OWA publishing using Kerberos Constrained Delegation method for authentication delegation

This article is to show case how you would configure kerberos constrained delegation method for authentication delegation .We would use the OWA publishing post as reference. Although this method is used in scenarios where you are using Client SSL certificate for authentication on the listener as there is no way to delegate the user credentials to the published server other then this method in such scenarios. In our case we know that we are using form based authentication method on the listener and we have other ways to delegate the user credentials to the published server for authentication to happen on the published server such as basic authentication as we have already done in the OWA publishing post. But we can use keberos constrained delegation method as well . I m doing this to elaborate what is required to configure KCD(kerberos constrained delegation) if we want to.

Real action starts at domain controller where we have our ISA server's computer object as shown below open its properties

go to the delegation tab as shown below choose the third option "Trust this computer for delegation to specified service only and under it choose option "Use any authentication protocol"

Then click on Add button and you would get following window

click on Users or computers and type the CAS server's name then do checkname and then click on Ok

we will get following window

choose service as http and then click on Ok and we will have following window.

Apply and save the settings.

We will then register the spn for this service for CAS server and we would use setspn command to do that. We will use windows support tools and its command prompt run command >setspn -A http/corpa08 corpa08

In this I used netbios name of the CAS server for spn registeration. We can also use FQDN . Then you can also use command setspn -L corpa08 to see the registered spns for corpa08 as shown below.

 

 

Then we will make change in our OWA publishing rule to use Kerberos Constrained Delegation method for Authentication Delegation. We also need to configure spn used by the ISA server for kerberos constrained delegation in this case it is http/corpa08.

Rest remains same in terms of authentication in our existing rule, listener shows we are using FBA with AD authentication on listener as shown below

 

For users we have all authenticated users.

Now lets go ahead and test this from an external client machine as shown below

and here we are with our inbox.  

 

I know you wont see any emails as this user recieved none as yet.