Does Outlook Kerberos authentication with Exchange 2016/19 (single server) does work out of the box?

BK IT Staff 246 Punti di reputazione

Before writing here all my environment configuration (DNS, virtual directories namespace and authenticatin settings, SPN -Q and SPN -L output, etc) I will put it simple, eventually I will provide more info as long as the discussion will require it.

This question is not meant to get support for sometghing that does not work, but to know why something works, where it should not from my readings on the topic and a discussion with a (Exchange-Savvy in my opinion) Redditor.

For the curiouses, you can find the discussion here

I am in a situation where in my simple Exchange environment, made by a single Exchange 2016 server, split-brain DNS (same namespace internally and externally), with MAPI/HTTP enabled at organization level, the Kerberos authentication works both internally and externally.

I never followed any procedure in order to have it working, such as:

My MAPI VDirs are set to accept "Negotiate" authentications. Just that. And my Outlook clients connect with Kerberos.

Now, I have been said that this should not happen. Not without registering SPNs for the service to work with Kerberos. So I have somewhere a misconfiguration that oddly allow Kerberos to work.

My question is: is that true or in my case is normal that Kerberos just works? You can think I am too apprensive, but Kerberos I think it's never too much :).

As said in the intro, if required in order to get to a conclusion without any doubts, I will provide detailed components configuration.

Thank you for helping,

Exchange Server
Exchange Server
Famiglia di software di collaborazione e messaggistica client/server Microsoft.
4 domande
{count} voti