Exchange 2007 Autodiscovery and Kerberos

The Exchange 2007 Autodiscover feature is one of the great improvements in Exchange 2007. Using Autodiscover, clients can automatically configure their email settings. Outlook 2007 uses Autodiscover through Active Directory, searching for a Service Connection Point (SCP) that identifies all the Client Access servers in the organization. The SCP object, in turn, contains the URL that is to be used in contacting the CAS server to retrieve the configuration information. The URL points to a virtual directory called Autodiscover in IIS on the CAS server the SCP object belongs to.
Autodiscover also works outside the organization. Outlook 2007 and Windows Mobile 6 devices are hard-coded to contact either https://autodiscover.<your email domain>/autodiscover or https://<your email domain>/autodiscover.
Sometimes you want to use the same FQDN for the Autodiscover URL both inside and outside of your organization. This is achieved using the Set-ClientAccessServer cmdlet and its AutoDiscoverServiceInternalUri parameter. There is no external Autodiscover URI parameter, because the external URL will always be the same: autodiscover.<your email domain>.
You have to be careful when changing the internal name. After Outlook 2007 finds the URL from the SCP in Active Directory, it contacts the URL and authenticates to it using your username and password. The authentication method used is Kerberos. If you change your Autodiscover URL to something with a host name different from the host name of the actual CAS server, you will not be able to get the configuration information from the Autodiscover service. You will fail with an Access Denied message, because you cannot successfully authenticate. The reason for this is Kerberos.
When using Kerberos authentication, you request and receive a series of tickets from Domain Controllers to access a resource. These tickets are bound to the name of the server hosting the services you want to access, through something called a Service Principal Name (SPN). An SPN is comprised of the service being offered, e.g. HTTP or HOST, and the name of the server. A computer's valid SPNs are listed in the servicePrincipalName attribute on its computer object in Active Directory.
If you change the FQDN in the Autodiscover URL, Kerberos will grant a ticket with the wrong SPN and you will be denied access. The solution to this is to use the SETSPN.EXE utility from the Windows Support Tools to add the new names.
E.g. setspn.exe -A HOST/autodiscover.mydomain.com <CAS server computer name>
After doing this, you can reset IIS with the iisreset /noforce command and successfully use your new Autodiscover URL.
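The check behind the steps above, as an added example that is not part of the original post: it takes the host name from an Autodiscover URL and looks for an account that holds a matching SPN, and it also reports the case where the same name has been added to more than one account. The function name Test-AutodiscoverSpn, the CAS01/CAS02 accounts and all SPN values are assumptions made up for illustration.

```powershell
# Added example; every server, account and SPN value below is constructed.
# A registered HOST/<name> SPN also answers for these service classes
# (abridged from the default sPNMappings list in Active Directory).
$HostAliases = @('host', 'http', 'www', 'w3svc')

function Test-AutodiscoverSpn {
    param(
        [string]$InternalUri,       # value of AutoDiscoverServiceInternalUri
        [hashtable]$SpnsByAccount   # account name -> servicePrincipalName values
    )
    # The client requests a ticket for HTTP/<host name taken from the URL>.
    $target = ([uri]$InternalUri).Host.ToLower()
    $owners = @()
    foreach ($account in $SpnsByAccount.Keys) {
        foreach ($spn in $SpnsByAccount[$account]) {
            # SPN layout: <service class>/<host>[:<port>]
            $class, $rest = $spn.ToLower().Split('/', 2)
            $spnHost = ($rest -split ':')[0]
            if (($HostAliases -contains $class) -and ($spnHost -eq $target)) {
                $owners += $account
            }
        }
    }
    $owners = @($owners | Sort-Object -Unique)
    switch ($owners.Count) {
        0 { 'MISSING   {0}: no account holds a HOST/ or HTTP/ SPN for this name' -f $target }
        1 { 'OK        {0}: registered on {1}' -f $target, $owners[0] }
        default { 'DUPLICATE {0}: held by {1}; an SPN must belong to one account only' -f $target, ($owners -join ', ') }
    }
}

# Constructed directory contents: two CAS servers with their default SPNs.
$directory = @{
    'CAS01$' = @('HOST/cas01.mydomain.com', 'HOST/CAS01')
    'CAS02$' = @('HOST/cas02.mydomain.com', 'HOST/CAS02')
}
$real  = 'https://cas01.mydomain.com/autodiscover/autodiscover.xml'
$alias = 'https://autodiscover.mydomain.com/autodiscover/autodiscover.xml'

Test-AutodiscoverSpn $real  $directory   # URL uses the server's own name
Test-AutodiscoverSpn $alias $directory   # URL changed, no SPN added yet

# Equivalent of: setspn.exe -A HOST/autodiscover.mydomain.com CAS01
$directory['CAS01$'] += 'HOST/autodiscover.mydomain.com'
Test-AutodiscoverSpn $alias $directory

# The same name added to a second account makes the SPN ambiguous.
$directory['CAS02$'] += 'HTTP/autodiscover.mydomain.com'
Test-AutodiscoverSpn $alias $directory
```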

Yet another (unannounced) Transporter Suite update

A new version of the Transporter Suite for Lotus Domino has appeared on the Microsoft download site:
The version number is listed as 08.01.0223, and the file size of the transporter.msi file has also changed. Like last time, this was not announced and no information exists about what changes have been made.
I am in the middle of a migration project and this is very frustrating. The Transporter team should provide updated release notes when they change their bits. This is the worst version control, or lack thereof, I have ever seen in a professional product.
UPDATE: A recent KB article sheds some light on one of the changes in this newest version of the Transporter Suite. It is a change to fix the problem with foreign language characters not being displayed correctly after a mailbox has been migrated. The KB article is called "Foreign characters in e-mail messages are not displayed correctly after you use Microsoft Transporter Suite for Lotus Domino to migrate a mailbox to Exchange Server 2007" and is available here: