Hello, in this article we'll cover how to enable Kerberos authentication on Exchange Server 2019. But first, we need to examine what Kerberos is and what the benefits of using Kerberos authentication are.
What is Kerberos?
Kerberos is an authentication technology found in operating systems such as Microsoft Windows, Apple macOS, FreeBSD, UNIX and Linux. Microsoft first introduced Kerberos with Windows 2000, and the technology has since been adopted as a standard for websites and SSO applications.
Kerberos' strong encryption and trusted third-party authentication (the KDC vouches for both client and service) make it much harder for attackers to move through your network with stolen credentials. It is not completely foolproof, but in a well-structured environment it provides better security than NTLM.
Advantages of Kerberos
Kerberos makes it harder for malware to infiltrate your network by using strong encryption and trusted third-party authentication. In addition, Kerberos's robust architecture makes it easy to integrate with and evolve alongside other systems. In particular, Kerberos offers the following advantages:
- Access Control: Kerberos provides an effective access control mechanism, so administrators can keep track of all logins and enforce security policies in one place.
- Mutual Authentication: Both services and users can verify the identity of the other party they interact with.
- Limited Ticket Life: Kerberos tickets have a limited lifetime, allowing security administrators to control how long an authentication remains valid.
- Reusable Authentication: After logging into the system once, users do not have to re-enter their credentials for as long as the ticket is valid.
- Security: Kerberos offers a secure authentication protocol built on multiple secret keys and encryption.
To use Kerberos authentication with Exchange Server behind a load balancer, we must first configure an ASA (Alternate Service Account).
If there is more than one Exchange server in your environment and they share a namespace, Kerberos authentication does not work by default. For example, if mail.cozumpark.com is used as a single namespace, an ASA needs to be created in AD and your Exchange environment linked to this account.
Enterprise Benefits of Kerberos Authentication
Kerberos authentication, especially in large-scale deployments, can reduce the scalability issues encountered with NTLM. Because the user already holds a TGT (Ticket Granting Ticket), the Outlook client does not have to re-authenticate every time it opens a session, which significantly reduces the load on Exchange servers and Domain Controllers.
Steps to Create ASA on Active Directory
Creating an ASA for the Exchange servers inside Active Directory (AD) is an important management task. The ASA is generally defined as a computer account. Microsoft recommends using a computer account instead of a user account because computer accounts do not allow interactive logons and have simpler security policies than user accounts. Passwords for computer accounts do not expire, but should be rotated regularly as a security best practice.
Creating an ASA Computer Account
You can create the computer account by running the following command in PowerShell. Set a strong password for this account and add a description. (Backticks are PowerShell's line-continuation character.)
New-ADComputer -Name CP-ASA `
    -AccountPassword (Read-Host 'Enter Password' -AsSecureString) `
    -Description 'ASA Account for Exchange Servers' `
    -Enabled:$True `
    -SamAccountName CP-ASA `
    -Path "CN=Computers,DC=yourdomain,DC=com"
- -Name: the name of the account in AD.
- -SamAccountName: the SAM-compatible (pre-Windows 2000) name of the account.
- -Path: the container or OU in which the account is created.
- Enabling AES 256 for Kerberos: AES 256 encryption is required for Kerberos authentication. Update the computer account you just created to enable it with the following command.
Set-ADComputer CP-ASA -Add @{"msDS-SupportedEncryptionTypes"="28"}
This command sets the Kerberos encryption types supported by the specified computer account. The value 28 is a bitmask of RC4-HMAC (4), AES128 (8) and AES256 (16); if you want to rule out RC4 fallback entirely, use 24 (AES128 + AES256) instead. If the attribute already has a value, use -Replace rather than -Add, since msDS-SupportedEncryptionTypes is single-valued.
Replication: To make sure the ASA account you created has replicated to all domain controllers in your AD domain, run the following command on one of your domain controllers.
repadmin /syncall /AdeP
This command forces synchronization of AD objects across all domain controllers. The switches mean: /A sync all naming contexts held by this DC, /d identify servers by distinguished name in the output, /e cross site boundaries (the whole enterprise), and /P push changes outward from the DC you run it on. Afterwards, repadmin /replsummary shows any remaining replication errors.
- When creating the computer account, set the name and path according to your organization's standards.
- For security reasons, make sure the password you choose complies with your organization's password policy.
- Note that changes made with ADSIEdit or other advanced AD management tools take effect immediately and cannot easily be undone.
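Before handing the account to Exchange it is worth checking it the way a reviewer would: enabled, AES enabled (and ideally RC4 off), password not stale, expected SPNs present. The following script is an added example and not part of the original article; it assumes the account name CP-ASA, the two SPNs http/mail.cozumpark.com and http/autodiscover.cozumpark.com used later in this article, a 90-day rotation policy, and that the ActiveDirectory (RSAT) module is available where it runs.

```powershell
# Added verification script; not part of the original article. Assumes the ASA
# is named CP-ASA, the SPNs are the two used in this article, a 90-day password
# rotation policy, and that the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Decode the msDS-SupportedEncryptionTypes bitmask into algorithm names.
function Get-KerberosEncTypes {
    param([Parameter(Mandatory)][int]$Value)
    $flags = [ordered]@{
        1  = 'DES-CBC-CRC'
        2  = 'DES-CBC-MD5'
        4  = 'RC4-HMAC'
        8  = 'AES128-CTS-HMAC-SHA1-96'
        16 = 'AES256-CTS-HMAC-SHA1-96'
    }
    foreach ($bit in $flags.Keys) {
        if (($Value -band $bit) -ne 0) { $flags[$bit] }
    }
}

# Check the ASA computer account and report every finding in one object.
function Test-AsaAccount {
    param(
        [string]$Name = 'CP-ASA',
        [string[]]$ExpectedSpns = @('http/mail.cozumpark.com', 'http/autodiscover.cozumpark.com'),
        [int]$MaxPasswordAgeDays = 90   # assumed rotation policy
    )
    $props = @('msDS-SupportedEncryptionTypes', 'ServicePrincipalNames', 'PasswordLastSet', 'Enabled')
    $asa   = Get-ADComputer -Identity $Name -Properties $props

    # An unset attribute casts to 0, which means "no AES advertised" (RC4 by default).
    $encValue = [int]$asa.'msDS-SupportedEncryptionTypes'
    $enc      = @(Get-KerberosEncTypes -Value $encValue)
    $spns     = @($asa.ServicePrincipalNames)
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $asa.Enabled) { $findings.Add('Account is disabled') }
    if ($enc -notcontains 'AES256-CTS-HMAC-SHA1-96') { $findings.Add("AES256 not enabled (msDS-SupportedEncryptionTypes=$encValue)") }
    if ($enc -contains 'RC4-HMAC') { $findings.Add('RC4 still allowed; set the attribute to 24 for AES-only') }
    if ($enc -contains 'DES-CBC-CRC' -or $enc -contains 'DES-CBC-MD5') { $findings.Add('DES enabled; remove it') }
    if ($asa.PasswordLastSet -and $asa.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $findings.Add("Password older than $MaxPasswordAgeDays days; roll it with RollAlternateServiceAccountPassword.ps1")
    }
    foreach ($spn in $ExpectedSpns) {
        if (-not ($spns | Where-Object { $_ -ieq $spn })) { $findings.Add("Missing SPN $spn") }
    }

    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Account         = $asa.SamAccountName
        Enabled         = $asa.Enabled
        EncryptionTypes = ($enc -join ', ')
        PasswordLastSet = $asa.PasswordLastSet
        SPNs            = ($spns -join ', ')
        Findings        = $summary
    }
}

Test-AsaAccount | Format-List
```

Run it again after the SPN and RollAlternateServiceAccountPassword.ps1 steps below; the Findings field should then read OK. A "Missing SPN" finding at this stage is expected, since the SPNs have not been registered yet.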
ASA and SPN (Service Principal Name) Association
SPNs (Service Principal Names) are identifiers used by the different Exchange services and are associated with specific URLs. Now we need to associate these SPNs with the newly created ASA.
SPN List
SPNs cover the URLs used by Exchange services, such as:
- Outlook Anywhere, MAPI over HTTP, Exchange Web Services and Offline Address Book, which in this example use the namespace:
mail.cengizyilmaz.net
- The Autodiscover service, which uses the namespace:
autodiscover.cengizyilmaz.net
Setting SPN Values
SPN values must map to the DNS names that clients connect to, not to individual server names. For example, if all Exchange servers are in a single Active Directory (AD) site and the URLs are spread over two namespaces, mail.cengizyilmaz.net and autodiscover.cengizyilmaz.net, then the SPNs must be registered for those two names.
If you have multiple AD sites with Exchange services running in each of them, separate SPNs may need to be registered for every namespace in use. For example, if you have additional namespaces such as CY-Mail.cengizyilmaz.net and NY-Autodiscover.cengizyilmaz.net, you must register SPNs for those namespaces as well.
Configuring Exchange Server ASA Identity
The key component of Kerberos authentication on Exchange Server is the Microsoft Exchange Service Host service running on the Mailbox servers. The ASA (Alternate Service Account) credentials required for Kerberos authentication are managed on each Mailbox server with the RollAlternateServiceAccountPassword.ps1 script.
First, run this script on the primary Mailbox server. The steps are as follows:
- Open the Exchange Management Shell (EMS). If you are using a Server 2019 or Server 2022 Core installation, start EMS from CMD by entering the command:
LaunchEMS
- Run the script. In EMS, first change to the Exchange scripts directory:
cd $exscripts
- Then run the script with the ASA computer account name (the trailing $ marks a computer account):
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer EXCSERVER.akkaya.local -GenerateNewPassword AKKAYA\CP-ASA$
When prompted for confirmation, press "Y" to continue.
If there is more than one Exchange server, a different command is used when running the script on the other servers: instead of generating a new password, the credential is copied from the first server. This matters whenever the ASA computer account password has just been created or changed, because every server must hold the same password.
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer EXCSERVER2.cozumpark.com -CopyFrom EXCSERVER.cozumpark.com
As a result, the configuration made on the first Mailbox server is applied to the other servers and the ASA credentials are updated on each. Repeating this on every server ensures a consistent configuration across the organization.
- Rotating the ASA password in AD on a regular schedule improves security; because the script updates both AD and the Exchange servers, server-to-server communication keeps working after the change.
- If you have more than one Exchange server in your environment, make sure the credentials are updated by running this script against each one.
Verifying the Exchange Server ASA Credentials
To verify that the Exchange servers on which you have enabled Kerberos authentication are configured correctly, follow the steps below:
- Checking ASA Credentials for a Specific Server
Get-ClientAccessService EXCSERVER -IncludeAlternateServiceAccountCredentialStatus | fl Name, AlternateServiceAccountConfiguration
- Check ASA Credentials on All Servers
Get-ClientAccessService -IncludeAlternateServiceAccountCredentialStatus | fl Name, AlternateServiceAccountConfiguration
ASA SPN Association
If only some of the servers are configured for Kerberos, users may encounter password prompts when connecting to their mailbox or when accessing the AutoDiscover service. To avoid this, follow these SPN association steps:
- Checking Available SPNs
setspn -F -Q http/mail.cozumpark.com
If you get the answer "No such SPN found", you need to create the association. If it answers "Existing SPN found!" instead, check that the object it lists is the ASA and not some other account: an SPN registered on two objects, or on the wrong one, breaks Kerberos for that namespace.
- Relating SPNs to ASA
setspn -S http/mail.cozumpark.com AKKAYA\CP-ASA$
setspn -S http/autodiscover.cozumpark.com AKKAYA\CP-ASA$
If you use other SPNs in your environment, you need to associate them with the ASA as well; registering the SPN names is enough. In this example we only cover Outlook Anywhere and AutoDiscover.
- Verification of SPN Association
setspn -L AKKAYA\CP-ASA$
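setspn -L only shows what is registered on the ASA; it does not tell you whether another object in the domain also claims the same SPN, which is the usual cause of the password prompts described above. The following script is an added example, not part of the original article: it queries AD for every object owning each http/ SPN and classifies the result. It assumes the cozumpark.com namespaces, the AKKAYA domain and the CP-ASA$ account from this article, and that the ActiveDirectory module is available.

```powershell
# Added SPN ownership check; not part of the original article. Assumes the
# namespaces, domain (AKKAYA) and ASA (CP-ASA$) used in this article and that
# the ActiveDirectory module is installed on a domain-joined admin host.
Import-Module ActiveDirectory

# For each namespace, find every AD object that claims the http/ SPN.
# Kerberos needs exactly one owner and it must be the ASA; a duplicate or a
# wrong owner is what turns into Outlook password prompts for that namespace.
function Test-ExchangeSpnOwnership {
    param(
        [string[]]$Namespaces = @('mail.cozumpark.com', 'autodiscover.cozumpark.com'),
        [string]$Domain = 'AKKAYA',
        [string]$AsaSamAccountName = 'CP-ASA$'
    )
    foreach ($ns in $Namespaces) {
        $spn    = "http/$ns"
        # servicePrincipalName is matched case-insensitively by the LDAP filter.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        $names  = @($owners | ForEach-Object { $_.sAMAccountName })

        if ($owners.Count -eq 0) {
            $status = 'MISSING'
            $fix    = "setspn -S $spn $Domain\$AsaSamAccountName"
        }
        elseif ($owners.Count -gt 1) {
            $status = 'DUPLICATE'
            $fix    = "setspn -D $spn <wrong-owner> for each owner that is not the ASA, then re-check"
        }
        elseif ($names[0] -ne $AsaSamAccountName) {
            $status = 'WRONG-OWNER'
            $fix    = "setspn -D $spn $($names[0]); setspn -S $spn $Domain\$AsaSamAccountName"
        }
        else {
            $status = 'OK'
            $fix    = ''
        }

        [pscustomobject]@{
            SPN          = $spn
            Status       = $status
            Owners       = ($names -join ', ')
            SuggestedFix = $fix
        }
    }
}

Test-ExchangeSpnOwnership | Format-Table -AutoSize
```

A DUPLICATE result typically means an administrator once registered the namespace SPN directly on an Exchange server's computer account; remove it there, not from the ASA.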
Enabling Kerberos Authentication for Clients
As a final step, you need to enable Kerberos authentication for Outlook connections.
Set Up Kerberos Authentication for Outlook Anywhere
Get-OutlookAnywhere -Server EXCSERVER | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate
To run on all Exchange Server servers simultaneously
Get-OutlookAnywhere | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate
Setting Up Kerberos Authentication for MAPI over HTTP
Get-MapiVirtualDirectory -Server EXCSERVER | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, Negotiate
To run it on all servers simultaneously:
Get-MapiVirtualDirectory | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, Negotiate
The service responsible for Kerberos authentication on Exchange servers is the MSExchangeServiceHost (Microsoft Exchange Service Host) service.
If this service is stopped, Kerberos authentication will not work.
Testing Clients with Kerberos Authentication
Once you have completed the Kerberos setup, you can test that clients work with the new configuration by following the steps below.
Updating Configurations
We have updated the authentication settings for Outlook Anywhere and MAPI over HTTP. To apply these changes to your Outlook clients quickly, restart the following services:
Restarting the MSExchangeAutodiscoverAppPool Application Pool
In Exchange Management Shell (EMS) You can restart the application pool with the following commands:
$cas = Get-ClientAccessService
$cas.name | ForEach-Object {Invoke-Command -ComputerName $_ -ScriptBlock {Restart-WebAppPool -Name MSExchangeAutodiscoverAppPool}}
Restarting MSExchangeServiceHost Service
To restart the MSExchangeServiceHost service on all Mailbox servers:
$cas = Get-ClientAccessService
$cas.name | ForEach-Object {Invoke-Command -ComputerName $_ -ScriptBlock {Restart-Service MSExchangeServiceHost -Force}}
To check the status of the MSExchangeServiceHost service on every server:
$cas.name | ForEach-Object {Get-Service -Name MSExchangeServiceHost -ComputerName $_}
Verifying Kerberos Authentication
There are several ways to verify that Outlook is connecting using Kerberos:
Checking Cached Kerberos Tickets with klist
From a command prompt or PowerShell on a client machine, view the cached Kerberos tickets by running the klist command:
klist
- You should see tickets for the SPNs associated with the ASA computer account:
http/mail.cozumpark.com
http/autodiscover.cozumpark.com
- Checking HTTP Proxy Log Files: You can review the HTTP Proxy log files on the Exchange server to verify that Outlook clients are connecting with Kerberos.
C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy
- In the log files, search for the phrase Negotiate/TRUE, i.e. requests whose authentication type is Negotiate (Kerberos) and which were authenticated successfully. Requests that still show NTLM come from clients that have not picked up the new configuration or cannot obtain a ticket for the SPN.
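Both checks above can be scripted so you get a per-SPN and per-user answer rather than a grep hit. The following is an added example, not part of the original article: the first function reads klist on a client and reports whether a service ticket is cached for each of the two SPNs from this article; the second parses HttpProxy log lines and summarizes them by authentication type. The log lines embedded below are constructed for the example and use only a subset of the real HttpProxy columns; the column names AuthenticationType and IsAuthenticated are taken from the #Fields header that real HttpProxy logs carry, so the parser reads the header rather than hard-coding positions.

```powershell
# Added verification helpers; not part of the original article. The klist check
# assumes the two SPNs used in this article. The sample log is constructed (a
# subset of the real HttpProxy columns) so the parser can be run offline.

# Client side: does the current user hold service tickets for the ASA's SPNs?
function Test-KerberosTicketsForSpns {
    param([string[]]$ExpectedSpns = @('http/mail.cozumpark.com', 'http/autodiscover.cozumpark.com'))
    $out = (& klist.exe 2>&1) | Out-String
    # klist prints one "Server: <spn> @ <REALM>" line per cached ticket.
    $cached = [regex]::Matches($out, 'Server:\s+(\S+)\s*@') | ForEach-Object { $_.Groups[1].Value }
    foreach ($spn in $ExpectedSpns) {
        [pscustomobject]@{
            SPN          = $spn
            TicketCached = [bool]($cached | Where-Object { $_ -ieq $spn })
        }
    }
}

# Server side: summarize HttpProxy log lines by authentication type and user.
function Get-HttpProxyAuthSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    $rows   = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ','
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }   # other header lines
        $rows.Add($line)
    }
    if (-not $fields) { throw 'No #Fields header found in log' }
    $records = $rows | ConvertFrom-Csv -Header $fields
    $records | Group-Object AuthenticationType, IsAuthenticated | ForEach-Object {
        [pscustomobject]@{
            AuthenticationType = $_.Group[0].AuthenticationType
            IsAuthenticated    = $_.Group[0].IsAuthenticated
            Requests           = $_.Count
            Users              = (($_.Group | Select-Object -ExpandProperty AuthenticatedUser -Unique) -join ', ')
        }
    }
}

# Constructed sample in HttpProxy CSV format: two Kerberos (Negotiate) requests
# and one client still falling back to NTLM.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,Protocol,UrlHost,AuthenticationType,IsAuthenticated,AuthenticatedUser,ClientIpAddress
2024-05-01T08:00:01.000Z,Mapi,mail.cozumpark.com,Negotiate,true,user1@cozumpark.com,10.0.0.11
2024-05-01T08:00:02.000Z,Mapi,mail.cozumpark.com,NTLM,true,user2@cozumpark.com,10.0.0.12
2024-05-01T08:00:03.000Z,Autodiscover,autodiscover.cozumpark.com,Negotiate,true,user1@cozumpark.com,10.0.0.11
'@ -split "`r?`n"

Get-HttpProxyAuthSummary -Lines $sampleLog | Format-Table -AutoSize
Test-KerberosTicketsForSpns | Format-Table -AutoSize

# Against a real server, feed it the per-protocol subfolder, e.g. Mapi,
# Autodiscover or RpcHttp under the HttpProxy logging directory:
# $lines = Get-ChildItem 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi' -Filter *.log | Get-Content
# Get-HttpProxyAuthSummary -Lines $lines
```

The Users column of the NTLM row is the list to chase: those clients either have not restarted Outlook since the change, are connecting from non-domain-joined machines, or cannot reach a DC to obtain a ticket for the SPN.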
Completing these steps indicates that your Exchange environment is successfully using Kerberos authentication and is securely configured. Enabling Kerberos authentication provides significant improvements to both security and user experience.