Outlook Anywhere with ESP (Exchange 2013 and 2016)

Scope

Enable Kerberos Constrained Delegation (KCD) with the Edge Security Pack (ESP) for Outlook Anywhere.

 

Configuration

Note: Exchange 2013 must be configured to use MAPI over HTTP (available from Exchange 2013 SP1 and disabled by default at the organization level; Exchange 2016 enables it by default). See:

https://technet.microsoft.com/en-us/library/mt634322(v=exchg.160).aspx

 

1. Configure the EWS and MAPI Sub-Virtual Services (SubVSs) with NTLM for client-side authentication and KCD for server-side authentication.

A working KCD environment (delegation configured for the LoadMaster's service account and the Exchange SPNs) must already be in place. Refer to our KCD documentation for details:

https://support.kemptechnologies.com/hc/en-us/articles/203860275-Kerberos-Constrained-Delegation

 

Important:

1. The Exchange mailbox profile must already exist on the client system. A new Outlook profile cannot be created when the connection goes through ESP with NTLM.

2. Depending on the number of external users, the LoadMaster may request hundreds or thousands of Kerberos tickets per second. Keep an eye on LoadMaster resource usage under Statistics > Real Time Statistics, or configure SNMP monitoring.

3. The LoadMaster requests Kerberos tickets using the user principal name (UPN) only, not the sAMAccountName.

4. Outlook must run in Cached Exchange Mode.

5. ESP-NTLM is currently not supported with Windows 10 Credential Guard.

 

If these limitations prevent you from using NTLM with ESP, set the Client Authentication Mode of the EWS and MAPI SubVSs to "Basic" instead of "NTLM". This is suitable for most environments: the client connection is TLS-encrypted, and with SSL re-encryption enabled on the Virtual Service the connection to Exchange is encrypted as well, so the Basic credentials are only ever in cleartext inside the LoadMaster. Credentials can also be saved on the Outlook Anywhere client. Do not expose a Basic SubVS over plain HTTP, as Basic authentication sends the password in the Authorization header of every request.

 

1.1 Navigate to your Exchange Virtual Service > EWS SubVS.

Set Client Authentication Mode to NTLM (or Basic).

Set Server Authentication Mode to KCD and select your configured server-side (KCD) configuration.

If Client Authentication Mode is Basic, Server Authentication Mode defaults to Basic.

 

 

1.2 Navigate to your Exchange Virtual Service > MAPI SubVS > Advanced Settings.

Set "Additional L7 Headers" to None.

 

1.3 Navigate to the MAPI SubVS > ESP Options.

Set Client Authentication Mode to NTLM (or Basic).

Set Server Authentication Mode to KCD. If Client Authentication Mode is Basic, Server Authentication Mode defaults to Basic.

 

2. Specify the Outlook Anywhere authentication method for external clients

2.1 Log in to the ECP as an Exchange administrator > Servers > open (double-click) the Exchange server > Outlook Anywhere > "Specify the authentication method for external clients to use". Set this to NTLM and save, or to Basic if the ESP Client Authentication Mode is set to Basic.
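The Exchange-side settings referenced in this article (the MAPI over HTTP note and step 2), as an added Exchange Management Shell example that is not part of the KEMP article. The server name EXCH01 is a placeholder, and the virtual-directory checks are an addition: they verify what server-side KCD (a Kerberos ticket, accepted via Negotiate/Windows authentication) or server-side Basic requires of the EWS and MAPI virtual directories, which the article does not spell out.

```powershell
# Added example (not from the KEMP article): Exchange Management Shell
# equivalents of the MAPI over HTTP note and of step 2, plus a check that the
# EWS/MAPI virtual directories will accept what the LoadMaster sends server-side.
# EXCH01 is a placeholder. Set $EspClientMode to match the ESP Client
# Authentication Mode chosen in steps 1.1 and 1.3 ("Ntlm" or "Basic").

$Server        = "EXCH01"
$EspClientMode = "Ntlm"   # or "Basic"

# --- MAPI over HTTP: required on Exchange 2013 SP1+, on by default on 2016 ---
if (-not (Get-OrganizationConfig).MapiHttpEnabled) {
    Write-Host "Enabling MAPI over HTTP at the organization level"
    Set-OrganizationConfig -MapiHttpEnabled $true
}

# --- Virtual directory checks (added; not a step in the original article) ---
# With server-side KCD the LoadMaster presents a Kerberos ticket, so the
# EWS vdir needs Windows authentication and the MAPI vdir needs Negotiate.
# With Basic client mode the server side defaults to Basic, so the vdirs
# must accept Basic instead.
$ews  = Get-WebServicesVirtualDirectory -Server $Server
$mapi = Get-MapiVirtualDirectory -Server $Server

if ($EspClientMode -eq "Ntlm") {
    if (-not $ews.WindowsAuthentication) {
        Write-Warning "EWS vdir '$($ews.Identity)' does not allow Windows auth; server-side KCD will fail."
    }
    if ($mapi.IISAuthenticationMethods -notcontains "Negotiate") {
        Write-Warning "MAPI vdir '$($mapi.Identity)' does not list Negotiate; server-side KCD will fail."
    }
} else {
    if (-not $ews.BasicAuthentication) {
        Write-Warning "EWS vdir '$($ews.Identity)' does not allow Basic auth; server-side Basic will fail."
    }
    if ($mapi.IISAuthenticationMethods -notcontains "Basic") {
        Write-Warning "MAPI vdir '$($mapi.Identity)' does not list Basic; server-side Basic will fail."
    }
}

# --- Step 2: Outlook Anywhere external client authentication method ---
$oa = Get-OutlookAnywhere -Server $Server
$oa | Format-List Identity, ExternalHostname, ExternalClientAuthenticationMethod, IISAuthenticationMethods

# Match the ESP Client Authentication Mode: NTLM when ESP uses NTLM, Basic when ESP uses Basic.
if ($oa.ExternalClientAuthenticationMethod -ne $EspClientMode) {
    Set-OutlookAnywhere -Identity $oa.Identity -ExternalClientAuthenticationMethod $EspClientMode
}

# Verify the change took effect.
Get-OutlookAnywhere -Server $Server | Format-List Identity, ExternalClientAuthenticationMethod
```

Run this on an Exchange server (or in a remote Exchange Management Shell session) as an account with Organization Management rights. The warnings only report the virtual-directory state; they do not change it, because which authentication methods a virtual directory should accept is a decision for the KCD setup referenced earlier, not for this article.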

 
