3

The first version of Exchange 2010 to support Kerberos is SP1 RU3. It does this through the RollAlternateServiceAccountCredential.ps1 commandlet.

Besides implementing "better" security, does this offer any other benefits for disaster recovery, performance, or anything else worth knowing?

FYI - in case Google sends you here:

The way to determine if Kerberos is being used, use KList.exe in conjunction with 

Test-OutlookConnectivity -Identity administrator -MailboxCredential $c -Protocol tcp
makerofthings7
  • 8,821
  • 28
  • 115
  • 196

1 Answers1

2

By my read of it, this will provide two things:

  1. If you're using a CAS Array, clients will authenticate faster since they won't have to fail-back past Kerberos to NTLM anymore.
  2. Kerberos is generally considered more secure than NTLM, so overall security should be improved.

I don't believe it offers any benefits to disaster recovery, just initial-connection performance and possibly reduced log-spam.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296