Sunday, 12 May 2013



Configuring ASA (Alternate Service Account) for Kerberos authentication


We will setup ASA (Alternate Service Account) for Kerberos authentication on all CAS servers in kkishoreblog.com resource forest. By default, clients that attempt to negotiate authentication will fail Kerberos authentication when a CAS array is configured thus falling back to NTLM. This will cause a lot of unnecessary NTLM authentication traffic. By Default, the Kerberos should be used by domain joined clients for authentication but the reason Kerberos authentication fails is because the authentication request is sent using the FQDN (mail.kkishoreblog.com) of the CAS array which does not match the SPN (Service Principal Names) value on the CAS. To address this issue we must create an appropriate SPN value for the CAS array within Active Directory. We also cannot configure the same SPN value on multiple objects in Active Directory. To work around this we created a method called ASA. The ASA can be either a computer account or user account. Then we can associate the SPNs we want for the CAS array to the ASA.
NTLM Authentication Concerns
Why is using NTLM authentication for Outlook and other MAPI clients a concern? Let’s take a look at the authentication process:
  1. The user launches Outlook.
  2. The user’s computer sends traffic to the server (load-balanced namespace) specified in the Outlook profile. This traffic includes the user’s integrated authentication information (in other words, NTLM authentication).
  3. The load balancer directs the traffic to a specific CAS member within the load-balanced array.
  4. The CAS member needs to verify the user’s credentials. It does this by sending traffic to a specific domain controller, the one which it has an associated secure channel binding, requesting a verification of the user's credentials.
  5. The domain controller responds to the CAS member with the information on the user’s credentials.
  6. The CAS member generates an access token and services the request.
The problem here is that each connection from the client must follow this same process. Therefore, as the number of connections increase, there is potential for a bottleneck in terms of handling the NTLM authentication. The bottleneck is a result of the following two issues:
  1. The CAS member only uses a single domain controller for all authentication requests. In addition, there is no load distribution mechanism across the CAS members in the load balanced array to ensure that each CAS is using a different domain controller for its secure channel binding.
  2. Windows limits the number of concurrent secure channel calls.  There are a specific number of threads that can handle NTLM authentication (controlled by MaxConcurrentAPI value, with default equaling 2).  
Each MaxConcurrentAPI thread can only deal with one authentication request at a time.  However, attributes like network latency, the number of hops the authentication requests have to go through, and the volume of requests can introduce a bottleneck in the authentication process, resulting in some of these transactions waiting longer than a remote client can tolerate.  If you have a heavy load, you are more than likely going to hit that limit when these clients authenticate via NTLM. Windows Server does have a means to increase the number of concurrent secure channel calls up to 150 when you deploy KB 975363. However, increasing the number of concurrent secure channel calls up as far as 150 is also not recommended, as it can have adverse effects on domain controller performance.
The solution here is to leverage an alternate service account (ASA) credential mechanism to enable Kerberos authentication.
Kerberos authentication is efficient and faster
With NTLM authentication, an application server must connect to a domain controller in order to authenticate each client. With the Kerberos V5 authentication protocol, on the other hand, the server is not required to go to a domain controller. Instead, the server can authenticate the client by examining credentials presented by the client. Clients can obtain credentials for a particular server once and then reuse those credentials throughout a network logon session. Renewable session tickets replace pass-through authentication.When a resource server gets Kerberos authentication information (in Kerberos speak "tickets" and "authenticators") from a client, the resource server has enough information to authenticate the client. The NTLM authentication protocol requires resource servers that aren't domain controllers (DCs), to contact a DC to validate a user's authentication request. This process is known as pass-through authentication. 

Leveraging an alternate service account (ASA)
Credential Type
We can create a computer account or a user account for the alternate service account. Because a computer account doesn’t allow interactive logon, it may have simpler security policies than a user account and therefore is the preferred solution for the ASA credential. If you create a computer account, the password doesn't actually expire, but we still recommend updating the password periodically. Local group policy can specify a maximum account age for computer accounts and there might be scripts scheduled to periodically delete computer accounts that do not meet current policies. Periodically updating the password for computer accounts will ensure that your computer accounts aren't deleted for not meeting local policy. Your local security policy will determine when the password needs to be changed.

Credential Name
There are no particular requirements for the name of the ASA credential. You can use any name that conforms to your naming scheme.

Groups and Roles
The ASA credential doesn't need special security privileges. If you are deploying a computer account for the ASA credential this means that the account only needs to be a member of the Domain Computers security group. If you are deploying a user account for the ASA credential, this means that the account only needs to be a member of the Domain Users security group.

