Enabling Kerberos Authentication in a Mixed Exchange 2013 / 2016 Environment

Tuesday, October 27, 2015
Recently, the Exchange Team published an article, "Exchange 2016 Coexistence with Kerberos Authentication" explaining how to enable Kerberos authentication in a mixed environment. Using Kerberos authentication for Exchange is a best practice and is part of the preferred architecture.

The Kerberos article above gives all the details of how to create the alternate service account (ASA) account and necessary SPNs in Active Directory, as well as how to configure Exchange to use Kerberos.

Once the ASA account is configured on the first Exchange server (2013 or 2016) using the RollAlternateServiceAccountPassword.ps1 script, you run the same script on your other 2013 and 2016 servers to copy the ASA account and password to those servers. We are told to use the 2013 version of the script to deploy across all Exchange servers, even 2016.

However, if you run the Exchange 2013 version of the script from Exchange 2013 targeting an Exchange 2016 server, you will get an error as shown below:

It appears that the Exchange 2013 script invokes a remote PowerShell call to the Exchange 2016 server because we can see a warning that the Get-ClientAccessServer cmdlet is being deprecated. Exchange 2013 would not know this. The script then fails due to a serialization error.

The fix is to copy the 2013 version of the RollAlternateServiceAccountPassword.ps1 script to your Exchange 2016 servers and run it from there. You will see several warnings that the Get-ClientAccessServer cmdlet is being deprecated, but the script will complete successfully.

Another gotcha in the article, Configuring Kerberos authentication for load-balanced Client Access servers is in the step to Enable Kerberos authentication for Outlook clients. This step instructs you to enable Kerberos for the MAPI virtual directory using the following command:
Get-MapiVirtualDirectory -Server CAS-1 | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, Negotiate
If you are a hybrid customer or have configured OAuth for any other reason, the command above will remove OAuth as an authentication method for IIS. A better way of doing this would be to use the following two commands:
$server = Get-MapiVirtualDirectory –Server CAS-1
$server | Set-MapiVirtualDirectory -IISAuthenticationMethods ($server.IISAuthenticationMethods += "Negotiate")
This will add Negotiate (Kerberos) to the existing IIS authentication methods if it does not already exist.