From Jim Harrison and confirmed by Jason Jones:
No; I’m saying that if CIO-JerkyBoy is intent on a no-prompt user experience, Amy will have to:
- configure his OL to use NTLM (you probably overlooked this one) and point it to the oa.domain.tld listener
- create two listeners for Exch; one for OA and another to support FBA / Basic
- create separate DNS records for the two listeners (yes; now they have to use “oa.domain.tld” and “EveryFreakinOtherExchServiceCuzTheCioIsAJerkyBoy.domain.tld”)
- configure the OA ISA listener for Integrated authentication
- configure the non-OA listener for FBA
- build two rules appropriate to the two listeners and point them both to the same Exchange CAS or farm
For detailed instructions on how to configure KCD with an Exchange 2003 in a FE/BE configuration:
You can use that information to configure your Exchange 2007 CAS; the general principles are the same. Or maybe you can wait until the Exchange Team puts out guidance, but don’t hold your breath 🙂
For more information on how to set SPNs in an environment that differs from my example network in the KCD article I wrote, check out Stefaan Pouseele’s article at:
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP — Microsoft Firewalls (ISA)