Enabling kerberos authentication for mapi clients for Exchange 2010 and outlook 2010 users.

few of the users outlook got disconnected and when we did more research on the issue we find the Issue with the authentication as with outlook 2010 it set with a negotiate authentication by default and when we change it to kerberos password authentication. Problem has been sorted out. But the issue has been widespread to one site and we want to push the kerberos authentication for all mapi client using the group policy.

Please help me who we can proceed on this. It would be good if you provide the detailed steps.

[Also i found one Article- http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx]

But this is to change something with CAS and we want to do the kerberos using the group policy.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The way I understood this was Outlook will negotiate the strongest authentication protocol possible. If kerberos is available it will use it. If you followed the blog and enabled Kerberos authentication on the CAS server then the clients should use it. forcing Kerberos in my opinion is a bad idea because although you want the clients to use Kerberos, you want them to fall back to NTLM if they can't authenticate with Kerberos.
how many CAS-server you have?
Do you use any CAS-Array?

If you are using just a single-CAS server...then you can directly expect the Kerberos to be tried and used by the Outlook Clients

Regarding the CAS-Array:
Create an account to be used as the ASA credential ....should be helping you to achieve the Kerberos Authentication.

Issue is wide-spread to a site:
>> The default Outlook profile is sufficient to ask Outlook to check for the Kerberos authentication.
If we fix the CAS-Server for the Kerberos...this should be sufficient
If we are not concentrating @ the CAS-server and just changing\forcing the Outlook UI....still the auth. may fail.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.