Exchange 2010 SP1 Outlook Anywhere Issue when being published via UAG

2017-12-07T09:49:19+00:00 | February 11th, 2011 | Exchange

Recently we came across an issue where certain users in our domain could not connect to Outlook Anywhere externally when connected via DirectAccess.

The thing we found bizarre was that certain users could actually authenticate with Exchange while another user who was practically identical couldn't. Please note we had Kerberos constrained delegation set for Outlook Anywhere.

When a broken user attempted to connect to Exchange, the following event was logged in the application log on the UAG server:

Event ID 120

The S4U2Self Kerberos token for user Username with source IP address IP Address cannot be retrieved. Protocol transition failed. The application is Exchange 2010 on trunk TrunkName; Secure=1.

In the system log there were also Kerberos errors (please note this was after Kerberos logging had been enabled on the UAG server), and the errors below were also shown in Netmon:

KDC_ERR_PREAUTH_REQUIRED

KDC_ERR_C_PRINCIPAL_UNKNOWN

To fix this we added our UAG server to the Windows Authorization Access Group, and straight away everything sprang into life and every user could connect to Outlook via Outlook Anywhere.
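The following PowerShell is an added example written for this post, not the original author's script or anything shipped with UAG or Exchange. It checks the UAG computer account's constrained-delegation settings, verifies (and if necessary fixes) its membership in the Windows Authorization Access Group, and optionally switches on Kerberos event logging on the UAG server so the KDC errors quoted above show up in the System log. The server name `UAGSERVER` is a placeholder, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed and that PowerShell remoting to the UAG server is available for the last step.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a placeholder computer name for the UAG server.
Import-Module ActiveDirectory

$UagServerName = 'UAGSERVER'   # placeholder: the UAG server's computer account name
$WaagName      = 'Windows Authorization Access Group'

# 1. Confirm the UAG computer account is configured for protocol transition
#    (S4U2Self), which is what the Event ID 120 message in the post refers to.
$uag = Get-ADComputer -Identity $UagServerName `
        -Properties TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

"TrustedToAuthForDelegation (use any authentication protocol): {0}" -f $uag.TrustedToAuthForDelegation
"SPNs the UAG server may delegate to:"
$uag.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }

# 2. Check Windows Authorization Access Group membership. Members of this group
#    are granted read access to the tokenGroupsGlobalAndUniversal attribute on
#    user objects, which the server needs in order to build the S4U2Self token.
#    A user object that does not grant that read to the default readers (for
#    example because permission inheritance is disabled on it) will fail with
#    "Protocol transition failed" unless the server is in this group.
$waag     = Get-ADGroup -Identity $WaagName
$isMember = Get-ADGroupMember -Identity $waag -Recursive |
            Where-Object { $_.objectClass -eq 'computer' -and
                           $_.SamAccountName -eq $uag.SamAccountName }

if (-not $isMember) {
    "Adding $UagServerName to '$WaagName'"
    Add-ADGroupMember -Identity $waag -Members $uag
    # The new group SID only lands in the UAG server's token after AD replication
    # and a fresh Kerberos ticket for the computer account; a reboot, or
    # 'klist -li 0x3e7 purge' run as SYSTEM on the UAG server, forces that.
} else {
    "$UagServerName is already a member of '$WaagName'"
}

# 3. Optional: enable Kerberos event logging on the UAG server so that KDC errors
#    such as KDC_ERR_C_PRINCIPAL_UNKNOWN are written to the System event log.
#    Set LogLevel back to 0 once troubleshooting is finished.
Invoke-Command -ComputerName $UagServerName -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    New-ItemProperty -Path $key -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null
    "Kerberos logging enabled on $env:COMPUTERNAME"
}
```

Run it from a domain-joined management host with rights to modify the group; step 1 is read-only and is worth running first, since the usual culprits for a partial failure like the one described are either the delegation settings on the UAG computer account or the per-user permissions that the Windows Authorization Access Group membership works around.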