
KCD delegation in a load balanced environment

This post covers how to configure Kerberos Constrained Delegation (KCD) for Exchange in a load-balanced environment.

The scenario: one of my Access Gateways needs to use Kerberos Constrained Delegation (KCD) to provide Single Sign-On (SSO) for my users to Exchange.

This can be done with any access product that supports KCD, such as TMG, UAG, NetScaler, Juniper, F5 or PointSharp Mobile Gateway. The configuration on the Access Gateway differs from product to product, but the backend (Active Directory and Exchange) configuration is the same.

So what is KCD and what does it do? To keep it really simple: the Access Gateway acts as a door guard and the backend server is the bartender.

The door guard checks your ID (the gateway authenticates you, with whatever method it supports) and lets you in. The bartender serves you drinks because he trusts the door guard. The door guard also stamps your hand to show that your ID has been checked; that stamp is the Kerberos service ticket the gateway obtains on your behalf and presents to the backend. "Constrained" means the door guard can only vouch for you towards the specific services (SPNs) listed in his delegation settings.

In my example I will do this using PointSharp Mobile Gateway and Exchange Server 2013.

First of all, let's look at the environment:

  • psg1.domain.com (Mobile Gateway)
  • psg2.domain.com (Mobile Gateway)
  • lb.domain.com (load balancer in front of the Exchange servers)
  • exch01.domain.com (Exchange 2013)
  • exch02.domain.com (Exchange 2013)
  • exch03.domain.com (Exchange 2013)
  • exch04.domain.com (Exchange 2013)

[Image: kcd_visio]

When doing KCD you assign Service Principal Names (SPNs) to either a computer account or a user account. An SPN has to be unique in the forest: a duplicate SPN means the KDC cannot tell which account's key to encrypt the service ticket with, and Kerberos authentication to that service fails.

setspn -L exch01

This lists the SPNs that are already registered on the computer account exch01.

You might see HOST/exch01.domain.com. The HOST class covers HTTP as well when IIS runs under the computer account (Local System or Network Service), so this is enough if you have only one Exchange server, clients connect to it by its own name and there is no load balancer in between.

So why does a load balancer change how you set up the SPN?

The Access Gateway connects to the load balancer name (mail.domain.com) and therefore requests a Kerberos ticket for the SPN http/mail.domain.com. That ticket is encrypted with the long-term key of the account that owns the SPN. Since the gateway never knows which of the four backend servers the load balancer picks, every server must be able to decrypt that same ticket, which means they must all share the account (and key) that owns the SPN. You cannot register the same SPN on all four computer accounts, so you need to do this in a different way.

The way to do this is to use a single service account that is shared by all of the Exchange servers. Exchange calls this the Alternate Service Account (ASA) credential, and it is distributed with the RollAlternateServiceAccountPassword.ps1 script that ships in the Exchange scripts folder.

When you run the script it takes the service account you created for this purpose, let's call it svc_kcd, sets a new password on it and configures that credential on all of the Exchange Client Access servers you target. The Exchange services keep running under their normal identities; the ASA credential only gives them the key they need to decrypt Kerberos tickets issued for the shared SPN.

Next you set an SPN on this account.

The SPN must match the name the gateway connects to, i.e. the name you publish on your load balancer, not the names of the individual servers. For now, assume the name is mail.domain.com:

setspn -S http/mail.domain.com svc_kcd
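The backend steps above (create the shared account, distribute it as the ASA credential, register the SPN, verify) as one script. This is an added example and not code from the original post; it assumes the NetBIOS domain DOMAIN, the account name svc_kcd, the servers exch01-exch04 and the load balancer name mail.domain.com, and is run from the Exchange Management Shell on one of the Exchange servers by an account that can create users and register SPNs.

```powershell
# Added example: backend side of KCD for load-balanced Exchange 2013.
# Assumptions: domain DOMAIN / domain.com, ASA account svc_kcd, servers exch01-exch04,
# load balancer published as mail.domain.com. Run in the Exchange Management Shell.

Import-Module ActiveDirectory

# 1. Create the account every Exchange server will share. Microsoft recommends a
#    computer account for the ASA; the post uses a user account, so that is shown here.
#    PasswordNeverExpires avoids a Kerberos outage when the password would age out
#    (rotate it with the roll script instead).
$Password = Read-Host -AsSecureString -Prompt 'Initial password for svc_kcd'
New-ADUser -Name 'svc_kcd' -SamAccountName 'svc_kcd' -UserPrincipalName 'svc_kcd@domain.com' `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true

# 2. Generate a new password for the ASA and push the credential to the listed
#    Client Access servers. $exscripts is the Exchange scripts folder.
#    -ToEntireForest would target every CAS instead of a fixed list.
Set-Location $exscripts
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServers exch01,exch02,exch03,exch04 `
    -GenerateNewPasswordFor 'DOMAIN\svc_kcd' -Verbose

# 3. Register the SPN for the name the gateway connects to. -S refuses to create a
#    duplicate, which is the check you want before touching Kerberos in production.
setspn -S http/mail.domain.com svc_kcd

# 4. Verify: the SPN resolves to exactly one account, and each server reports the ASA.
setspn -Q http/mail.domain.com
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Select-Object Name, AlternateServiceAccountConfiguration
```

If `setspn -Q` reports the SPN on more than one account, remove the stray entry (`setspn -D`) before going further; a duplicate anywhere in the forest breaks Kerberos for mail.domain.com even when the ASA itself is configured correctly.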

In my case I want to use KCD for ActiveSync, so in IIS on each Exchange server I need to verify that Windows Authentication is enabled for the /Microsoft-Server-ActiveSync virtual directory.

I also need to make sure that Negotiate is listed as a provider (and listed before NTLM), otherwise IIS will never accept the Kerberos ticket the gateway presents.

[Image: Providers]
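A way to check the two settings above on all four servers at once, and to fix them where needed. This is an added example, not part of the original post; it assumes the servers exch01-exch04, the default "Default Web Site/Microsoft-Server-ActiveSync" path, and that PowerShell remoting to the Exchange servers is allowed. Run it from the Exchange Management Shell as an Exchange administrator with local admin rights on the servers.

```powershell
# Added example: verify Windows Authentication and the Negotiate provider on the
# ActiveSync virtual directory of each Exchange 2013 server.
# Assumptions: servers exch01-exch04, default virtual directory path, remoting enabled.

$Servers = 'exch01', 'exch02', 'exch03', 'exch04'

# 1. Exchange's own view: Windows authentication must be on. Enable it through the
#    Exchange cmdlet (not IIS Manager) so Exchange keeps its metadata consistent.
foreach ($Server in $Servers) {
    $Vdir = Get-ActiveSyncVirtualDirectory -Server $Server
    if (-not $Vdir.WindowsAuthEnabled) {
        Set-ActiveSyncVirtualDirectory -Identity $Vdir.Identity -WindowsAuthEnabled $true
    }
    $Vdir | Select-Object Server, WindowsAuthEnabled, BasicAuthEnabled
}

# 2. IIS view: the windowsAuthentication providers list must contain Negotiate, and
#    Negotiate should come first so Kerberos is offered before NTLM.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    Import-Module WebAdministration
    $Path   = 'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync'
    $Filter = 'system.webServer/security/authentication/windowsAuthentication'

    $Providers = @((Get-WebConfigurationProperty -PSPath $Path -Filter "$Filter/providers" `
        -Name Collection).value)

    if ($Providers.Count -eq 0 -or $Providers[0] -ne 'Negotiate') {
        # Rebuild the list with Negotiate first; NTLM stays as a fallback.
        Clear-WebConfiguration -PSPath $Path -Filter "$Filter/providers"
        foreach ($Provider in 'Negotiate', 'NTLM') {
            Add-WebConfigurationProperty -PSPath $Path -Filter "$Filter/providers" `
                -Name '.' -Value @{ value = $Provider }
        }
        $Providers = 'Negotiate', 'NTLM'
    }

    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        WindowsAuth = (Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name enabled).Value
        Providers   = ($Providers -join ', ')
    }
}
```

The provider order matters: IIS emits the WWW-Authenticate challenges in list order, and a gateway that only does Kerberos will fail if NTLM is the only, or the first, provider offered.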

Now the configuration of the Exchange servers is done. Next we'll look at how to set up the Access Gateway.

My Mobile Gateway runs on IIS, so I need to configure the application pool it uses to run as a domain service account. Let's call this account svc_psg. This is the identity that will request Kerberos tickets on behalf of the users, so the delegation settings below are applied to it.

Now I want to allow the account svc_psg (the door guard) to delegate to svc_kcd (the bartender).

The Delegation tab in Active Directory Users and Computers is shown by default for computer accounts, but for a user account it only appears once the account has at least one SPN registered. To make it visible you therefore need to add an SPN to svc_psg as well.

This SPN is never actually used by the clients, so the name is not important, but it still has to be unique in the forest; use setspn -S so the tool refuses a duplicate. I'll set http/psg.domain.com:

setspn -S http/psg.domain.com svc_psg

Now we can configure the delegation in Active Directory Users and Computers, and it looks like this:

[Image: KCD Delegation]

Select "Trust this user for delegation to specified services only", then "Use any authentication protocol", then add the service account svc_kcd and pick HTTP (http/mail.domain.com) as the service type. "Use any authentication protocol" enables protocol transition, which is required here because the clients authenticate to the gateway with something other than Kerberos (for ActiveSync typically Basic over TLS) and the gateway has no Kerberos ticket from the user to forward. Be aware of what that grants: an account with protocol transition can obtain a ticket for any user in the domain to every SPN on its delegation list, so keep that list limited to http/mail.domain.com and protect the svc_psg credential accordingly.
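The gateway-side configuration (placeholder SPN, application pool identity, constrained delegation with protocol transition, verification) as a script. This is an added example and not part of the original post; it assumes the account names svc_psg and svc_kcd, the SPN http/mail.domain.com, the domain DOMAIN, and a hypothetical IIS application pool named PointSharpPool (look up the real pool name in IIS Manager on the gateway). The AD part must be run by an account that is allowed to set delegation (Domain Admin, or a user granted "Enable computer and user accounts to be trusted for delegation"); the IIS part runs on the gateway host.

```powershell
# Added example: gateway side of classic KCD with protocol transition.
# Assumptions: gateway account svc_psg, backend ASA svc_kcd owning http/mail.domain.com,
# domain DOMAIN, hypothetical app pool name 'PointSharpPool'.

Import-Module ActiveDirectory
Import-Module WebAdministration

# 1. Placeholder SPN so ADUC shows the Delegation tab for the user account.
#    -S keeps the SPN unique in the forest.
setspn -S http/psg.domain.com svc_psg

# 2. What the ADUC dialog writes when you choose "Trust this user for delegation to
#    specified services only" + "Use any authentication protocol" + the HTTP service
#    on svc_kcd:
#      TrustedToAuthForDelegation  -> TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl
#      msDS-AllowedToDelegateTo    -> the only SPNs svc_psg may obtain user tickets for
Set-ADAccountControl -Identity svc_psg -TrustedToAuthForDelegation $true
Set-ADUser -Identity svc_psg -Replace @{ 'msDS-AllowedToDelegateTo' = @('http/mail.domain.com') }

# 3. On the gateway: run the application pool as svc_psg. identityType 3 = SpecificUser.
$Cred = Get-Credential -UserName 'DOMAIN\svc_psg' -Message 'Password for svc_psg'
Set-ItemProperty -Path 'IIS:\AppPools\PointSharpPool' -Name processModel -Value @{
    identityType = 3
    userName     = $Cred.UserName
    password     = $Cred.GetNetworkCredential().Password
}

# 4. Verify. The delegation list should contain only the Exchange SPN: with protocol
#    transition enabled, svc_psg can impersonate any user towards every SPN listed here.
Get-ADUser -Identity svc_psg -Properties servicePrincipalName, TrustedToAuthForDelegation,
    'msDS-AllowedToDelegateTo' |
    Select-Object Name, servicePrincipalName, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

If you later add more backend services behind the same gateway, append their SPNs to msDS-AllowedToDelegateTo with `-Add` rather than `-Replace`, and review the list whenever a service is decommissioned.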

Now my clients authenticate to the Access Gateway, and the gateway performs Kerberos Constrained Delegation to give them SSO to the backend.

The Access Gateway is configured to send all traffic to mail.domain.com, the load balancer, and it requests service tickets for the SPN http/mail.domain.com.

The load balancer forwards the requests to one of the backend Exchange servers. All of them hold the ASA credential for svc_kcd, the account that owns http/mail.domain.com, so whichever server receives the request can decrypt the ticket.

For all of this to work the Access Gateway has to be joined to the domain, and since you most likely place the Access Gateway in the DMZ you might not want to do that.

You can get around this with two gateways in series: one in the DMZ that is not domain joined, and one on the LAN that is domain joined. This way you don't need to open the Active Directory and Kerberos ports from the DMZ to your domain controllers, but you still get SSO from the domain-joined Access Gateway.

If your domain controllers run Windows Server 2012 or later, there is a newer way to configure the delegation, called resource-based constrained delegation. The delegation is then set on the backend account (svc_kcd) rather than on the front end, so the owner of the resource decides who may delegate to it without needing Domain Admin rights, and it also works across trusted forests. I won't go into detail about that configuration here, but thought I'd mention it. You can find more information about it here: http://technet.microsoft.com/en-us/library/jj553400.aspx
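For reference, the resource-based variant of the same delegation, as an added example that is not part of the original post. It assumes the same accounts as above (svc_psg on the gateway, svc_kcd owning http/mail.domain.com), Windows Server 2012 or later domain controllers in the backend's domain, and the Windows Server 2012 or later ActiveDirectory PowerShell module.

```powershell
# Added example: resource-based constrained delegation (RBCD) for the same scenario.
# Assumptions: gateway account svc_psg, backend ASA svc_kcd, 2012+ domain controllers.
# The setting lives on the backend account, so it is written by whoever owns svc_kcd.

Import-Module ActiveDirectory

# Allow svc_psg to act on behalf of users towards svc_kcd. This populates
# msDS-AllowedToActOnBehalfOfOtherIdentity on svc_kcd with the SID of svc_psg;
# the front end may live in a trusted forest.
$FrontEnd = Get-ADUser -Identity svc_psg
Set-ADUser -Identity svc_kcd -PrincipalsAllowedToDelegateToAccount $FrontEnd

# Verify the resource-side list ...
Get-ADUser -Identity svc_kcd -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# ... and, if you migrated from classic KCD, clear the front-end list so that
# delegation is governed in exactly one place.
Set-ADUser -Identity svc_psg -Clear 'msDS-AllowedToDelegateTo'
```

With RBCD the front-end account still needs an SPN for ticket requests to work, so the placeholder http/psg.domain.com registered earlier stays in place.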
