Exchange 2007 Autodiscovery and Kerberos

The Exchange 2007 Autodiscover feature is one of the great imporvements in Exchange 2007. Using Autodiscover, clients can automatically configure their email settings. Outlook 2007 uses Autodiscover through Active Directory, searching for a Service Connection Point (SCP) that identifies all the Client Access servers in the organization. The SCP object, in turns, contains the URL that is to be used in contacting the CAS server to retreive the configuration information. The URL points to a virtual directory called Autodiscover in IIS on the CAS server the SCP objet belongs to.
Autodiscover also works outside the organization. Outlook 2007 and Windows Mobile 6 devices are hard-coded to contact either https://autodiscover.<your email domain>/autodiscover or https://<your email domain>/autodiscover.
Sometimes you want to use the same FQDN for the Autodiscover URL both inside and outside of your organization. This is achieved using the Set-ClientAccessServer cmdlet and its AutoDiscoverServiceInternalUri parameter. There is no external Autodiscover URI parameter, because the external URL will always be the same; autodiscover.<your email domain>.
You have to be careful changing the internal name. After Outlook 2007 finds the URL from the SCP in Active Directory it contacts the URL and authenticates to it using your username and password. The authentication method used is Kerberos. If you change your Autodiscover URL to something with a host name different from the host name of the actual CAS server you will not be able to get the configuration information from the Autodiscover service. You will fail with an Access Denied message, because you cannot successfully authenticate. The reason for this is Kerberos.
When using Kerberos authentication you request and receive a series of tickets from Domain Controllers to access a resource. These tickets are bound to the name of the server hosting the services you want to access, through something called a Service Principal Name (SPN). An SPN is comprised of the service being offered, eg. HTTP or HOST, and the name of the server. A computer’s valid SPNs are listed in the servicePrincipalName attribute on it’s computer object in Active Directory.
If you change the FQDN name in the Autodiscover URL Kerberos will grant a ticket with the wrong SPN and you will be denied access. The soultion to this is to use the SETSPN.EXE utility from the Windows Support Tools to add the new names.
Eg. setspn.exe -A HOST/
After doing this you can reset IIS with the iisreset /noforce command and successfully use your new Autodiscover URL.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.