exchange 2013

Two ASA credentials will be utilized in this environment. One ASA credential will be assigned to Exchange 2010 and host the exchangeMDB, ExchangeRFR, and ExchangeAB SPNs, while a second ASA credential will be assigned to the Exchange 2013 and Exchange 2016 servers to host the http SPN records.

For more information, see the Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication article.
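A check for the two-ASA SPN split described above, written as an added example and not taken from the original article or from the Exchange scripts. The account names, host names and the Test-AsaSpnLayout function are hypothetical; the sample records are constructed.

```powershell
# Added example: account names and host names below are hypothetical placeholders.
$Expected = @{                      # SPN service class -> ASA that should host it
    'http'        = 'EXCH2016ASA$'  # ASA for Exchange 2013/2016
    'exchangeMDB' = 'EXCH2010ASA$'  # ASA for Exchange 2010
    'exchangeRFR' = 'EXCH2010ASA$'
    'exchangeAB'  = 'EXCH2010ASA$'
}

function Test-AsaSpnLayout {
    param(
        [Parameter(Mandatory)] [object[]]  $Records,  # objects with Account and Spn
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    # The same SPN on two accounts is ambiguous to the KDC and breaks ticket requests.
    $Records | Group-Object { $_.Spn.ToLower() } | ForEach-Object {
        $owners = @($_.Group.Account | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Issue = 'Duplicate'; Spn = $_.Name; Account = $owners -join ', ' }
        }
    }
    # A service class registered on the wrong ASA.
    foreach ($r in $Records) {
        $owner = $Expected[($r.Spn -split '/', 2)[0]]
        if ($owner -and $r.Account -ne $owner) {
            [pscustomobject]@{ Issue = 'Misplaced'; Spn = $r.Spn; Account = $r.Account }
        }
    }
    # A service class with no SPN at all on its ASA.
    foreach ($class in $Expected.Keys) {
        $hit = $Records | Where-Object { $_.Account -eq $Expected[$class] -and $_.Spn -like "$class/*" }
        if (-not $hit) {
            [pscustomobject]@{ Issue = 'Missing'; Spn = "$class/*"; Account = $Expected[$class] }
        }
    }
}

# Constructed sample input. For live data, build the same objects from the
# servicePrincipalName attribute of each ASA account in Active Directory.
$sample = @(
    [pscustomobject]@{ Account = 'EXCH2016ASA$'; Spn = 'http/mail.contoso.example' }
    [pscustomobject]@{ Account = 'EXCH2016ASA$'; Spn = 'http/autodiscover.contoso.example' }
    [pscustomobject]@{ Account = 'EXCH2010ASA$'; Spn = 'exchangeMDB/outlook.contoso.example' }
    [pscustomobject]@{ Account = 'EXCH2010ASA$'; Spn = 'exchangeRFR/outlook.contoso.example' }
    [pscustomobject]@{ Account = 'EXCH2010ASA$'; Spn = 'http/mail.contoso.example' }  # left over from before the split
)
Test-AsaSpnLayout -Records $sample -Expected $Expected | Format-Table -AutoSize
```

With the sample data the function reports the http SPN that still sits on the Exchange 2010 ASA (as both a duplicate and a misplaced record) and the absent exchangeAB SPN.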

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience

Comments (2)
  1. Please see my article, Enabling Kerberos Authentication in a Mixed Exchange 2013 / 2016 Environment, which discusses some gotchas configuring coexistence.
    http://www.expta.com/2015/10/enabling-kerberos-authentication-in.html

  2. Configured Exchange 2013 Kerberos (co-existence with Exchange 2010). OL 2010 SP2 (with 2013 mbx) Kerberos auth works.

    However, after some time the Outlook 2010 SP2 client gets this issue:
    Logon network security option in Microsoft Outlook is set to Anonymous Authentication via Exchange Autodiscover process as described at
    https://support.microsoft.com/en-us/kb/2834139

    Resolution 3 (set InternalClientRequireSSL to False) does not work with OL 2010 SP2.

    So, removed Ex 2013 Kerberos and re-configured Outlook Anywhere (NTLM auth & require SSL) and everything is working again.

    Any ideas?
