While taking this Pluralsight learning path, I did the setup required to enable client access to mailboxes on Microsoft Exchange Server.
In order for the Outlook client to trust the Exchange server I needed to setup a certificate that the Exchange server will use.
Download the issued certificate
Complete the certificate request
Setup the Exchange services that should use the certificate
Second, I setup Exchange to use Kerberos authentication as to eliminate the situation where many or all clients are connecting to one Exchange server to perform authentication. This way Outlook contacts a domain controller and gets issued a certificate that is then used to authenticate with the Exchange server.
This PowerShell command allows the shared service computer account to use AES encryption. This account will be used by the Exchange server.
In the command window below I perform all the remaining steps to have Exchange use Kerberos
- The service account password is shared with the Exchange server
- Then I verify that the alternate service account configuration has been applied
- Then I create the service principal names for the Exchange client namespaces: mail and autodiscover. This will ensure the Outlook client will get a ticket from the domain controller for the alternate service account instead of the hostname of the exchange server
This is what the user experience looks like when opening Outlook for the first time. There are no authentication errors and autodiscover is able to find their email account as it matches their user principal name in the domain.
Also the Outlook client is using the correct client access namespace.
And that’s it for this post. Thank you for reading!