Many good step-by-step manuals are available describing how to enable Kerberos authentication for Exchange Server 2013/2016.
The following issue has been seen in an Exchange 2013 infrastructure (8-server DAG) where Outlook clients use OutlookAnywhere to connect to Exchange Server. MAPI over HTTP is disabled at the organization level due to a compatibility issue with another client software.
Even if you follow the detailed descriptions, you might end up in a situation where your Outlook clients still won’t connect to Exchange Server using Kerberos. The Outlook connection status overview (Ctrl + Right Click on the Outlook icon in System Tray) still shows Ntlm as the used authentication provider:
You are supposed to use the following PowerShell cmdlets to configure OutlookAnywhere to use Kerberos:
Get-OutlookAnywhere -Server CASSERVER | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate
All eight Exchange 2013 servers were still not offering Nego as an authentication provider even after a while. Verifying the OutlookAnywhere configurations using PowerShell showed the correct configuration values. So what to do?
A quick check of the IIS authentication settings of the \Rpc virtual directory of the Front End website (Default Web Site) showed that this virtual directory was still configured to use NTLM only.
Use the IIS management console to add the Negotiate authentication provider to the list of available providers and reorder the list to use Nego first.
Now Outlook clients will pick up the configuration change and connect to OutlookAnywhere using Kerberos.
You should not use the IIS management console to change any settings of the Exchange Server virtual directories during normal operations. The IIS management console should only be used to troubleshoot unusual situations you encounter in your Exchange Server infrastructure.
The preferred method to change Exchange Server vDir settings is PowerShell.
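A read-only way to spot the mismatch described above on every server at once, as an added example that is not part of the original post: it compares the OutlookAnywhere setting Exchange reports with the Windows authentication providers IIS actually offers on \Rpc. It assumes the Exchange Management Shell, PowerShell remoting to each server, the WebAdministration module on the servers, and the site name 'Default Web Site' used on this page.

```powershell
# Added example: read-only comparison of the Exchange setting with what IIS offers.
# Assumptions: Exchange Management Shell, PowerShell remoting to every server,
# and a front end site named 'Default Web Site' as described on this page.
$filter = 'system.webServer/security/authentication/windowsAuthentication/providers'

$report = foreach ($oa in Get-OutlookAnywhere) {
    # Ask IIS on that server which providers the \Rpc virtual directory offers, in order.
    $providers = @(Invoke-Command -ComputerName $oa.ServerName -ArgumentList $filter -ScriptBlock {
        param($f)
        Import-Module WebAdministration
        $section = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
                                        -Location 'Default Web Site/Rpc' -Filter $f
        $section.Collection | ForEach-Object { $_.Value }
    })

    [pscustomobject]@{
        Server         = $oa.ServerName
        ExchangeMethod = $oa.InternalClientAuthenticationMethod
        IisProviders   = $providers -join ', '
        # Kerberos is only attempted when Negotiate is offered; it should be listed first.
        NegotiateFirst = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')
    }
}

$report | Format-Table -AutoSize

# Servers where Exchange reports Negotiate but IIS does not offer it first on \Rpc.
$report | Where-Object { "$($_.ExchangeMethod)" -eq 'Negotiate' -and -not $_.NegotiateFirst }
```

Any server returned by the last command is in the state described here: the OutlookAnywhere configuration looks correct in PowerShell while IIS still offers NTLM only or NTLM first.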
- Configuring Kerberos authentication for load-balanced Client Access services (Exchange 2016)
- Configuring Kerberos authentication for load-balanced Client Access servers (Exchange 2013)
Enjoy Exchange Server