Setting up constrained delegation

It is necessary to configure constrained delegation for use with the Enterprise Vault OWA 2007 Extensions if the mailbox being accessed is hosted on a server other than the CAS computer, and users are authenticated to OWA using Integrated Windows Authentication (IWA).

Note that IWA is a requirement to support Client Access Server (CAS) proxying. For information on CAS proxying, see http://msexchangeteam.com/archive/2007/09/04/446918.aspx

Configuring constrained delegation requires a domain functional level of Windows Server 2003 or later. For more information about domain functional levels, see "Domain and forest functionality" in the Help and Support Center for Windows Server 2003.

For each CAS configured for IWA, perform the following steps:

  1. Using Active Directory Users and Computers, locate the CAS computer account.

  2. Right-click the computer object, and click Properties.

  3. Click the Delegation tab.

  4. On the Delegation page, click Trust this computer for delegation to specified services only.

  5. Click Use any authentication protocol.

  6. Click Add, and then Users or Computers.

  7. In the box, Enter the object names to select, type the name of an Exchange Server 2007 computer that has the Mailbox role installed and will be accessed through this CAS.

    If the Mailbox role is clustered, be sure to use the Clustered Mailbox Server name instead of the node name.

  8. Click Check Names, and then OK.

  9. In the Available services list, click http, and then OK.

  10. Repeat steps 6 to 9 to add additional Exchange Server 2007 Mailbox computers that will be accessed through this CAS.

    For constrained delegation to work properly, Exchange Server 2007 computers with Mailbox roles must have IWA enabled on the /Exchange virtual directory.
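To confirm what the steps above wrote to the CAS computer account, the following PowerShell check is an added example, not part of the Enterprise Vault documentation; it assumes the RSAT ActiveDirectory module is installed and uses placeholder server names (CAS01, MBX01, MBX02, example.local).

```powershell
# Added verification script, not from the Enterprise Vault documentation.
# Assumes the RSAT ActiveDirectory module and read access to the CAS computer object.
Import-Module ActiveDirectory

function Test-CasConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $CasName,            # CAS computer name (no trailing $)
        [Parameter(Mandatory)] [string[]] $MailboxServerFqdn   # Mailbox servers (or Clustered Mailbox Server names) expected in step 10
    )

    $cas = Get-ADComputer -Identity $CasName -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation

    # Step 5 ("Use any authentication protocol") sets the TRUSTED_TO_AUTH_FOR_DELEGATION
    # userAccountControl bit, which the AD module exposes as TrustedToAuthForDelegation.
    $protocolTransition = [bool] $cas.TrustedToAuthForDelegation

    # Steps 6 to 10 add one SPN per selected service to msDS-AllowedToDelegateTo;
    # choosing "http" in step 9 yields http/<server> entries.
    $allowed  = @($cas.'msDS-AllowedToDelegateTo')
    $httpSpns = @($allowed | Where-Object { $_ -match '^http/' })

    # Report any expected Mailbox server that has no http/<fqdn> delegation target.
    $missing = @(
        foreach ($fqdn in $MailboxServerFqdn) {
            if (-not ($httpSpns | Where-Object { $_ -ieq "http/$fqdn" })) { $fqdn }
        }
    )

    [pscustomobject]@{
        CAS                   = $CasName
        ProtocolTransition    = $protocolTransition
        HttpDelegationTargets = $httpSpns
        MissingMailboxServers = $missing
        Configured            = $protocolTransition -and ($missing.Count -eq 0)
    }
}

# Placeholder names: one CAS, two Mailbox servers expected to be reachable through it.
Test-CasConstrainedDelegation -CasName 'CAS01' `
    -MailboxServerFqdn 'MBX01.example.local', 'MBX02.example.local' | Format-List
```

A result with ProtocolTransition set to True but names listed under MissingMailboxServers means step 10 was not completed for those servers; ProtocolTransition False means step 5 was not applied.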