TAC supports NTLM authentication for Outlook publishing. Kerberos Constrained Delegation (KCD) enables published web servers to authenticate users by Kerberos after TAC has verified their identity with a non-Kerberos authentication method. This prevents users from having to enter their credentials twice.
Note: The administrator must ensure that the SharePoint backend server has Negotiate (Kerberos) authentication enabled if NTLM is to be used for SharePoint. Often it is not enabled. If the administrator cannot enable Negotiate authentication on the backend server, TAC should be configured to use Basic authentication instead.
To configure KCD, first export an LDIF file and import it into Active Directory. This makes the KCD settings available in Active Directory so that TAC is able to delegate Kerberos for the specified service (http) to all the CAS being published.
Before you export the KCD file, you need to enable and configure the TAC application to use NTLM authentication; the required servers will then be listed in the KCD Settings Export window.
If Basic was previously enabled and the administrator would like to switch to NTLM, the KCD export steps must be repeated, as there may be new server(s) listed.
To configure KCD for SharePoint Publishing in TAC, do the following:
1. Open TAC Configuration Console.
2. Click Configuration and select Export KCD Settings. This will open KCD Export Window.
Make sure all SPNs are listed for the delegation configuration in Active Directory.
3. Click Export to LDIF and save the exported file.
Now the exported file should be imported into Active Directory. To do this, first copy the exported file to a domain controller and run the following command to import the changes into AD:
ldifde -i -f (path to previously created file)
Assuming you see no errors, the changes will be made in AD. To validate those changes, you can simply view the properties of the TAC server computer object in AD and look at the Delegation tab, which shows that the TAC computer account has the right to delegate only the http service to the backend servers in the site.
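The Delegation tab check above can also be scripted. The following is an added example, not part of the TAC documentation, that reads the TAC computer object after the ldifde import and reports anything other than constrained http delegation to the expected backends; it assumes the ActiveDirectory PowerShell module is installed, and the computer name and backend list are placeholders.

```powershell
# Added example (not TAC's own code): validate KCD on the TAC computer object.
# Assumes the ActiveDirectory module is available on the machine where it runs.
Import-Module ActiveDirectory

$TacComputerName  = 'TACSERVER'                                  # placeholder
$ExpectedBackends = @('cas01.corp.example', 'cas02.corp.example') # constructed

# Documented userAccountControl bits.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: must be OFF
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: needed when
                                             # TAC authenticates users with NTLM/Basic

$obj  = Get-ADComputer -Identity $TacComputerName `
            -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$uac  = [int]$obj.userAccountControl
$spns = @($obj.'msDS-AllowedToDelegateTo')

$problems = @()
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    $problems += 'Unconstrained delegation is enabled; only constrained (KCD) should be set.'
}
if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    $problems += 'TrustedToAuthForDelegation is not set; delegation after NTLM front-end auth will fail.'
}
if ($spns.Count -eq 0) {
    $problems += 'msDS-AllowedToDelegateTo is empty; the LDIF import may not have applied.'
}

# Short host names in the exported SPNs are matched against the first label of each FQDN.
$allowedHosts = $ExpectedBackends + ($ExpectedBackends | ForEach-Object { ($_ -split '\.')[0] })
foreach ($spn in $spns) {
    $service, $hostPart = $spn -split '/', 2
    $hostName = ($hostPart -split ':')[0]          # drop an optional port
    if ($service -ne 'http') {
        $problems += "Non-http service delegated: $spn"
    }
    if ($allowedHosts -notcontains $hostName) {
        $problems += "Delegation target is not a published backend: $spn"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $TacComputerName delegates http only to $($spns -join ', ')"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it as a user with read access to the TAC computer object; any warning means the imported LDIF did not produce the http-only constrained delegation the Delegation tab should show.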