I am experiencing an issue with our current Exchange infrastructure.
We have 2 internet-facing Exchange sites and 1 non-internet-facing site.
All servers have the CAS and Mailbox roles installed, running Exchange Server 2007 RU13. Users on the non-internet-facing server are able to use OWA without issues; their requests are proxied via either of the internet-facing servers. However, after updating our certificates to keep them up to date with the new rules on which FQDNs can be used, we have been experiencing an issue.
Both internet-facing sites work using the FQDN names internally and externally.
Our hostnames, for example:
Public site 1: ext: mail.sitea.com, int: ex2007-sitea.local
Public site 2: ext: mail.siteb.com, int: ex2007-siteb.local
Non-public site 3: ext: $null, int: ex2007-sitec.local
They have been updated to the below with the new cert:
Public site 1: ext: mail.sitea.com, int: mail.sitea.com
Public site 2: ext: mail.siteb.com, int: mail.siteb.com
Non-public site 3: ext: $null, int: mail.sitec.com
We created split DNS with the appropriate internal address records for each of the new internal hostnames.
Upon further investigation I can see the CAS proxy issue is down to Kerberos authentication between the public CAS site and the internal CAS site, and I have tried to resolve it by adding the appropriate SPN records for the non-public site.
This solves the issue, but 15 minutes after being created the SPN records disappear for an unknown reason. I have enabled AD audit logging and can see the record creation logged in the event logs, but I cannot see the delete function/log record occurring on any of the DCs.
The below SPN command fixes the CAS:
setspn -a host/mail.sitec.com ex2007-sitec
However, after 15 mins it is somehow deleted and the CAS no longer authenticates.
I have run the following SPN commands:
setspn -a exchangemdb/mail.sitec.com ex2007-sitec
setspn -a exchangerfr/mail.sitec.com ex2007-sitec
setspn -a exchangeab/mail.sitec.com ex2007-sitec
This fixes the CAS authentication issue, but then the exchangeab record is deleted (while the other 2 remain) and the CAS proxy is broken again.
Note: ActiveSync functionality is working for mobile devices on the non-internet-facing CAS. We are only having issues with OWA.
Any help is appreciated; we intend to upgrade our systems to Exchange 2013, but I want to get to the bottom of this first. Also, I am unsure of the best approach to setting hostnames on our new Exchange servers on the local domain due to these problems. I would like to avoid having to rename the domain FQDN as opposed to the current .local domain name, but if I cannot resolve this issue I see no other option...
Thanks
OK, I think I've solved this one myself. For the benefit of anyone who experiences the same issue, the fix for me was:
setspn -a http/mail.sitec.com ex2007-sitec
This allows all of the site-to-site proxy requests to authenticate with Kerberos.
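The thread never establishes what removes the SPNs every 15 minutes, so the practical follow-up is to detect the drift and timestamp it. The script below is an added example, not the poster's own code: it compares the SPNs registered on the CAS computer account against the set named in the thread (HTTP, HOST, exchangeMDB, exchangeRFR, exchangeAB for mail.sitec.com on ex2007-sitec), writes a timestamped line to a log, and optionally re-registers whatever is missing. It assumes setspn.exe is available (Windows Server 2008 or later), that it runs under an account allowed to write servicePrincipalName, and the log path is a hypothetical location.

```powershell
# Added example, not from the original post: audit (and optionally repair) the
# SPNs that Kerberos CAS-to-CAS proxying needs on one computer account.
# Assumptions: setspn.exe on PATH, run with rights to write servicePrincipalName,
# hostnames taken from the post, log path hypothetical.
param(
    [string]$Computer = 'ex2007-sitec',          # AD computer account (from the post)
    [string]$Fqdn     = 'mail.sitec.com',        # new name on the cert (from the post)
    [switch]$Repair,                             # re-register anything missing
    [string]$LogPath  = 'C:\Temp\spn-audit.log'  # hypothetical log location
)

function Write-AuditLine([string]$Message) {
    $line = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message"
    Write-Output $line
    Add-Content -Path $LogPath -Value $line
}

# SPNs the thread identifies as needed for the site-to-site proxy to authenticate.
$expected = @(
    "HTTP/$Fqdn",
    "HOST/$Fqdn",
    "exchangeMDB/$Fqdn",
    "exchangeRFR/$Fqdn",
    "exchangeAB/$Fqdn"
)

# setspn -L prints a header line, then one tab-indented SPN per line.
$registered = @(& setspn.exe -L $Computer |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '/' })

# -notcontains compares case-insensitively, matching how SPNs are resolved.
$missing = @($expected | Where-Object { $registered -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-AuditLine "OK      all $($expected.Count) expected SPNs present on $Computer"
} else {
    Write-AuditLine "MISSING on ${Computer}: $($missing -join ', ')"
    if ($Repair) {
        foreach ($spn in $missing) {
            # -S refuses to add an SPN that already exists on another account;
            # a duplicate SPN would itself break Kerberos for both hosts.
            & setspn.exe -S $spn $Computer | Out-Null
            Write-AuditLine "re-registered $spn on $Computer (setspn exit code $LASTEXITCODE)"
        }
    }
}
```

Run it from a scheduled task every few minutes with -Repair so the proxy keeps working while the log pins down when each SPN vanishes. To see which principal removed a value, the relevant Windows audit event is 5136 (a directory service object was modified), which only fires if the Directory Service Changes subcategory is enabled and the computer object's SACL audits writes to servicePrincipalName; the create-only logging the poster describes is consistent with that SACL being absent.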