Outlook Anywhere with ESP Exchange 2013 &2016


Enable Kerberos Contained Delegation (KCD) with the Edge Security Pack (ESP) for Outlook Anywhere.

Note: For Exchange 2013 you will need to configure Exchange to use MAPI over HTTP. 





1. Configure EWS and MAPI Sub-Virtual Services (SubVSs) with NTLM for Client Side Authentication and KCD for the Server Side Authentication.  

You will need to have a functioning KCD environment previously in place. Please refer to our KCD documentation for further information:




1. Exchange Mailbox Profile needs to be preexisting on Client system. It's not possible to create a user profile going through ESP with NTLM. 

2. Depending on the number of external users, you could end up generating hundreds or thousands of Kerberos tickets per second. Please keep an eye on your Load Masters resources found under Statistics > Realtime Statistics or configure SNMP monitoring

3. The Load Master won't request Kerberos tickets using Sam Account Name, only UPN Name. 

4. Outlook must be operating in "Cached Mode". 

5. Currently not support with Windows 10 "Credential Guard".


SNMP Monitoring


1.1 Navigate to your Exchange Virtual Service > EWS SubVS.

Enable NTLM in Client Authentication Mode.

Enable KCD in Server Authentication Mode and select your configured Server Side configuration.



1.2 Navigate to your Exchange Virtual Service > MAPI SubVS > Advanced Settings. 

Set "Additional L7 Headers" to NONE.


1.3 Navigate to ESP Options 

Enable NTLM in Client Authentication Mode.

Enable KCD in Server Authentication Mode.


2.   Configure Outlook Anywhere for client side NTLM Authentication using ECP.

2.1 Log into ECP as an Exchange Administrator > Servers > Open (Double Click) Exchange Server > Outlook Anywhere > Specify Authentication Method for External Clients to use. Set to NTLM and Save.


Was this article helpful?

0 out of 0 found this helpful