Configuring Exchange Server Kerberos

Hello, in this article we'll cover how to enable Kerberos authentication on Exchange Server 2019. But first, we need to look at what Kerberos is and what the benefits of using Kerberos authentication are.

What is Kerberos?

Kerberos is an authentication technology found not only in Microsoft Windows but also in Apple, FreeBSD, UNIX and Linux operating systems. Microsoft first introduced Kerberos with Windows 2000, and the technology has since been adopted as a standard for websites and SSO applications.

Kerberos's strong encryption and third-party (trusted KDC) authentication make it much harder for malware authors to infiltrate your network. It is not completely foolproof, but in a well-structured environment it provides better security than NTLM.

Advantages of Kerberos

Kerberos makes it harder for malware to infiltrate your network by using strong encryption and third-party authentication techniques. Kerberos's robust architecture also makes it easy to integrate with, and evolve alongside, other systems. In particular, Kerberos offers the following advantages:

  • Access Control: Kerberos provides an effective access control mechanism, so administrators can keep track of all logins and enforce security policies in one place.
  • Mutual Authentication: Both service systems and users can verify the identities of other parties with whom they interact.
  • Limited Ticket Life: Kerberos tickets have a limited lifetime, allowing security administrators to control how long an authentication remains valid.
  • Reusable Authentication: After successfully logging into the system for the first time, users do not have to re-enter their credentials for the duration of the ticket's validity.
  • Security: Kerberos offers a secure authentication protocol based on multiple secret keys and encryption.

In order to use Kerberos authentication with a load balancer in front of Exchange Server, we must first configure an ASA (Alternate Service Account).

If there is more than one Exchange server in your environment and they share namespaces, Kerberos authentication does not work by default. For example, if mail.cozumpark.com is used as a single namespace, an ASA needs to be created in AD and your Exchange environment needs to be linked to this account.

Enterprise Benefits of Kerberos Authentication

Kerberos authentication can reduce the scalability issues encountered with NTLM, especially in large-scale deployments. Because the user already holds a TGT (Ticket Granting Ticket), the Outlook client does not have to re-authenticate every time a session is opened, which significantly reduces the load on Exchange servers and Domain Controllers.

Steps to Create ASA on Active Directory

Creating an ASA account in Active Directory (AD) for the Exchange servers is an important management task. The ASA is generally defined as a computer account. Microsoft recommends using a computer account instead of a user account because computer accounts do not allow interactive logins and have simpler security policies than user accounts. Passwords for computer accounts do not expire, but they should be updated regularly as a security best practice.

Creating an ASA Computer Account

You can create the computer account by running the following command in PowerShell. Set a strong password for this account and add a description. (PowerShell continues a command on the next line with a backtick, not a backslash.)

New-ADComputer -Name CP-ASA `
    -AccountPassword (Read-Host 'Enter Password' -AsSecureString) `
    -Description 'ASA Account for Exchange Servers' `
    -Enabled:$True `
    -SamAccountName CP-ASA `
    -Path "CN=Computers,DC=yourdomain,DC=com"
  1. The -Name parameter is the name of the account in AD, -SamAccountName specifies the SAM-compatible name of the account, and -Path specifies the container in which the account will be created.
  2. Enabling AES 256 for Kerberos: AES 256 encryption is required for Kerberos authentication. You can update the computer account you created to enable it with the following command.
Set-ADComputer CP-ASA -Add @{"msDS-SupportedEncryptionTypes"="28"}

This command sets the required Kerberos encryption types on the specified computer account.

Replication: To verify that the ASA account you created has successfully replicated to all domain controllers in your AD domain, run the following command on one of your domain controllers.

repadmin /syncall /ADPe
This command ensures that AD objects are synchronized across all domain controllers in the domain; according to the author, the /ADPe switches enable the display of errors and warnings during replication.
  • When creating a computer account, set the naming and path information according to your organization's standards.
  • For security reasons, make sure that the password you choose complies with your organization's password policies.
  • Note that changes you make with ADSIEdit or other advanced AD management tools cannot be undone.
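The three steps above (create the account, set the encryption types, confirm replication) as one re-runnable script. This is an added example, not code from the original article; it assumes the account name CP-ASA, a placeholder container path, the RSAT ActiveDirectory module, and a session running as a domain administrator. It uses -Replace rather than -Add for the encryption-type attribute so that the script can be run again without failing on an attribute that is already set, and it queries every domain controller directly instead of assuming the repadmin run finished.

```powershell
# Added example (not from the original article). Creates the ASA computer
# account, enables AES Kerberos encryption types on it, and checks that every
# domain controller already holds the object before Exchange is configured.
Import-Module ActiveDirectory

$AsaName   = 'CP-ASA'                              # assumed ASA account name
$Container = 'CN=Computers,DC=yourdomain,DC=com'   # placeholder container path

# 1. Create the computer account (only if it does not already exist).
$existing = Get-ADComputer -Filter "Name -eq '$AsaName'" -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ADComputer -Name $AsaName `
        -AccountPassword (Read-Host 'Enter Password' -AsSecureString) `
        -Description 'ASA Account for Exchange Servers' `
        -Enabled:$true `
        -SamAccountName $AsaName `
        -Path $Container
}

# 2. 28 = RC4 (4) + AES128 (8) + AES256 (16), the value used in the article.
#    -Replace is idempotent; -Add fails if the single-valued attribute is set.
Set-ADComputer -Identity $AsaName -Replace @{'msDS-SupportedEncryptionTypes' = 28}

# 3. Ask each DC for the object and compare the attribute, so a lagging DC is
#    reported instead of silently handing out RC4-only tickets later.
function Test-AsaReplication {
    param([string]$Name, [int]$ExpectedEncTypes = 28)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $obj = Get-ADComputer -Identity $Name -Server $dc.HostName `
                       -Properties 'msDS-SupportedEncryptionTypes' -ErrorAction Stop
            $enc = $obj.'msDS-SupportedEncryptionTypes'
        }
        catch { $obj = $null; $enc = $null }   # not replicated to this DC yet
        [pscustomobject]@{
            DomainController = $dc.HostName
            Present          = [bool]$obj
            EncryptionTypes  = $enc
            Consistent       = [bool]$obj -and ($enc -eq $ExpectedEncTypes)
        }
    }
}

$status = Test-AsaReplication -Name $AsaName
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Consistent }) {
    Write-Warning "ASA not yet consistent on all DCs; run 'repadmin /syncall /ADPe' and re-check."
}
```

Wait for every row to report Consistent = True before running RollAlternateServiceAccountPassword.ps1 on the Exchange servers; otherwise the script may read the account from a domain controller that has not received the object yet.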

ASA and SPN (Service Principal Name) Association

SPNs (Service Principal Names) are the names under which the different Exchange services authenticate, and they are associated with specific URLs. Now we need to associate these SPNs with the newly created ASA.

SPN List

SPNs cover the URLs used by Exchange services, such as:

  • Outlook, MAPI over HTTP, Exchange Web Services, and Offline Address Book:
    • mail.cengizyilmaz.net
  • Autodiscover service:
    • autodiscover.cengizyilmaz.net

Setting SPN Values

SPN values must be mapped correctly to DNS names. This is done for the namespaces (domain names), not for individual servers. For example, if all Exchange servers are in a single Active Directory (AD) site and the URLs are served from two namespaces such as mail.cengizyilmaz.net and autodiscover.cengizyilmaz.net, then the SPNs must be associated with those two URLs.

If you have multiple AD sites and Exchange services are running in each of them, separate SPNs may need to be set for each namespace in use. For example, if you have additional namespaces such as CY-Mail.cengizyilmaz.net and NY-Autodiscover.cengizyilmaz.net, you must configure SPNs for those namespaces as well.

Configuring Exchange Server ASA Identity

The key component of Kerberos authentication on Exchange Server is the Microsoft Exchange Service Host service running on the mailbox servers. The ASA (Alternate Service Account) credentials required for Kerberos authentication are managed on each mailbox server with the RollAlternateServiceAccountPassword.ps1 script.

First, you need to run this script on the main Mailbox server. The steps are as follows:

  • Opening Exchange Management Shell (EMS):
    • If you are using Server 2019 or Server 2022 Core, start EMS by entering the LaunchEMS command from CMD.
  • Running the script:
    • In EMS, change to the Exchange scripts directory:
cd $exscripts
  • Run the script with the ASA computer account name (the script's parameter is -GenerateNewPasswordFor; PowerShell also accepts the shorter prefix -GenerateNewPassword):
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer EXCSERVER.akkaya.local -GenerateNewPasswordFor AKKAYA\CP-ASA$

When prompted for the necessary confirmations, confirm the process by pressing the "Y" key and continue.

If there is more than one Exchange server, a different form of the command must be used when running the script on the other servers. This is especially important when the password of the ASA computer account has just been created or changed.

.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer EXCSERVER2.cozumpark.com -CopyFrom EXCSERVER.cozumpark.com

As a result of these steps, the configuration made on the first mailbox server is copied to the other servers and the ASA credentials are updated there. Repeating this process on each server ensures a consistent configuration across the environment.

  • Changing the ASA password in AD improves the security of communication between servers.
  • If you have more than one Exchange server in your environment, make sure the credentials are updated by running this script on each one.

Verifying Exchange Server ASA Credentials

To verify that the Exchange servers on which you have activated Kerberos authentication are configured correctly, follow the steps below:

  • Checking ASA Credentials for a Specific Server
Get-ClientAccessService EXCSERVER -IncludeAlternateServiceAccountCredentialStatus | fl Name, AlternateServiceAccountConfiguration
  • Check ASA Credentials on All Servers
Get-ClientAccessService -IncludeAlternateServiceAccountCredentialStatus | fl Name, AlternateServiceAccountConfiguration

ASA SPN Association

If only some of the servers are configured for Kerberos, users may encounter password prompts when connecting to their mailbox or when accessing the AutoDiscover service. To avoid this situation, follow these SPN association steps:

  • Checking Available SPNs
setspn -F -Q http/mail.cozumpark.com

If you get the answer "No Such SPN Found", you need to make the association.

  • Relating SPNs to ASA
setspn -S http/mail.cozumpark.com AKKAYA\CP-ASA$
setspn -S http/autodiscover.cozumpark.com AKKAYA\CP-ASA$

If there are other SPNs in use in your environment, you need to associate them with the ASA as well; defining the SPN names is enough. In this example we use it only for Outlook Anywhere and AutoDiscover.

  • Verification of SPN Association
setspn -L AKKAYA\CP-ASA$
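The check / associate / verify sequence above, as one script that also handles the case the article's manual steps do not: an SPN that is already registered on a different account. That is an added example, not part of the original article; it assumes the ASA AKKAYA\CP-ASA$ and the two namespaces used in the article, and runs from an elevated prompt with rights to write SPNs in AD.

```powershell
# Added example (not from the original article). Ensures each namespace SPN is
# registered on the ASA and flags SPNs held by any other account, because a
# duplicate SPN breaks Kerberos for that namespace (the KDC cannot pick a key).
$Asa        = 'AKKAYA\CP-ASA$'                                     # assumed ASA
$Namespaces = @('mail.cozumpark.com', 'autodiscover.cozumpark.com') # from the article
$AsaCn      = ($Asa -split '\\')[1].TrimEnd('$')                   # "CP-ASA"

function Sync-AsaSpn {
    param([string]$Namespace)
    $spn = "http/$Namespace"
    # -F searches the whole forest, -Q queries for the SPN; capture the text.
    $query = (setspn -F -Q $spn 2>&1) | Out-String

    if ($query -match 'No such SPN found') {
        # -S checks for duplicates before adding, unlike -A.
        setspn -S $spn $Asa | Out-Null
        $state = 'Registered'
    }
    elseif ($query -match "CN=$([regex]::Escape($AsaCn))," ) {
        $state = 'AlreadyOnAsa'
    }
    else {
        # Held by another object (e.g. a server's computer account): do not add
        # a second registration; report it so the admin can move it.
        $state = 'HeldByOtherAccount'
        Write-Warning "$spn is registered elsewhere:`n$query"
    }
    [pscustomobject]@{ Spn = $spn; State = $state }
}

$Namespaces | ForEach-Object { Sync-AsaSpn -Namespace $_ } | Format-Table -AutoSize

# Final verification: everything currently registered on the ASA.
setspn -L $Asa
```

A row reporting HeldByOtherAccount is the situation that produces the intermittent password prompts described above: clients that happen to be routed to a server whose SPN is elsewhere cannot obtain a usable service ticket. Resolve it by removing the SPN from the other account (setspn -D) and re-running the script, rather than by forcing a duplicate with setspn -A.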

Enabling Kerberos Authentication for Clients

As a final step, you need to enable Kerberos authentication for Outlook connections.

Set Up Kerberos Authentication for Outlook Anywhere

Get-OutlookAnywhere -Server EXCSERVER | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate

To apply it to all Exchange servers at once:

Get-OutlookAnywhere | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate

Setting Up Kerberos Authentication for MAPI Over HTTPS

Get-MapiVirtualDirectory -Server EXCSERVER | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, Negotiate

To run it on all servers simultaneously:

Get-MapiVirtualDirectory | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, Negotiate
The most important service responsible for Kerberos authentication on Exchange servers is the MSExchangeServiceHost service. If this service is stopped, Kerberos authentication will not work.
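The two Set-* commands above together with a per-server readiness report, as an added example (not code from the original article). It is meant to be run in the Exchange Management Shell and assumes that every client access service in the organization should be switched to Negotiate; the Get-KerberosReadiness function name is my own.

```powershell
# Added example (not from the original article). Enables Negotiate for Outlook
# Anywhere and MAPI over HTTP on all servers, then reports, per server, whether
# both settings and the MSExchangeServiceHost service are in the expected state.

# Negotiate = Kerberos with NTLM fallback, so clients outside the domain keep working.
Get-OutlookAnywhere | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate
Get-MapiVirtualDirectory | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, Negotiate

function Get-KerberosReadiness {
    foreach ($server in (Get-ClientAccessService)) {
        $oa   = Get-OutlookAnywhere -Server $server.Name
        $mapi = Get-MapiVirtualDirectory -Server $server.Name
        $svc  = Get-Service -Name MSExchangeServiceHost -ComputerName $server.Name `
                    -ErrorAction SilentlyContinue

        $oaOk   = "$($oa.InternalClientAuthenticationMethod)" -eq 'Negotiate'
        $mapiOk = ($mapi.IISAuthenticationMethods | ForEach-Object { "$_" }) -contains 'Negotiate'
        $svcOk  = $svc -and ($svc.Status -eq 'Running')

        [pscustomobject]@{
            Server          = $server.Name
            OutlookAnywhere = $oa.InternalClientAuthenticationMethod
            MapiIISAuth     = ($mapi.IISAuthenticationMethods -join ',')
            ServiceHost     = if ($svc) { $svc.Status } else { 'NotFound' }
            Ready           = $oaOk -and $mapiOk -and $svcOk
        }
    }
}

$report = Get-KerberosReadiness
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ready }) {
    Write-Warning 'At least one server is not ready for Kerberos; clients routed there will fall back to NTLM or be prompted.'
}
```

Any server whose Ready column is False while the others are True is the "only some of the servers" case from the SPN section: behind a load balancer, users will see password prompts only when they land on that server, which makes the problem look intermittent.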

Testing Clients with Kerberos Authentication

Once you have completed your Kerberos setup, you can perform testing to ensure that clients are compatible with this new configuration by following the steps below.

Updating Configurations

We have updated the authentication settings for Outlook Anywhere and MAPI over HTTPS. To apply these changes to your Outlook clients quickly, you need to restart the following services:

Restarting the MSExchangeAutodiscoverAppPool Application Pool

In Exchange Management Shell (EMS), you can restart the application pool on every server with the following commands:

$cas = Get-ClientAccessService
$cas.name | ForEach-Object {Invoke-Command -ComputerName $_ -ScriptBlock {Restart-WebAppPool -Name MSExchangeAutodiscoverAppPool}}

Restarting MSExchangeServiceHost Service

To restart the MSExchangeServiceHost service on all mailbox servers:

$cas = Get-ClientAccessService
$cas.name | ForEach-Object {Invoke-Command -ComputerName $_ -ScriptBlock {Restart-Service MSExchangeServiceHost -Force}}

To check the status of the MSExchangeServiceHost service (using the $cas variable from the previous command):

$cas.name | ForEach-Object {Get-Service -Name MSExchangeServiceHost -ComputerName $_}

Verifying Kerberos Authentication

There are several ways to verify that Outlook is connecting using Kerberos:

Checking Cached Kerberos Tickets with Klist

From a command prompt or PowerShell on the client, view the cached Kerberos tickets by running the klist command:

klist

  1. You should see tickets for the SPNs associated with the ASA computer account:
    • http/mail.cozumpark.com
    • http/autodiscover.cozumpark.com
  2. Checking HTTP Proxy Log Files: You can review the HTTP Proxy log files on the Exchange server to verify that Outlook clients are connecting with Kerberos:
C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy

Search the log files for the phrase Negotiate/TRUE.
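Both verification checks above, scripted: one function for the client side (are the ASA SPN tickets in the klist cache?) and one for the server side (what share of recent HttpProxy requests carry the Negotiate/TRUE marker?). This is an added example, not code from the original article; it assumes the article's namespaces and the default Exchange install path, and it only searches for the literal phrase the article names rather than parsing the log format.

```powershell
# Added example (not from the original article).
# (a) Client: confirm the Kerberos ticket cache holds tickets for the ASA SPNs.
# (b) Server: count recent HttpProxy log lines containing "Negotiate/TRUE",
#     per protocol folder, so a protocol still on NTLM stands out.

function Test-ClientHasAsaTickets {
    param([string[]]$Spns = @('http/mail.cozumpark.com', 'http/autodiscover.cozumpark.com'))
    $cache = (klist) | Out-String          # whole klist output as one string
    foreach ($spn in $Spns) {
        [pscustomobject]@{
            Spn    = $spn
            Cached = [bool]($cache -match [regex]::Escape($spn))
        }
    }
}

function Get-NegotiateHitCount {
    param(
        [string]$LogRoot   = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy',
        [int]   $LastHours = 1
    )
    $since = (Get-Date).AddHours(-$LastHours)
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $total = 0; $kerb = 0
            foreach ($line in [System.IO.File]::ReadLines($_.FullName)) {
                if ($line.StartsWith('#')) { continue }      # header lines
                $total++
                if ($line -like '*Negotiate/TRUE*') { $kerb++ }
            }
            [pscustomobject]@{
                Protocol    = $_.Directory.Name              # e.g. the per-protocol folder
                File        = $_.Name
                Requests    = $total
                Negotiate   = $kerb
                PercentKerb = if ($total) { [math]::Round(100 * $kerb / $total, 1) } else { 0 }
            }
        }
}

# Run (a) on a workstation where Outlook is open, (b) on an Exchange server.
Test-ClientHasAsaTickets | Format-Table -AutoSize
Get-NegotiateHitCount -LastHours 2 | Sort-Object Protocol, File | Format-Table -AutoSize
```

A client row with Cached = False after Outlook has connected, or a protocol folder whose PercentKerb stays near zero while others climb, points at the SPN or authentication-method steps for that namespace or protocol rather than at the ASA password itself.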

Completing these steps indicates that your Exchange environment is successfully using Kerberos authentication and is securely configured. Enabling Kerberos authentication provides significant improvements to both security and user experience.
