I’m utilizing 2 CAS servers behind an F5 load balancer and was finding that a migrated user to my new CAS array would get a red spat in communicator and get authorization prompts for the autodiscover url. I fixed it, finally, just today.
Some people recommend using setspn to add a service principal name for the cas server to help fix the autodiscover prompting. Do NOT do this in a load balanced situation as you can only have one spn per account in AD. Otherwise duplicates defeat the purpose of having the spn anyways (to uniquely locate a service in AD for kerberos authentication). If you do want kerberos you need to setup a shared service account to use via this complicated
Also, this procedure may fix the issue for communicator accessing autodiscover over the internet.
To fix this in a cas array where you are not implementing kerberos for autodiscover and web services MAKE SURE TO DELETE ALL HTTP SPNs.
If an HTTP spn is showing when you run setspn -L
Hope this helps someone as I never ran across this in any deployment documentation from either F5 or Microsoft or anyone else.