Adding NTLM support for Outlook publishing

TAC supports NTLM authentication for Outlook publishing. Kerberos Constrained Delegation (KCD) enables published web servers to authenticate users by Kerberos after TAC verifies their identity by using a non-Kerberos authentication method. This saves users from having to enter their credentials twice.


Note: The administrator must ensure that the backend Exchange server has NTLM enabled and that Negotiate is enabled transparently. If the administrator cannot enable NTLM authentication or Negotiate authentication on the backend server, TAC should be configured to use Basic authentication.

To configure KCD, first export the LDIF file to Active Directory so that the KCD settings are available in Active Directory. Doing so ensures that TAC is able to delegate Kerberos for the specified services (http) to all the CAS being published.

Before you export the KCD file, you need to enable and configure the TAC application to use NTLM authentication; the required servers will then be listed in the KCD Settings Export window.

If Basic was previously enabled and the administrator would like to switch to NTLM, the administrator must carry out the KCD export steps, as one or more new servers may be listed.

To configure KCD for Outlook Publishing in TAC, do the following:  

1. Open the TAC Configuration Console.

2. Click Configuration and select Export KCD Settings. This opens the KCD Export window.

   Make sure all SPNs are listed for delegation configuration in Active Directory.

3. Click Export to LDIF and save the exported file.

The exported file should now be imported into Active Directory. To do this, first copy the exported file into AD, then run the following command to import the changes to AD:

ldifde -i -f (path to previously created file)

Assuming you see no errors, the changes will be made in AD. To validate those changes, view the properties of the TAC server computer object in AD and look at the Delegation tab, which should show that TAC has rights to delegate http only, to both Client Access servers in the site.
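
The same validation can be scripted instead of read off the Delegation tab. The following is an added example, not part of the TAC documentation or product: it reads the delegation list (the msDS-AllowedToDelegateTo attribute) from the TAC computer object and flags any entry that is not an http SPN for an expected Client Access server. The computer name TAC-SERVER and the two CAS host names are placeholders, and the helper name Test-DelegationSpn is hypothetical.

```powershell
# Added example: audit the constrained-delegation list on the TAC computer object.
# Requires the ActiveDirectory module (RSAT). Names below are placeholders.
Import-Module ActiveDirectory

$TacComputer = 'TAC-SERVER'                               # placeholder: TAC server computer account
$ExpectedCas = @('cas1.example.com', 'cas2.example.com')  # placeholder: published Client Access servers

function Test-DelegationSpn {
    param([string]$Spn, [string[]]$AllowedHosts)
    # SPN layout: serviceclass/host[:port][/servicename]
    $class, $rest = $Spn -split '/', 2
    $hostName = ($rest -split '[:/]')[0]
    # Accept both the FQDN and the short (NetBIOS-style) form of each expected host
    $shortNames = $AllowedHosts | ForEach-Object { ($_ -split '\.')[0] }
    [pscustomobject]@{
        Spn            = $Spn
        HostName       = $hostName
        ServiceClassOk = ($class -ieq 'http')
        HostOk         = ($AllowedHosts -contains $hostName) -or ($shortNames -contains $hostName)
    }
}

$computer = Get-ADComputer -Identity $TacComputer `
    -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

$results = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ } |
    ForEach-Object { Test-DelegationSpn -Spn $_ -AllowedHosts $ExpectedCas })

# Entries that go beyond "http only, to the Client Access servers"
$unexpected = @($results | Where-Object { -not ($_.ServiceClassOk -and $_.HostOk) })

# Expected servers that have no http entry at all (SPN missing from the export)
$covered = @($results | Where-Object { $_.ServiceClassOk } | ForEach-Object { $_.HostName })
$missing = @($ExpectedCas | Where-Object {
    ($covered -notcontains $_) -and ($covered -notcontains ($_ -split '\.')[0])
})

if ($computer.TrustedForDelegation) {
    Write-Warning 'Unconstrained delegation is enabled on this account; KCD should be constrained.'
}
# Reported for review: the "use any authentication protocol" (protocol transition) flag
"Protocol transition flag set: $($computer.TrustedToAuthForDelegation)"
$results | Format-Table Spn, ServiceClassOk, HostOk -AutoSize
if ($unexpected.Count) { Write-Warning "Unexpected delegation targets: $($unexpected.Spn -join ', ')" }
if ($missing.Count)    { Write-Warning "No http delegation entry for: $($missing -join ', ')" }
```

Run it from a machine with the ActiveDirectory module after the ldifde import completes; any warning means the delegation list differs from the http-only scope described above.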