FAQ: Unable to view the archived emails via OWA 2003

Some users have reported problems viewing archived emails using the OWA add-in on Exchange 2003. This happens when the UAA Service is not located on the Exchange machine. The identity of the user needs to be passed from the Exchange server to the UAA Service server in order to verify access to the archived mailbox, and this falls foul of the Kerberos "double-hop" problem: by default, the Exchange server cannot forward the user's authentication to a second server.

To get this to work, the Exchange machine needs to be configured to allow delegation of credentials to the UAA Service machine. In the pictures below, the Exchange machine is exchange.jontest2net.com and the UAA Service machine is client1.jontest2net.com.

First, the domain needs to be running at Windows Server 2003 functional level or higher. You can set this from the "Active Directory Users and Computers" application on the domain controller. On the property menu for the domain there is a "Raise Domain Functional Level" option:

3369663961_8b3f69044c_o.jpg

The Exchange server now needs to be trusted for delegation:

3370486002_6c7557a55e_o.jpg

Then delegation needs to be constrained to calling the HTTP service on the UAA Service server. The dialog to do this is found in "Active Directory Users and Computers", on the property menu for the computer in question:

3369663841_671cfc209c_o.jpg

Be aware that these changes may take some time to propagate; in the cases where I have done this, I have rebooted the machines after making this change.
Clive Tong
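
The following added example, which is not part of the original FAQ, classifies the Exchange computer account's delegation from its `userAccountControl` and `msDS-AllowedToDelegateTo` attribute values and reports anything other than constrained delegation to the HTTP service on the UAA Service machine. The function names and sample attribute values are constructed for illustration, and `fileserver.jontest2net.com` is a hypothetical host.

```python
# Added example: audit delegation settings of a front-end computer account.
TRUSTED_FOR_DELEGATION = 0x80000            # userAccountControl bit: any service
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: protocol transition

def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (service class, host), lower-cased."""
    service, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return service.lower(), host.lower()

def audit_delegation(uac, delegate_to, service, target_fqdn):
    """Return (mode, findings) for one computer account.

    uac is the integer userAccountControl value, delegate_to the list of
    msDS-AllowedToDelegateTo SPNs, service the only service class that
    should be delegated to, target_fqdn the back-end (UAA Service) host.
    """
    fqdn = target_fqdn.lower()
    allowed_hosts = {fqdn, fqdn.split(".", 1)[0]}  # FQDN and short name
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        mode = "unconstrained"
        findings.append("trusted for delegation to any service, not constrained")
    elif delegate_to:
        mode = "constrained"
    else:
        mode = "none"
        findings.append("no delegation configured")
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol transition enabled")
    matched = False
    for spn in delegate_to:
        svc, host = parse_spn(spn)
        if svc == service.lower() and host in allowed_hosts:
            matched = True
        else:
            findings.append("unexpected delegation target: " + spn)
    if mode == "constrained" and not matched:
        findings.append("no %s SPN for %s in the delegation list" % (service, target_fqdn))
    return mode, findings

# Constructed sample values (not taken from a real directory); 0x1000 is a plain computer account.
SAMPLE_GOOD = (0x1000, ["HTTP/client1.jontest2net.com", "HTTP/client1"])
SAMPLE_UNCONSTRAINED = (0x1000 | TRUSTED_FOR_DELEGATION, [])
SAMPLE_TOO_BROAD = (0x1000, ["HTTP/client1.jontest2net.com", "cifs/fileserver.jontest2net.com"])

if __name__ == "__main__":
    for uac, spns in (SAMPLE_GOOD, SAMPLE_UNCONSTRAINED, SAMPLE_TOO_BROAD):
        print(audit_delegation(uac, spns, "HTTP", "client1.jontest2net.com"))
```

An empty findings list with mode `constrained` corresponds to the end state the steps above describe.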