Password
The password you provide when you create the account will never actually be used. Instead, the script will reset the password. So when you create the account, you can use any password that conforms to your organization’s password requirements.
All computers within the Client Access server array must share the same service account. In addition, any Client Access servers that may be called on in a datacenter activation scenario must also share the same service account.
We will create a single ASA and will share the same with all CAS array (mail.kkishoreblog.com)

Creating the alternate service account (ASA)

Open Active Directory Users and Computers and create a computer account.
Setting the ASA to the CAS servers 

Verify that CASARRAY-ASA computer account is replication to all Domain Controllers in all active directory sites.
To set ASA to the CAS servers we have to run AlternateServiceAccount credential script in the Exchange Management ShellRollAlternateserviceAccountPassword.ps1 “
Syntax
.\RollAlternateserviceAccountPassword.ps1 –ToArrayMembers {CAS array name}-GenerateNewPasswordFor {Domain}\{ASA}" –Verbose 
.\RollAlternateserviceAccountPassword.ps1 -ToEntireForest -GenerateNewPasswordFor "kkishoreblog\CASARRAY-ASA$" -Verbose

The script will ask if we want to change the password on the ASA. In this case we will say Yes
With the -verbose flag it should indicate what script operations were successful. To confirm that the Client Access servers were updated, you can verify the last modified time stamp on the ASA credential.

Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialstatus |Fl Name, AlternateServiceAccountConfiguration. Once the credential is set we need to set the correct SPNs to the ASA
Setting the correct SPNs to the ASA
Identifying the Service Principal Names That Should Be Associated with the Alternate Service Account Credential
After creating the alternate service account, we must determine the Exchange service principal names (SPNs) that will be associated with the ASA credentials. Below is the list of Exchange SPNs -
  • http Use this SPN for Exchange Web Services, Offline Address Book downloads, and the Autodiscover service.
  • exchangeMDB Use this SPN for RPC Client Access.
  • exchangeRFR Use this SPN for the Address Book service.
  • exchangeAB Use this SPN for the Address Book service.
The SPN values must be configured to match the service name being used on the network load balancer, rather than on individual servers. Client Access server member in array are configured with following internal and external URL setting CAS Array FQDN mail.kkishoreblog.com
·         Exchange Web Services –

·         Offline Address Book –

·         Autodiscover Services –

Based on the fully qualified domain names that are used by the Outlook clients the following SPNs would need to be deployed on the ASA credential:
  • http/ mail.kkishore.com
  • exchangeMDB/ mail.kkishore.com
  • exchangeRFR/ mail.kkishore.com
  • exchangeAB/ mail.kkishore.com
Associating Service Principal Names with the Alternate Service Account Credential
Some MAPI applications that interact with Exchange may need to use the Array’s short name or NetBIOS. We will set NetBIOS and FQDN for each SPN. 
Open CMD and run the below commands
setspn -s exchangeMDB/mail CASARRAY-ASA$
setspn -s exchangeMDB/mail CASARRAY-ASA$
setspn -s exchangeMDB/ mail.kkishore.com CASARRAY-ASA$
setspn -s exchangeRFR/ mail.kkishore.com CASARRAY-ASA$
setspn -s exchangeAB/ mail.kkishore.com CASARRAY-ASA$
setspn -s http/ mail.kkishore.com CASARRAY-ASA$
When you've set the SPNs, verify that they've been added by using the following command.
Setspn -L kkishoreblog\CASARRAY-ASA$

Convert the Offline Address Book Virtual Directory to an Application
The Offline Address Book virtual directory isn’t a Web application, so it isn’t controlled by the Microsoft Exchange Service Host service. Therefore, Kerberos authentication requests to the Offline Address Book virtual directory can’t be decrypted by the ASA credential.
To convert the Offline Address Book virtual directory to a Web application, run the ConvertOABDir.ps1 script on each Client Access server member. The script will also create a new application pool for the Offline Address Book virtual directory

Open the power shell and locate the script in scripts folder.

D:\Program Files\Exchsrvr\scripts>.\ConvertOABVDir.ps1
Once the script completes restart the MSExchangeOAB & MSExchangeRPC on all the CAS servers in the configured array:

Get-Service MSExchangeAB,MSExchangeRPC | Restart-Service

After this user joined to these domain should be able authenticate with Kerberos protocol.

Roll back Plan
To revert the Client Access server array so that it doesn't use Kerberos, remove the SPNs from the shared service account. 
setspn -d exchangeMDB/mail CASARRAY-ASA$
setspn -d exchangeMDB/ mail.kkishore.com CASARRAY-ASA$
setspn -d exchangeRFR/ mail.kkishore.com CASARRAY-ASA$
setspn -d exchangeAB/ mail.kkishore.com CASARRAY-ASA$
setspn -d http/ mail.kkishore.com CASARRAY-ASA$ 
If the SPNs are removed, Kerberos authentication won't be attempted by your clients, and clients configured to use Negotiate authentication will use NTLM. Clients configured to use only Kerberos will be unable to connect. Once the SPNs are removed you should also delete the shared service account.
You can use the maintenance script to clean out credentials from all Client Access server array members by using the toEntireForest parameter and using the -copy from server parameter to specify a server that does not have any Kerberos credentials. In addition, you should eventually restart all client computers to clear the Kerberos ticket cache.





