Configure Exchange 2013 CAS Array with WNLB and enable Kerberos support for OA


As Tom described in his post Migrating from Exchange 2010 to 2013 – part 2, there are major changes in the Exchange 2013 CAS role. In this post I explain how to configure a highly available CAS array with WNLB.

First you have to install WNLB on both CAS nodes and create the cluster and VIP. The CAS servers need only one NIC; we use the multicast operation mode.


Next we create the port rules. In this example I create a port rule for the whole port range. Because there is no need for affinity, we can safely disable the feature:


Now create the host A record for the cluster name excasarray01 and point it to the VIP.

Remember to change the internal URLs of the virtual directories on both CAS servers to use the cluster name and not the CAS computer name.

Kerberos support

I have 2 UAG servers that publish the Exchange 2013 CAS servers. On the UAG servers I don't want to publish both CAS servers and use the UAG load balancing. I want to publish the CAS cluster name and let WNLB do the load balancing.
If you don't configure an alternate service account for the CAS cluster name, you will not be able to use NTLM authentication for Outlook Anywhere.

To use Kerberos authentication you have to create a computer account in AD (the name doesn't have to match the array FQDN):


Then run the following script, which is located in C:\Program Files\Microsoft\Exchange Server\V15\Scripts, to configure the alternate service account:

.\RollAlternateServiceAccountPassword.ps1 -ToArrayMembers excasarray01.domain.local -GenerateNewPasswordFor "domain\EXCASARRAY01ASA$" -Verbose

excasarray01.domain.local stands for the FQDN of the CAS array
domain\EXCASARRAY01ASA$ stands for the created computer account


After the script has finished, we have to register some SPNs with the CAS array FQDN:

setspn -s exchangeMDB/excasarray01.domain.local domain\EXCASARRAY01ASA$
setspn -s exchangeRFR/excasarray01.domain.local domain\EXCASARRAY01ASA$
setspn -s exchangeAB/excasarray01.domain.local domain\EXCASARRAY01ASA$
setspn -s http/excasarray01.domain.local domain\EXCASARRAY01ASA$

Now we can publish the CAS array FQDN with UAG and use NTLM as the authentication method for Outlook Anywhere.
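
To confirm the result of the steps above, here is a verification check added as an example; it is not part of the original post or of the Exchange scripts. It looks up each SPN registered above in the current AD domain and flags missing, duplicated or misassigned entries (a duplicate SPN makes Kerberos ticket requests for that name fail), then shows the ASA credential each CAS holds. `Test-AsaSpn` is a hypothetical helper name, and the last command needs the Exchange Management Shell.

```powershell
# Added example: verify the SPNs and ASA credential configured in this post.
$ArrayFqdn  = 'excasarray01.domain.local'   # CAS array FQDN used in this post
$AsaAccount = 'EXCASARRAY01ASA$'            # sAMAccountName of the ASA computer account

# Hypothetical helper (not an Exchange cmdlet): reports who owns each expected SPN.
function Test-AsaSpn {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$Account
    )
    foreach ($class in 'exchangeMDB', 'exchangeRFR', 'exchangeAB', 'http') {
        $spn = "$class/$Fqdn"

        # Find every object in the current domain that carries this SPN.
        # Other domains in the forest are not searched here.
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        [void]$searcher.PropertiesToLoad.Add('samaccountname')
        $owners = @($searcher.FindAll() |
            ForEach-Object { [string]$_.Properties['samaccountname'][0] })

        if ($owners.Count -eq 0) {
            $status = 'Missing'        # setspn -s was not run or failed
        } elseif ($owners.Count -gt 1) {
            $status = 'Duplicate'      # more than one account holds the SPN
        } elseif ($owners[0] -ne $Account) {
            $status = 'WrongAccount'   # e.g. still registered on a CAS computer account
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            SPN    = $spn
            Owners = $owners -join ', '
            Status = $status
        }
    }
}

Test-AsaSpn -Fqdn $ArrayFqdn -Account $AsaAccount | Format-Table -AutoSize

# Exchange Management Shell only: show which ASA credential each CAS has loaded.
# Every array member should list the same account after the roll script has run.
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Format-List Name, AlternateServiceAccountConfiguration
```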