Configuring Exchange Server for Kerberos constrained delegation
Configuring the /Exchange virtual directory to accept Kerberos authentication
- Open System Manager for Exchange Server.
- If administrative groups are displayed, expand the Administrative Groups node, and expand Administrative_Group_Name.
- Expand Servers, and then expand Exchange_Server_Name.
- Expand Protocols, expand HTTP, expand Exchange Virtual Server, right-click Exchange, and then click Properties.
- On the Access tab, click Authentication.
- Select the Integrated Windows Authentication check box and verify that the Basic Authentication check box is cleared.
- Click OK, and then click OK again.
- Repeat this procedure on each Exchange server in your deployment.
Enabling Kerberos constrained delegation on Exchange servers
- In System Manager, locate the administrative group that contains the Exchange servers on which you want to enable Kerberos constrained delegation.
- Right-click Administrative_Group_Name, and then click Properties.
- Select the Enable Kerberos Constrained Delegation check box, and then click Modify.
- Type the credentials for the account under which the KCD Service runs.
- Click Apply, and then click OK.
Configuring an Exchange front-end server to support Kerberos constrained delegation
- In System Manager, right-click the applicable server, and then click Properties.
- On the General tab, verify that the This is a front-end server check box is selected to confirm that you are configuring a front-end server.
- On the KCD-FE tab, click This server is a KCD-FE server for the organization.
- Click Apply, click OK, and then restart the Exchange System Attendant service.
- Repeat these steps on each front-end server that is to support Kerberos constrained delegation.
Requiring secure communications to the Web site
- Open IIS Manager.
- Expand the local computer, and then expand the Web Sites folder.
- Right-click the Web site where the Exchange front-end services have been installed (by default, the Default Web Site), and then click Properties.
- On the Directory Security tab, under Secure communications, click Edit.
- Select Require secure channel (SSL) on the Secure Communication page, and then click OK. Click OK again to close the Web site properties dialog box.
Deployments with Exchange front-end and back-end servers
- In the Active Directory Users and Computers console tree, expand the Domain_Name node and click Computers.
- In the details pane, double-click the name of an Exchange front-end server.
- On the Delegation tab, select Trust this computer for delegation to specified services only, and then select Use any authentication protocol.
- Click Add.
- In the Add Services dialog box, click Users or Computers.
- In the Select Users or Computers dialog box, enter the NetBIOS name of each Exchange back-end server that serves the selected Exchange front-end server. Click Check Names after you type each name, and then click OK.
- In the Add Services dialog box, find http in the list of available services. Select the entry for an Exchange back-end server (or hold down the CTRL key and select the entries for all the Exchange back-end servers that serve the selected front-end server) and click OK.
- On the Delegation tab, verify that http appears under Service Type and that the names of the Exchange back-end servers appear under User or Computer, and then click OK.
- Repeat this procedure for each Exchange front-end server in your deployment.
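
The Delegation tab settings above are stored on the front-end computer account: the list of permitted services in the msDS-AllowedToDelegateTo attribute, and Use any authentication protocol as the protocol-transition flag. The following added example (not part of the original procedure or of Microsoft's tooling) checks that a front-end server delegates only http to its back-end servers; it assumes the ActiveDirectory PowerShell module is available for live queries, and the server names and the Test-KcdDelegation function name are hypothetical.

```powershell
# Added example: audits the settings made on the Delegation tab.
# $Computer is any object exposing the three properties used below, for example:
#   Get-ADComputer EXFE01 -Properties TrustedForDelegation,TrustedToAuthForDelegation,msDS-AllowedToDelegateTo
function Test-KcdDelegation {
    param(
        [Parameter(Mandatory = $true)] $Computer,            # front-end computer object
        [Parameter(Mandatory = $true)] [string[]] $BackEnds  # back-end servers it serves
    )
    $findings = @()
    $spns = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # Unconstrained delegation must not be set alongside the constrained list.
    if ($Computer.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled'
    }
    # "Use any authentication protocol" sets the protocol-transition flag.
    if (-not $Computer.TrustedToAuthForDelegation) {
        $findings += 'Use any authentication protocol is not selected'
    }
    # Every delegation target should be http on a listed back-end server.
    foreach ($spn in $spns) {
        $class, $target = $spn -split '/', 2
        $hostName = ($target -split '[:/]')[0]   # drop any port or service-name suffix
        $short = ($hostName -split '\.')[0]      # compare on the short (NetBIOS-style) name
        if ($class -ne 'http') {
            $findings += "Unexpected service class: $spn"
        } elseif ($BackEnds -notcontains $short) {
            $findings += "Target is not a listed back-end server: $spn"
        }
    }
    # Every listed back-end server should have at least one http entry.
    foreach ($be in $BackEnds) {
        $pattern = '^http/' + [regex]::Escape($be) + '([.:/]|$)'
        if (-not ($spns | Where-Object { $_ -match $pattern })) {
            $findings += "No http delegation entry for back-end server $be"
        }
    }
    $findings
}

# Constructed sample standing in for Get-ADComputer output (all names hypothetical).
$sample = New-Object psobject -Property @{
    Name                       = 'EXFE01'
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('http/EXBE01', 'http/EXBE01.corp.example', 'cifs/FILE01')
}
Test-KcdDelegation -Computer $sample -BackEnds 'EXBE01', 'EXBE02'
```

An empty result means the account matches the procedure; run the check against each front-end server after the final step.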