How to configure IAG KCD in Exchange 2007 Load Balancing Architecture
Created by forefrontsupport on 10/13/2010 9:39:10 PM
Before you begin
This article demonstrates how to configure SSO via KCD in an Exchange 2007 load balancing (NLB) architecture.
Important to know!
This document describes the procedures you need to implement only on the Exchange servers, not on the IAG or Active Directory servers.
Prerequisites
To configure the entire architecture, you MUST follow the configuration procedures in my technical paper "How to configure IAG KCD in Load Balancing Architectures (IIS 6.0 / 7.0)" before continuing with this technical paper.
This is the link to the document:
http://www.forefrontsecurity.org/?ctype=Articles&id=A00000021&rootid=21&name=How-to-configure-IAG-KCD-in-Load-Balancing-Architectures-(IIS-6.0-/-7.0)
Pay attention: The back-end server names and the NLB name are different from those in the document "How to configure IAG KCD in Load Balancing Architectures (IIS 6.0 / 7.0)". This is very important for KCD to function. The new FQDN names in this article are:
- NLB: EXCH2007.IAGserver.ORG
- Exchange Node 01: EXCH200701.IAGserver.ORG
- Exchange Node 02: EXCH200702.IAGserver.ORG
Configuration Procedures
Conceptual high level architecture
The following diagram maps the relevant attributes that demonstrate the solution to the KCD load balancing problem: SPN, msDS-AllowedToDelegateTo

Configuration on the Exchange server Client Access Server (CAS) role
- Add the identity of the application pool, LAB\svcIIS, to the local Administrators group on the Exchange server with the Client Access Server (CAS) role
- Add the identity of the application pool, LAB\svcIIS, to the "Exchange Servers" security group in Active Directory
- Change the identity of the "MSExchangeOWAAppPool" application pool in IIS on the Exchange CAS from "Local System" to "LAB\svcIIS"
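A read-only check of the three steps above, as an added example that is not part of the original article. It assumes the account's sAMAccountName is svcIIS in the current domain, that the CAS runs IIS 7.0 or later (for the appcmd query), and that the prerequisite paper registered an SPN containing the NLB name on that account.

```powershell
# Added verification sketch: run on each CAS node (EXCH200701 and EXCH200702).
$account = 'LAB\svcIIS'               # application pool identity from the article
$pool    = 'MSExchangeOWAAppPool'
$nlbFqdn = 'EXCH2007.IAGserver.ORG'   # NLB name from the article

function Find-AdObject([string]$Filter) {
    # Searches the current domain; returns the first match or $null.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $Filter
    $searcher.FindOne()
}

# Step 1: local Administrators membership on this node.
$members    = net localgroup Administrators | ForEach-Object { $_.Trim() }
$localAdmin = $members -contains $account

# Step 2: direct membership of "Exchange Servers" (nested groups are not expanded).
$user    = Find-AdObject '(&(objectCategory=person)(sAMAccountName=svcIIS))'
$group   = Find-AdObject '(&(objectCategory=group)(cn=Exchange Servers))'
$inGroup = $false
$spns    = @()
if ($user) {
    $spns = @($user.Properties['serviceprincipalname'])
    if ($group) {
        $dn      = $user.Properties['distinguishedname'][0]
        $inGroup = @($group.Properties['member']) -contains $dn
    }
}

# Step 3: identity of the OWA application pool (appcmd.exe exists on IIS 7.0 and later).
$poolUser = $null
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (Test-Path $appcmd) {
    $poolUser = & $appcmd list apppool $pool /text:processModel.userName
}

# Assumption: the prerequisite paper registered an SPN for the NLB name on svcIIS.
$nlbSpn = @($spns | Where-Object { $_ -like "*/$nlbFqdn*" })

"In local Administrators  : $localAdmin"
"In 'Exchange Servers'    : $inGroup"
"App pool identity        : $poolUser (expected $account)"
"SPNs on svcIIS           : $($spns -join ', ')"
"SPN for NLB name present : $($nlbSpn.Count -gt 0)"
```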
If you have any issues with this architecture, please post them in our technical forums at http://Forums.ForefrontSecurity.ORG or use our online support services.
