Exchange Extended Protection and Kerberos Constrained Delegation Authentication

 

Information

 

Summary:

Where Windows Authentication is in use, Microsoft recommends enabling Extended Protection, and has been enabling it through the latest cumulative updates (CUs) for Exchange Server. This article outlines what is and is not supported when Extended Protection is enabled on Exchange and the Edge Security Pack (ESP) is used on the LoadMaster, particularly with Kerberos Constrained Delegation (KCD).

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Exchange

Question/Problem Description:

Is it possible to have Extended Protection enabled on Exchange and use KCD authentication on the LoadMaster via ESP?

Cause:

Extended Protection enhances the existing Windows authentication functionality to mitigate authentication relay or "man in the middle" attacks. This newly recommended feature may cause Kerberos authentication to stop working when using the LoadMaster, even though the Kerberos ticket is generated successfully from the LoadMaster's perspective. Typically, Extended Protection is set to "Required" by default. In the Windows Security log (viewed in Event Viewer), there may be "Audit Failure" entries with a Failure Reason of "%%2304". Please consult Microsoft for further guidance on this particular error.

Resolution:

 

Workaround: Changing Extended Protection to "Accept" instead of "Required" will allow Kerberos authentication to function again with no errors in the Windows Security logs. The explanation for "Accept" versus "Required" according to Microsoft is: "Select Accept if you want to enable extended protection while providing down-level support for clients that do not support extended protection. Select Required if you want to enable extended protection without providing down-level support."
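
To see which IIS applications are set to "Required" versus "Accept" and whether the "%%2304" audit failures are being logged, the following PowerShell can be run elevated on the Exchange server. It is an added example, not a Kemp or Microsoft script. It assumes the WebAdministration module is available, and the 24-hour look-back window is an arbitrary choice.

```powershell
# Added example: report the Extended Protection setting of every IIS application
# and count recent Security-log audit failures that carry Failure Reason %%2304.
Import-Module WebAdministration

# IIS stores the setting as tokenChecking; IIS Manager shows these labels.
$uiLabel = @{ None = 'Off'; Allow = 'Accept'; Require = 'Required' }
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AuthSetting([string]$Location, [string]$Filter, [string]$Name) {
    # Some attributes come back wrapped in an object with a .Value property.
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v = $v.Value }
    return $v
}

$report = foreach ($site in Get-Website) {
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $location = $site.Name + $app.path      # "<site name>/<application>"
        $token    = [string](Get-AuthSetting $location "$winAuth/extendedProtection" 'tokenChecking')
        [pscustomobject]@{
            Location           = $location
            WindowsAuthEnabled = Get-AuthSetting $location $winAuth 'enabled'
            TokenChecking      = $token
            IisManagerLabel    = $uiLabel[$token]
        }
    }
}
$report | Sort-Object Location | Format-Table -AutoSize

# Audit Failure events in the Security log, filtered on the raw event XML,
# where the failure reason is stored unexpanded as "%%2304".
$auditFailure = 0x10000000000000          # standard "Audit Failure" keyword
$since        = (Get-Date).AddHours(-24)  # assumption: look back one day
$hits = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Keywords = $auditFailure; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -match '%%2304' }

"Audit failures with %%2304 since ${since}: $(@($hits).Count)"
$hits | Select-Object -First 5 TimeCreated, Id, MachineName | Format-Table -AutoSize
```

Running it before and after the change shows which applications moved from "Required" to "Accept" and whether the audit failures stop.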

Notes:

More information on Extended Protection:

https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/extendedprotection/

https://support.kemptechnologies.com/hc/en-us/articles/8448969062157-Extended-Protection-for-Microsoft-Exchange-Server-KB5017260

