Application Proxy Incorrect Kerberos constrained delegation

I was publishing a SharePoint 2010 site through Azure AD Application Proxy.

I asked the SharePoint team to make the required changes on the SharePoint side. Once the configuration was done, the site was accessible from outside, but when we enabled single sign-on with Windows Integrated Authentication (WIA) and set up the SPN, we got the following error:

“Incorrect Kerberos constrained delegation configuration in your on-premises Active Directory.”

This error appears when the SPN configuration is wrong.

Solution:

Check the SPN configuration with the commands below.

setspn -Q HTTP/portal.domain.com

setspn -L "domain\ServiceAccount"

Also check the event logs on the Application Proxy connector server.

We found events related to delegation. We checked the Application Proxy server's computer object in AD and opened the Delegation tab; no SPN had been added there.

In Active Directory Users and Computers, navigate to the OU that contains the server on which you installed the Application Proxy Connector. Once you locate that computer entry, right-click it and select Properties. In the Properties dialog, click the Delegation tab.

You need to add the SPN of the published site there (see the screenshot in the original post).
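The PowerShell below is an added example, not code from the original post. It checks from a management workstation the two Active Directory settings behind this error: that the HTTP SPN is registered to exactly one account, and that the connector server's computer object lists that SPN on its Delegation tab with "Use any authentication protocol" (protocol transition). The second part matters for Application Proxy because the connector never receives the user's Kerberos ticket from the browser; it has to request one on the user's behalf, which plain "Use Kerberos only" constrained delegation does not allow. The function name `Test-AppProxyKcd` is my own, the RSAT ActiveDirectory module is assumed, and the server name and SPN in the usage line are placeholders.

```powershell
# Added example: verify the AD prerequisites for Azure AD Application Proxy KCD.
# Assumes the RSAT ActiveDirectory module and an account allowed to read AD.
Import-Module ActiveDirectory

function Test-AppProxyKcd {
    param(
        [Parameter(Mandatory)][string]$ConnectorServer,   # computer name of the connector host, no trailing $
        [Parameter(Mandatory)][string]$Spn                # e.g. HTTP/portal.domain.com
    )

    $result = [ordered]@{ Spn = $Spn; Connector = $ConnectorServer; Problems = @() }

    # 1. Exactly one account must hold the SPN. None = not registered (the
    #    setspn -Q check above returns nothing); more than one = duplicate SPN.
    #    Both break Kerberos authentication to the published site.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
    $result.SpnOwners = @($owners | ForEach-Object { $_.Name })
    if ($owners.Count -eq 0) {
        $result.Problems += "SPN $Spn is not registered to any account."
    } elseif ($owners.Count -gt 1) {
        $result.Problems += "SPN $Spn is registered on $($owners.Count) accounts (duplicate SPN)."
    }

    # 2. The connector's computer object must list the SPN under
    #    msDS-AllowedToDelegateTo (the Delegation tab) and must allow protocol
    #    transition ("Use any authentication protocol"), because the connector
    #    obtains the user's service ticket itself rather than receiving one.
    $computer = Get-ADComputer -Identity $ConnectorServer `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $delegateTo = @($computer.'msDS-AllowedToDelegateTo')
    $result.AllowedToDelegateTo = $delegateTo
    if ($delegateTo -notcontains $Spn) {
        $result.Problems += "Delegation tab of $ConnectorServer does not list $Spn."
    }
    if (-not $computer.TrustedToAuthForDelegation) {
        $result.Problems += "$ConnectorServer is not set to 'Use any authentication protocol'."
    }

    $result.Healthy = ($result.Problems.Count -eq 0)
    [pscustomobject]$result
}

# Usage (placeholder names):
Test-AppProxyKcd -ConnectorServer 'APPPROXY01' -Spn 'HTTP/portal.domain.com' | Format-List
```

If `Healthy` is `False`, the `Problems` list names which of the two settings to fix; an empty `AllowedToDelegateTo` matches exactly the situation described in the post, where the Delegation tab had no SPN at all.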

This is how I resolved my issue. Please share your thoughts on how you resolved it.


Import and Export Receive Connector Exchange 2013/2016

How to Configure Exchange Server 2016 SMTP Relay while upgrading your email services.

In most organizations there are several devices or applications that need an SMTP service to send email messages. An Exchange server can provide that service, but the configuration required on the server depends on the SMTP relay requirements of your scenario.


In my scenario, I am upgrading our client's Exchange Server 2013 to Exchange 2016. Today we are moving the application relay workload to the new Exchange 2016 server.


A few things you need to follow:

  1. Export all details of the current connector.
  2. Share the IP details with the responsible team for confirmation.
  3. Once you get the confirmation, create the new connector on the new Exchange server with the following steps.

1:- Export Current Connector Information

You can use the commands below in the Exchange Management Shell (EMS).

$list = (Get-ReceiveConnector "servername\external Relay").RemoteIPRanges; $list > C:\relayIPs.txt

Get-ReceiveConnector "servername\nameofconnector" | Select-Object -ExpandProperty RemoteIPRanges | Export-Csv C:\filename.csv -NoTypeInformation

In the given path you will now see a CSV or TXT file, depending on the command you used.

2:- Verify the configuration

Check the existing configuration of the connector, and document it for reference (use a different file name if step 1 already wrote C:\relayIPs.txt, or the export of the IP ranges is overwritten).

Get-ReceiveConnector "CPLEXCH03\GC APP-FFRAPP-2013" | Format-List > C:\relayIPs.txt

3:- Create New Connector on Exchange 2016

New-ReceiveConnector -Name "AppRelay" -Server servername -Usage Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 10.10.12.13 -MaxMessageSize 30MB -TransportRole FrontendTransport

Keep -RemoteIPRanges limited to the hosts that actually need to relay; combined with the anonymous permissions granted in step 5, a wide range turns the connector into an open relay.

4:- How to Add Remote IP Addresses to the new Receive Connector (you can use the same commands to add IPs to an existing connector)

$RecvConn = Get-ReceiveConnector "servername\AppRelay"

Place the IP addresses in a text file, one per line, and save it as C:\printer.txt.

Get-Content C:\printer.txt | ForEach-Object { $RecvConn.RemoteIPRanges += "$_" }

Set-ReceiveConnector "servername\AppRelay" -RemoteIPRanges $RecvConn.RemoteIPRanges

5:- Add Permissions on the connector

Get-ReceiveConnector "servername\AppRelay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Set-ReceiveConnector "servername\AppRelay" -PermissionGroups AnonymousUsers
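The script below is an added example, not code from the original post, that carries out steps 1 to 5 in one pass: it saves the source connector's full configuration for rollback, refuses to clone a scope that covers every address, recreates the connector on the Exchange 2016 server with the same bindings, IP ranges, size limit and permission groups, copies the anonymous relay grant only if the source had it, and then adds further relay IPs from a text file while skipping blanks, comments and duplicates (a duplicate entry makes Set-ReceiveConnector fail). The function names `Copy-RelayConnector` and `Add-RelayIPs` are my own, it is meant to run in the Exchange Management Shell, and the server name `NEWEXCH01` in the usage lines is a placeholder.

```powershell
# Added example: clone an Exchange 2013 relay connector to Exchange 2016 and
# extend its relay IP list from a file. Run from the Exchange Management Shell.

function Copy-RelayConnector {
    param(
        [Parameter(Mandatory)][string]$SourceConnector,  # "OLDSERVER\ConnectorName"
        [Parameter(Mandatory)][string]$TargetServer,     # new Exchange 2016 server
        [Parameter(Mandatory)][string]$NewName,          # name of the new connector
        [string]$BackupPath = "C:\$NewName-source.xml"   # steps 1/2: full copy of the source settings
    )

    $src = Get-ReceiveConnector -Identity $SourceConnector
    $src | Export-Clixml -Path $BackupPath

    # An anonymous relay scoped to every IPv4 address is an open relay. Do not
    # carry such a scope over to the new server; narrow the source first.
    $tooBroad = $src.RemoteIPRanges | Where-Object {
        $_.ToString() -match '^0\.0\.0\.0(-255\.255\.255\.255|/0)$'
    }
    if ($tooBroad) {
        throw "$SourceConnector relays for all IPv4 addresses; narrow RemoteIPRanges before cloning."
    }

    # -Usage and -PermissionGroups are in different parameter sets of
    # New-ReceiveConnector, so create with -Usage Custom (step 3) and apply the
    # permission groups and auth mechanisms afterwards (step 5).
    $new = New-ReceiveConnector -Name $NewName -Server $TargetServer -Usage Custom `
        -TransportRole FrontendTransport -Bindings $src.Bindings `
        -RemoteIPRanges $src.RemoteIPRanges -MaxMessageSize $src.MaxMessageSize
    Set-ReceiveConnector -Identity $new.Identity -PermissionGroups $src.PermissionGroups `
        -AuthMechanism $src.AuthMechanism

    # Copy the ms-Exch-SMTP-Accept-Any-Recipient grant for ANONYMOUS LOGON only
    # if the source connector actually had it.
    $anonRelay = Get-ADPermission -Identity $src.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { $_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient' }
    if ($anonRelay) {
        $new | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
            -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null
    }

    Get-ReceiveConnector -Identity $new.Identity
}

function Add-RelayIPs {
    param(
        [Parameter(Mandatory)][string]$Connector,  # "SERVER\ConnectorName"
        [Parameter(Mandatory)][string]$Path        # one IP, CIDR or range per line; '#' starts a comment
    )
    $conn     = Get-ReceiveConnector -Identity $Connector
    $existing = $conn.RemoteIPRanges | ForEach-Object { $_.ToString() }
    $added    = 0

    foreach ($line in Get-Content -Path $Path) {
        $entry = $line.Trim()
        if (-not $entry -or $entry.StartsWith('#')) { continue }       # blank or comment line
        if ($entry -match '^0\.0\.0\.0(-255\.255\.255\.255|/0)$') {     # would create an open relay
            Write-Warning "Skipping $entry (matches every address)"
            continue
        }
        if ($existing -contains $entry) { continue }                     # already present
        $conn.RemoteIPRanges += $entry                                   # string converts to IPRange
        $added++
    }

    if ($added -gt 0) {
        Set-ReceiveConnector -Identity $Connector -RemoteIPRanges $conn.RemoteIPRanges
    }
    "$added address range(s) added to $Connector"
}

# Usage (placeholder server name; the source connector name is the one from step 2):
# Copy-RelayConnector -SourceConnector 'CPLEXCH03\GC APP-FFRAPP-2013' -TargetServer 'NEWEXCH01' -NewName 'AppRelay'
# Add-RelayIPs -Connector 'NEWEXCH01\AppRelay' -Path 'C:\printer.txt'
```

The Export-Clixml backup is the piece worth keeping after the migration: `Import-Clixml` gives you the exact source settings to compare against if relaying applications start failing after cutover.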


Method 2.

You can use the scripts below to copy a receive connector to multiple servers.

Copy a receive connector from one Exchange Server to multiple Exchange Servers

Clone Exchange 2016/2013 SMTP Receive connectors