Forum Discussion
Kerberos: can't get S4U2Self ticket for user Exch2016@MYDOMAIN.COM - Server not found in Kerberos database (-1765328377)
Hi,
I think you're wrong with the SPN configuration.
In AD, only a service can have the delegation role, not a user. Adding an SPN (ServicePrincipalName) to a user gives it the delegation role capability.
The delegation account must be:
- sAMAccountName : svc_apm.abc.net
- UserPrincipalName : host/svc_apm.abc.net@abc.net
- ServicePrincipalName = host/svc_apm.abc.net
The setspn command configures SPNs from the command line. In a comment, you mentioned setspn with SPN host/mail.company.com... this is not the correct configuration.
Then for your Exchange account, you must configure the following:
- sAMAccountName : svc_exchange
- UserPrincipalName : svc_exchange@abc.net
- ServicePrincipalName = host/mail.mydomain.com
Then in the delegation account, add delegation to service svc_exchange. It will display all SPNs, including http/mail.mydomain.com.
To display a user's SPN list, you can add the Attribute Editor tab in the user properties. To add this tab, enable View/Advanced Features in Active Directory Users and Computers.
Then you can view and edit the servicePrincipalName attribute for every user.
When deploying new customers, I don't use setspn anymore because it's easier to understand what I do with the Attribute Editor. setspn does not add the right to access this server; it only gives a service name to a user.
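The following PowerShell is an added example, not code from the answer above or from F5; it audits and (once verified) applies the two-account layout the answer describes. It assumes the RSAT ActiveDirectory module is installed, the account names, SPNs and the abc.net domain are the ones named in the answer, and the operator has rights to read and modify those two service accounts.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module
# and rights to read/modify the two service accounts. Account names, SPNs and the
# abc.net domain are the values used in the answer above.
Import-Module ActiveDirectory

# Delegation (APM) account and the back-end (Exchange) account, as the answer names them
$DelegationAccount = 'svc_apm.abc.net'
$DelegationSpn     = 'host/svc_apm.abc.net'
$DelegationUpn     = 'host/svc_apm.abc.net@abc.net'
$ExchangeAccount   = 'svc_exchange'
$ExchangeSpn       = 'host/mail.mydomain.com'

$props = 'servicePrincipalName', 'userPrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'

function Show-KcdAccount {
    param([string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties $props
    [pscustomobject]@{
        Account            = $u.SamAccountName
        UPN                = $u.UserPrincipalName
        SPNs               = ($u.servicePrincipalName -join ', ')
        DelegateTo         = ($u.'msDS-AllowedToDelegateTo' -join ', ')
        # "Use any authentication protocol" (protocol transition); S4U2Self requires it
        ProtocolTransition = $u.TrustedToAuthForDelegation
        # Unconstrained delegation should stay off on both accounts
        Unconstrained      = $u.TrustedForDelegation
    }
}

# 1. Inspect both accounts before changing anything
Show-KcdAccount $DelegationAccount | Format-List
Show-KcdAccount $ExchangeAccount   | Format-List

# 2. "Server not found in Kerberos database" on S4U2Self usually means the KDC cannot
#    map the delegation account's SPN to an account. Confirm which account (if any)
#    currently owns each SPN; setspn -Q searches the forest, setspn -X lists duplicates.
setspn -Q $DelegationSpn
setspn -Q $ExchangeSpn
setspn -X

# 3. Apply the configuration from the answer (uncomment once steps 1 and 2 look right).
# Set-ADUser -Identity $DelegationAccount -UserPrincipalName $DelegationUpn `
#     -ServicePrincipalNames @{Add = $DelegationSpn}
# Set-ADUser -Identity $ExchangeAccount -ServicePrincipalNames @{Add = $ExchangeSpn}
#
# Constrained delegation: allow the APM account to delegate only to the Exchange SPN,
# with protocol transition enabled so S4U2Self/S4U2Proxy work for users who did not
# authenticate to APM with Kerberos.
# Set-ADUser -Identity $DelegationAccount -Add @{'msDS-AllowedToDelegateTo' = $ExchangeSpn}
# Set-ADAccountControl -Identity $DelegationAccount -TrustedToAuthForDelegation $true
#
# 4. Re-run step 1. The delegation account must now own its SPN and list exactly the
#    Exchange SPN(s) in msDS-AllowedToDelegateTo, nothing broader.
# Show-KcdAccount $DelegationAccount | Format-List
```

Run the inspection and setspn queries first and only then uncomment the Set-* lines. A duplicate SPN reported by setspn -X, or an SPN that resolves to a different account, produces exactly the "Server not found in Kerberos database" failure the thread title reports, so fix that before touching delegation. Keep msDS-AllowedToDelegateTo limited to the back-end SPNs the APM account actually needs: with protocol transition enabled, that account can obtain service tickets for any user to every SPN in the list, so the list and the account's credential hygiene are the whole security boundary.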