Move/configure Kerberos Authentication from Exchange 2010 to 2016

Subham Wipro 21 Reputation points
2020-07-08T04:47:30.75+00:00

We have a hybrid environment. We were using Exchange 2010 with Kerberos Authentication. Now we have upgraded our Exchange version to 2016, so we want to move/configure Kerberos Authentication on 2016. How can we do this?


1 answer

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-07-08T16:56:01.117+00:00

    Hello @SubhamWipro-2202 ,

    You have mentioned that you have upgraded to Exchange 2016, so I am assuming that you are not using coexistence. You can do this, but it's difficult to lay out the exact process here as it's a very long process and requires proper planning. You can check the article on how to enable Kerberos Authentication for accessing Exchange in a resource forest. It describes the process in detail. If you have load-balanced Client Access servers, you can review the details in the article about configuring Kerberos authentication for load-balanced Client Access servers. I would suggest that you test this in your lab before implementing it in production.

    If by any chance I have understood wrong and you are using coexistence, you will need to create a new Alternate Service Account credential for use with Exchange 2016, while Exchange 2010 will have its own ASA. You would need to prepare your environment before you can configure Kerberos auth, and the steps would be the same as for Exchange 2013 and Exchange 2010 coexistence.

    • Deploy Outlook client updates in your environment
    • Configure Legacy Public Folder Access
    • Create a New Alternate Service Account Credential
    • Remove HTTP Service Principal Names from Exchange 2010 ASA
    • Deploy ASA to Exchange 2013 Client Access Servers
    • Assign the Service Principal Names to the Exchange 2013 ASA
    • Enable Kerberos Authentication for Outlook clients

    The above is described in detail in this article. If you do not have coexistence anymore, some of the details may not apply in your case. I would suggest that you go through the links provided, check the complete process in the different scenarios, and test it in your lab, as it's a complex process. If the information provided in this post is helpful, please accept it as the answer so that it can help people with a similar issue. In case you have any further queries, I would suggest that you engage directly with the community on either the Exchange TechCommunity or TechNet forums, because we have not onboarded Exchange Server on the Q&A forums as yet and primarily focus on Azure-related products. Reaching out on TechNet/TechCommunity will also give you access to a wider product-specific community for Exchange Server.

    Thank you.

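The account, SPN and authentication steps from the list in the answer, sketched as an added PowerShell example (not part of the original answer or of the articles it links to). It assumes the Exchange Management Shell opened in the Exchange `Scripts` directory with the ActiveDirectory module available; the domain, account names, server names and namespaces are placeholders to replace with lab values.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the page.
$Domain      = 'CONTOSO'                          # NetBIOS domain name
$NewAsa      = 'EXCH2016ASA'                      # new ASA for the Exchange 2016 servers
$OldAsa      = 'EXCH2010ASA'                      # existing Exchange 2010 ASA
$FirstServer = 'ex2016-01.contoso.com'
$OtherServer = @('ex2016-02.contoso.com')
$Spns        = @('http/mail.contoso.com', 'http/autodiscover.contoso.com')

Import-Module ActiveDirectory

# Create the new ASA as a computer account, so it cannot be used for interactive logon.
# 28 = 0x1C = RC4 + AES128 + AES256 in msDS-SupportedEncryptionTypes.
New-ADComputer -Name $NewAsa -SamAccountName $NewAsa -Enabled $true `
    -AccountPassword (Read-Host 'Password for the new ASA' -AsSecureString) `
    -Description 'Alternate Service Account credential for Exchange 2016'
Set-ADComputer $NewAsa -Add @{ 'msDS-SupportedEncryptionTypes' = 28 }

# Remove the HTTP SPNs from the Exchange 2010 ASA.
# The forest-wide query first records which account currently holds each SPN.
foreach ($spn in $Spns) {
    setspn -F -Q $spn
    setspn -D $spn "$Domain\$OldAsa`$"
}

# Deploy the new ASA: generate the password on one server, then copy it to the rest
# so that every server behind the namespace decrypts tickets with the same key.
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer $FirstServer `
    -GenerateNewPasswordFor "$Domain\$NewAsa`$"
foreach ($server in $OtherServer) {
    .\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer $server -CopyFrom $FirstServer
}
Get-ClientAccessService -IncludeAlternateServiceAccountCredentialStatus |
    Format-List Name, AlternateServiceAccountConfiguration

# Assign the SPNs to the new ASA. -S refuses to register a duplicate SPN,
# which would otherwise break Kerberos for that namespace.
foreach ($spn in $Spns) { setspn -S $spn "$Domain\$NewAsa`$" }
setspn -L "$Domain\$NewAsa`$"

# Enable Kerberos (Negotiate) for Outlook clients; NTLM stays available as fallback.
foreach ($server in @($FirstServer) + $OtherServer) {
    Get-OutlookAnywhere -Server $server |
        Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate
    Get-MapiVirtualDirectory -Server $server |
        Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, Negotiate
}
```

The Outlook client update and legacy public folder steps from the list are not covered here; running `klist` on a client after Outlook reconnects shows whether an `HTTP/` ticket for the namespace was issued.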