Kerberos Delegation and NTLM auth Exchange 2013
Hi,
Most SSO methods need the password variable (Basic, NTLM, form-based, ...).
If authentication does not provide this information, APM cannot reuse it. That's true for NTLM, OTP or SAML auth.
For every Exchange 2013, Kerberos is recommended for 2 services:
- OA (to allow NTLM auth)
- OWA (client-based form-based SSO does not work every time)
- ECP (shares the same authentication as OWA)
When Kerberos SSO is deployed for these services, the better configuration is to enable it on all services to simplify the VPE tree.
If you configure NTLM for some services and Kerberos for others, the variable session.logon.last.domain may have 2 possible values:
- Windows NT domain for NTLM
- REALM for Kerberos