Recently we came across an issue where certain users in our domain could not connect to Outlook Anywhere externally when connected via Direct Access.
The thing we found bizarre was that certain users could authenticate with Exchange while another user who was practically identical couldn't. Please note we had Kerberos constrained delegation set for Outlook Anywhere.
When a broken user attempted to connect to Exchange, the following event was logged in the Application log on the UAG server:
Event ID 120
The S4U2Self Kerberos token for user Username with source IP address IP Address cannot be retrieved. Protocol transition failed. The application is Exchange 2010 on trunk TrunkName; Secure=1.
In the System log there were also Kerberos errors (please note, these appeared after Kerberos logging had been enabled on the UAG server), and the errors below were also shown in Netmon.
To fix this we added our UAG server to the Windows Authorization Access Group; straight away everything sprang into life and every user could connect to Outlook via Outlook Anywhere.
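The check and fix described above, as an added PowerShell example (not from the original post): it verifies whether the UAG server's computer account is in the Windows Authorization Access Group, adds it if missing, and lists recent Event ID 120 entries. The server name `UAG01` is a placeholder, and the script assumes the ActiveDirectory RSAT module and an account permitted to modify the group.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# and a domain account allowed to change membership of the group.
Import-Module ActiveDirectory

$UagServer = 'UAG01'   # placeholder: replace with the UAG server's computer name
$GroupName = 'Windows Authorization Access Group'

# Look up the UAG server's computer account object
$uagAccount = Get-ADComputer -Identity $UagServer

# Current members of the group (recursive, so nested membership counts too)
$members = Get-ADGroupMember -Identity $GroupName -Recursive

if ($members.distinguishedName -contains $uagAccount.DistinguishedName) {
    Write-Host "$UagServer is already a member of '$GroupName'."
} else {
    Write-Host "$UagServer is NOT a member of '$GroupName'; adding it."
    # Membership of this built-in group grants read access to the
    # tokenGroupsGlobalAndUniversal attribute, which the server needs in order
    # to build the user's token during the S4U2Self protocol transition.
    Add-ADGroupMember -Identity $GroupName -Members $uagAccount
    Write-Host "Restart $UagServer so its computer account picks up the new group before retesting."
}

# Run on the UAG server itself: show recent Event ID 120 entries
# (S4U2Self token retrieval failures) from the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 120 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message | Format-List
```

Rerun the event query after the change; if Event ID 120 stops appearing for the previously broken users, the protocol transition is now succeeding.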