Hi,
I have two Exchange 2010 SP1 CAS with Windows Network Load Balancing. I set up an alternate service account and mapped the http, ExchangeMDB, PRF and ExchangeAB SPNs.
Then I published the Exchange services via ISA 2006. OWA is working using Internet -> via NTLM -> ISA (webmail.domain.com) -> via KCD -> CAS array (ex2010.domain.com)
I tried the same with Outlook Anywhere (RPC over HTTP) without success.
Authentication to the ISA via NTLM works fine, but I think the ISA server cannot delegate the credentials successfully to the CAS server.
The ISA Log looks like:
Allowed Connection ISA 24.11.2011 15:50:40
Log type: Web Proxy (Reverse)
Status: 403 Forbidden
Rule: Exchange 2010 RPC
Source: Internal (172.16.251.33)
Destination: (172.18.10.182:443)
Request: RPC_OUT_DATA
http://webmail.domain.com/rpc/rpcproxy.dll?ex2010.domain.com:6001
Filter information: Req ID: 108b89d8; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
So I always get a 403 Forbidden from the CAS.
In the IIS log file from the CAS server I see this entry:
2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - <ISA IP> MSRPC 401 1 2148074254 203
I use the same listener for OWA and Outlook Anywhere. Authentication methods are Basic and Integrated. I forward the request to a web farm which consists of the two physical CAS. Internal Site Name is set to the NLB name ex2010.domain.com, SPN is set to http/ex2010.domain.com
Thanks for your support
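The IIS entry quoted in the post carries more diagnostic information than the ISA log does, because the last three numeric columns (sc-status, sc-substatus, sc-win32-status) tell you at which stage the CAS rejected the request. The following is an added example, written for this page and not code from the poster, ISA or Exchange: it parses that one W3C log line and decodes the status columns. It assumes the CAS log uses the IIS default field order (the post does not show the `#Fields:` header), keeps the `<ISA IP>` placeholder exactly as written, and maps the win32 status through a small table of documented SSPI constants.

```python
# Added example, not part of the original post: parse the IIS W3C extended
# log entry quoted in the question and decode its status fields.
# Assumptions: the CAS log uses the IIS default field order (the post does not
# show the "#Fields:" header); the "<ISA IP>" placeholder is kept verbatim.
from dataclasses import dataclass

# Subset of SSPI SECURITY_STATUS values that appear in sc-win32-status on
# Windows-authenticated requests (documented Win32 constants).
SSPI_CODES = {
    0x00000000: "SUCCESS",
    0x80090303: "SEC_E_TARGET_UNKNOWN",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030D: "SEC_E_UNKNOWN_CREDENTIALS",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}

# Subset of IIS 401.x substatus meanings.
IIS_401_SUBSTATUS = {
    1: "Logon failed",
    2: "Logon failed due to server configuration",
    3: "Unauthorized due to ACL on resource",
    5: "Authorization failed by ISAPI/CGI application",
}

# Constructed sample input: the single line quoted in the post.
SAMPLE_LINE = (
    "2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll "
    "ex2010.domain.com:6001 443 - <ISA IP> MSRPC 401 1 2148074254 203"
)


@dataclass
class IisEntry:
    date: str
    time: str
    s_ip: str
    method: str
    uri_stem: str
    uri_query: str
    s_port: int
    username: str
    c_ip: str
    user_agent: str
    status: int
    substatus: int
    win32_status: int
    time_taken: int


def parse_iis_line(line: str) -> IisEntry:
    """Parse one line in the IIS default field order (assumed, see above):
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
    c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken.
    The first 8 and the last 5 fields never contain spaces, so c-ip is
    whatever sits between them; a placeholder like "<ISA IP>" survives intact."""
    tokens = line.split()
    if len(tokens) < 14:
        raise ValueError(f"expected at least 14 fields, got {len(tokens)}")
    head, tail = tokens[:8], tokens[-5:]
    c_ip = " ".join(tokens[8:-5])
    return IisEntry(
        date=head[0], time=head[1], s_ip=head[2], method=head[3],
        uri_stem=head[4], uri_query=head[5], s_port=int(head[6]),
        username=head[7], c_ip=c_ip, user_agent=tail[0],
        status=int(tail[1]), substatus=int(tail[2]),
        win32_status=int(tail[3]), time_taken=int(tail[4]),
    )


def decode_win32(code: int) -> str:
    """Map sc-win32-status (logged as an unsigned decimal) to its SSPI name."""
    return SSPI_CODES.get(code, f"UNKNOWN_0x{code:08X}")


def describe(entry: IisEntry) -> str:
    """One-line reading of the HTTP result and the Windows auth result."""
    http = f"{entry.status}.{entry.substatus}"
    if entry.status == 401:
        http += f" ({IIS_401_SUBSTATUS.get(entry.substatus, 'unlisted substatus')})"
    win32 = f"0x{entry.win32_status:08X} {decode_win32(entry.win32_status)}"
    return (f"{entry.method} {entry.uri_stem}?{entry.uri_query} from {entry.c_ip}: "
            f"HTTP {http}; win32 {win32}")


def auth_stage_failed(entry: IisEntry) -> bool:
    """True when IIS rejected the request during Windows authentication, i.e.
    before rpcproxy.dll ever ran. Behind a reverse proxy doing KCD this means
    no usable credential (a Kerberos ticket for the CAS SPN) reached IIS."""
    return entry.status == 401 and entry.win32_status in (
        0x8009030C, 0x8009030D, 0x8009030E)


if __name__ == "__main__":
    e = parse_iis_line(SAMPLE_LINE)
    print(describe(e))
    print("failed at Windows-auth stage:", auth_stage_failed(e))
```

Run as-is it reads the quoted line as `401.1 (Logon failed)` with win32 `0x8009030E SEC_E_NO_CREDENTIALS`, which is the authentication stage of IIS rejecting the request before the RPC proxy is reached; the 403 the client sees is what ISA returns after the back-end 401. Reading the two logs together this way separates "ISA could not obtain or present a credential for the CAS" from a failure inside the RPC proxy itself, which would show up with a different status and win32 value.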