Sunday, 5 August 2012

Pre-requisites of installing MS Exchange 2013 on Windows server 2008 R2 SP1


Pre-requisites of installing MS Exchange 2013 on Windows server 2008 R2 SP1

Install the required components.

PS C:\> Import-Module ServerManager

PS C:\> Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI
Restart will be required.

Then, install the below softwares in the same in the order.

  1. Microsoft .NET Framework 4.5 RC (I recommend downloading the standalone redistributable installer)
  2. Windows Management Framework 3.0 (requires restart)
  3. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
  4. Microsoft Office 2010 Filter Pack 64 bit
  5. Microsoft Office 2010 Filter Pack SP1 64 bit
  6. Microsoft Knowledge Base article KB974405 (Windows Identity Foundation)
  7. Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008 R2) (restart required)
  8. Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution)

Restart will be required


Uninstall Microsoft Visual C++ Beta Redistributable x64
After installing the above software components, but before installing Exchange 2013, remove the Microsoft Visual C++ Beta Redistributable via the Control Panel.
This must be uninstalled before attempting to install Exchange Server 2013 Preview.

Register ASP.Net with .NET Framework 4.5 in IIS.

C:\> %SystemDrive%\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -ir -enable
 
C:\> iisreset

Monday, 30 July 2012

Prepare AD before installing Exchange 2013 Preview


Before you install Exchange 2013 Preview you need to prepare active directory.


  • Schema master running Windows Server 2003 with SP2, or a later version of Windows Server
  • At least one Global catalog server per site that Exchange will be installed in that is running Windows Server 2008 or later
  • At least one Domain controller per site that Exchange will be installed in that is running Windows Server 2008 or later
  • Forest functional mode of Windows Server 2003 or higher
  • An account with Schema Admins, Domain Admins, and Enterprise Admins permissions to run Exchange setup

  •  Active Directory preparation requires the RSAT-ADDS  tool to be installed from where you will prepare AD.

    Import-Module ServerManager
    Add-WindowsFeature RSAT-ADDS

    Update Schema

    To update the schema, launch a PowerShell console and type in the following:
    ./setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms


    Note the use of “setup.exe”. Setup.com which was used before has been deprecated. There is also a new switch “/IAcceptExchangeServerLicenseTerms”. It will prevent the mandatory time-out which displays the warning that by waiting you agree with the license terms.
    Prepare AD
    Next to prepare AD,

    ./setup.exe /PrepareAD /ON:<exchange organization name>

    This command will prepare Active Directory and amongst others configure the appropriate permissions. This includes the creation of the Microsoft Exchange Security Groups (if they do not exist yet).


    After installing all prerequisites and preparing AD we are ready to install Exchange 2013 Preview.
    Locate the setup.exe file in the installation folder and double click it.





    This will connect and retrieve updates from internet. It’s better to be updated so you can choose to install updates but I will skip this as this computer is not connected to the internet.
    Click next





    It will then copy the required files  for the installation



    Next




    Accept the license agreement and click next.




    You may choose to yes to enable error reporting but this I have skipped
    Next



    If you have missed anything regarding the prerequisites it will notify in this step. You can even retry if you have missed any.

    Click next




    As I will install Mailbox and CAS on the same server so I am selecting both roles here. If you want to install these on two different servers then you have choose on role here and another role different server.Also always remember that Client Access is only doing the proxying. Separating the roles will give you better control and value from the proxying mechanisms.And make sure you have selected “Automatically install Windows Server roles and feature that are required to install server”. This will install roles and features if you have missed any.




    Here I have changed the installation location to E drive. You may keep the default location.





    Here the URL mentioned will be configured to External URL on this Client Access Server.







    Now relax and wait to installation to be completed as it will take some time. If this setup fails then we can review the Exchange Setup Logs that will be located in your system drive(C  drive) in the Exchange setup logs folder. Most of the time installation fails if you have missed any prerequisites.
    Once setup is complete then you are ready to go
    In Exchange Server 2010 & Exchange server 2007we had Exchange Management console but in Exchange server 2013 preview its Exchange Administration Center (EAC).

    To access it enter (https:// <FQDN of CAS> /ECP and start configuring.


    Before installing Exchange 2013 preview we should install the prerequisites.