How to Enable KCD Auth for Outlook Anywhere with ESP for Exchange 2013 & 2016
Scope
Enable Kerberos Constrained Delegation (KCD) with the Edge Security Pack (ESP) for Outlook Anywhere.
Limitations:
1. Outlook must be operating in "Cached Mode".
2. Currently ESP-NTLM is not supported with Windows 10 "Credential Guard".
If these limitations prevent you from using NTLM with ESP, you can use Client Authentication Mode "Basic" instead of "NTLM" for your EWS and MAPI Sub Virtual Services. This is usually suitable for most environments because the traffic is encrypted end to end, and credentials can be saved on the Outlook Anywhere client, similar to ActiveSync.
Configuration
Important: For Exchange 2013 you will need to configure Exchange to use MAPI over HTTP. This is only necessary when using NTLM; if you are using "Basic" on the client side, you can keep RPC configured.
https://technet.microsoft.com/en-us/library/mt634322(v=exchg.160).aspx
Disable Additional L7 Header
System Configuration > Miscellaneous Options > L7 Configuration > Additional L7 Header = "None"
Configure Virtual Services
1. Configure EWS and MAPI Sub-Virtual Services (SubVSs) with NTLM for Client Side Authentication and KCD for the Server Side Authentication.
NTLM
https://support.kemptechnologies.com/hc/en-us/articles/205651585-NTLM
You will need to have a functioning KCD environment already in place. Please refer to our KCD documentation for further information:
https://support.kemptechnologies.com/hc/en-us/articles/203860275-Kerberos-Constrained-Delegation
NOTE: If you plan on using NTLM and you need to create mailboxes externally, you will need to create an additional pass-through Virtual Service whose real server is your main Exchange VS IP. This is referred to as a Nested/Cascaded Virtual Service.
1.1 Navigate to your Exchange Virtual Service > EWS SubVS.
Set Client Authentication Mode to NTLM (or Basic).
Set Server Authentication Mode to KCD and select your configured server-side configuration.
If Basic is used for client-side authentication, the server-side configuration defaults to "Basic".
1.2 Navigate to your Exchange Virtual Service > MAPI SubVS > Advanced Settings.
Set "Additional L7 Headers" to NONE.
1.3 Navigate to ESP Options
Set Client Authentication Mode to NTLM (or Basic).
Set Server Authentication Mode to KCD. If Basic is used for client-side authentication, the server-side mode defaults to Basic.
2. Specify Outlook Authentication Method for External Client
2.1 Log into ECP as an Exchange Administrator > Servers > Open (double-click) the Exchange Server > Outlook Anywhere > Specify the authentication method for external clients to use. Set it to NTLM and save, or select Basic if the ESP Client Side Mode is set to "Basic".
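The Exchange-side settings from the "Important" note and step 2.1 above, as an added Exchange Management Shell example that is not part of this article; the function name Sync-OutlookAnywhereAuthWithEsp and its EspClientMode parameter are my own, and the script assumes it runs in an Exchange Management Shell with Organization Management rights.

```powershell
# Added example, not from the Kemp article. Run in the Exchange Management Shell.
# Aligns Exchange with the ESP Client Authentication Mode chosen on the EWS/MAPI
# SubVSs. Function and parameter names are assumptions of this example.
function Sync-OutlookAnywhereAuthWithEsp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Must match the ESP "Client Authentication Mode" on the EWS and MAPI SubVSs.
        [Parameter(Mandatory = $true)]
        [ValidateSet('NTLM', 'Basic')]
        [string]$EspClientMode
    )

    # The NTLM/KCD path needs MAPI over HTTP; Exchange 2013 does not enable it by default.
    if ($EspClientMode -eq 'NTLM') {
        $org = Get-OrganizationConfig
        if (-not $org.MapiHttpEnabled) {
            if ($PSCmdlet.ShouldProcess('Organization', 'Enable MAPI over HTTP')) {
                Set-OrganizationConfig -MapiHttpEnabled $true
            }
        }
    }

    # Map the ESP mode to the value Set-OutlookAnywhere expects.
    $target = if ($EspClientMode -eq 'NTLM') { 'Ntlm' } else { 'Basic' }

    # Step 2.1, applied to every server rather than one ECP dialog at a time.
    # Requiring SSL keeps the end-to-end encryption the article relies on.
    foreach ($oa in Get-OutlookAnywhere) {
        if ($oa.ExternalClientAuthenticationMethod -ne $target -or -not $oa.ExternalClientsRequireSsl) {
            if ($PSCmdlet.ShouldProcess($oa.Identity, "Set external client auth to $target over SSL")) {
                Set-OutlookAnywhere -Identity $oa.Identity `
                    -ExternalClientAuthenticationMethod $target `
                    -ExternalClientsRequireSsl $true
            }
        }
    }

    # Report the resulting state so it can be compared with the LoadMaster ESP settings.
    Get-OutlookAnywhere | Select-Object Server, ExternalHostname,
        ExternalClientAuthenticationMethod, ExternalClientsRequireSsl
}

# Preview the changes first, then apply them:
# Sync-OutlookAnywhereAuthWithEsp -EspClientMode NTLM -WhatIf
# Sync-OutlookAnywhereAuthWithEsp -EspClientMode NTLM
```

Use -EspClientMode Basic instead when the EWS and MAPI SubVSs are set to Basic client-side authentication; the MAPI over HTTP step is then skipped, as the note above says RPC can remain in that case.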