Zachary Loeber


Exchange 2010 SP1: Web Services Fix

I’m running 2 CAS servers behind an F5 load balancer and was finding that a user migrated to my new CAS array would get a red splat in Communicator and get authorization prompts for the Autodiscover URL. I fixed it, finally, just today.

Some people recommend using setspn to add a service principal name for the CAS server to help fix the Autodiscover prompting. Do NOT do this in a load-balanced situation, because a given SPN can only be registered to one account in AD. Duplicates defeat the purpose of having the SPN in the first place (to uniquely locate a service in AD for Kerberos authentication). If you do want Kerberos you need to set up a shared service account to use, via this complicated procedure.

That procedure may also fix the issue of Communicator accessing Autodiscover over the Internet.

To fix this in a CAS array where you are not implementing Kerberos for Autodiscover and web services, MAKE SURE TO DELETE ALL HTTP SPNs.

If an HTTP SPN is showing when you run setspn -L casservername, then just go ahead and remove it (setspn -D http/autodiscover.contoso.com casservername). Yup, remove them all. Then clients will fall back to NTLM authentication instead of trying Kerberos and giving annoying Autodiscover prompts.
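Here is an added PowerShell script (my own example, not from the original post) that audits every CAS server in the array for registered HTTP SPNs, reports them, and only removes them when you pass -Remove; it then runs setspn -X, which searches the forest for duplicate SPNs, the exact condition the paragraph above warns about. The server names are placeholders, and it assumes setspn.exe is on the path and you are running with domain admin rights.

```powershell
# Audit (and optionally remove) HTTP SPNs on load-balanced CAS servers.
# Example code, not from the original post; CAS01/CAS02 are placeholder names.
param(
    [string[]]$CasServers = @('CAS01', 'CAS02'),   # placeholder CAS computer names
    [switch]$Remove                                 # without -Remove, report only
)

foreach ($server in $CasServers) {
    # setspn -L prints a header line followed by one indented SPN per line;
    # trim each line and keep only the HTTP/ entries (-match is case-insensitive).
    $httpSpns = & setspn.exe -L $server 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^HTTP/' }

    if (-not $httpSpns) {
        Write-Host "$server : no HTTP SPNs registered"
        continue
    }

    foreach ($spn in $httpSpns) {
        if ($Remove) {
            # -D deletes the SPN from the named computer account
            Write-Host "$server : removing $spn"
            & setspn.exe -D $spn $server | Out-Null
        } else {
            Write-Host "$server : found $spn (rerun with -Remove to delete it)"
        }
    }
}

# Final check: -X reports any SPN registered to more than one account in the
# forest. After cleanup this should list no HTTP/ entries for the array name.
Write-Host 'Checking the forest for duplicate SPNs...'
& setspn.exe -X
```

Run it once without -Remove to see what each CAS server has registered, then again with -Remove once you are happy with the list.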

Hope this helps someone, as I never ran across this in any deployment documentation from F5, Microsoft, or anyone else.