Solved

Exchange 2010 + HLB + Kerberos

Posted on 2010-11-22
2
1,150 Views
Last Modified: 2013-03-11
Hi ALL,

I have a question concerning HLB and kerberos. I saw in article http://www.msexchange.org/articles_tutorials/exchange-server-2010/high-availability-recovery/load-balancing-exchange-2010-client-access-servers-using-hardware-load-balancer-solution-part2.html 
that we can't use HLB URL for internal OWA URL.
In article Henrik Walther say this is because kerberos is used when accessing a mailbox
Can someone tell me more about that? I would like to understant completly
0
Comment
Question by:makanzore
2 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 34200948
the issue has nothing to do with exchange but with kerberos authentication.

Kerberos is the authentication method AD works and, by default, it cannot be used unless you are accessing the server with its real name.

Let me give you an example, assuming your server name is server1 and you try to access \\server1 from the network then kerberos will be used to authenticate you as a user and will allow you to access it.

However assuming you add a dns record or change your host file in a way that server2 is resolved to the same ip as server1 and try to access the server using \\server2 you will notice that you will not be able to access it using this name from a computer that is joined to your domain since the name you are trying to use is not registered in AD.

for the same reason accessing the owa website using https:\\mail.domain.com will take you to the NLB IP and then redirected to say server1 and try to use Kerberos authentication so you will be trying to access server1 with the name mail and kerberos will refuse it.

all this been said you have 2 workarounds for this "problem"

1. just enable basic authentication on the owa instead of kerberos authentication
2.Disable Strict Name Checking on the CAS servers
http://serverfault.com/questions/23823/how-to-configure-windows-machine-to-allow-file-sharing-with-dns-alias
0
 

Expert Comment

by:klacol
ID: 38974427
Hello,

we are using Kerberos with Delegation to authenticate at an Exchange-CAS-server. Since we have a web application there is the double-hop-problem and the hop from our web-application-server (IIS) to the CAS is allready the second hop.

One of our customers has a LB-Enviroment.

Does this articel mean, that the traffic cannot be routed through the LB-balancer?

Thanks
Klaus
0

Featured Post

Will my email signature work in Office 365?

You've built an email signature using raw HTML code in Office 365, but you can't review how it looks with Transport Rules. So you have to test it over and over again before it can be used. Isn't this a bit of a waste of your time? Wouldn't a WYSIWYG editor make it a lot easier?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Exchange 2013 event logs 1 25
SYSVOL not replicating 10 53
Exchange 2010 SP3 and Outlook 2003 7 32
Domain Controller - Upgrade DNS Delegation 2 0
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now