Windows Domain Authentication

• Microsoft Windows file servers using signed SMB or signed SMB2/3 for file sharing to Microsoft Windows clients.

• Microsoft Internet Information Services (IIS) web servers running HTTP or HTTP-based web applications such as SharePoint 2007.

Optimization in a secure Windows environment has changed with each release of RiOS.

For details, go to Optimizing in a Secure Windows Environment and the SteelHead Deployment Guide - Protocols.

RiOS 8.5 and later support:

• Kerberos trust authentication as an alternative to creating and using a specific Kerberos replication user. This alternative is useful in trust models with split resource and management Active Directory domains such as Office 365 or other managed service providers.

• A set of domain health status commands that serves as a troubleshooting tool to identify, diagnose, and report possible problems with a SteelHead within a Windows domain environment. For details, see Checking Domain Health.

• A set of widgets that simplify the SteelHead configuration necessary to optimize traffic in an secure environment.

This table shows the different combinations of Windows clients and authentication methods with the required minimum version of RiOS and Windows configuration (delegation, Kerberos, Active Directory integrated) for the server-side SteelHead.

Client OS	Authentication Method	RiOS 7.0 Active Directory Integrated Mode	RiOS 7.0 Kerberos	RiOS 9.x Active Directory Integrated Mode
Windows 7	Negotiate authentication/SPNEGO	Optimized using NTLM	Optimized using Kerberos	Optimized transparent
Any client up to Windows 7	Kerberos	Optimized	Optimized	Optimized
Windows 8 and 8.1	NTLM	Optimized	Optimized	Optimized
Windows 8 and 8.1	Kerberos	Optimized (fallback)	Optimized	Optimized

For Windows 8 clients behavior, use Windows 7 information in the above table, and RiOS 8.5 or later. For Windows 8.1 and Windows 10 clients, use RiOS 9.0 or later.

RiOS 7.0 and later support end-to-end Kerberos authentication for these secure protocols:

When you configure the server-side SteelHead to support end-to-end Kerberos authentication, you can join it to the domain in Active Directory integrated mode to support other clients that might be using NTLM authentication. This configuration can provide flexible and broad support for multiple combinations of Windows authentication types in use within the Active Directory environment.

RiOS 7.0 and later protect authentication credentials for delegate and replication users by storing them in the SteelHead secure vault. The secure vault contains sensitive information about your SteelHead configuration.

You must unlock the secure vault to view, add, remove, or edit any replication or delegate user configuration details that are stored on the SteelHeads. In RiOS 7.0 and later, the system initially locks the secure vault on a new SteelHead with a default password known only to RiOS. This lock allows the SteelHead to automatically unlock the vault during system start up. You can change the password, but the secure vault doesn’t automatically unlock on start up. RiOS also locks the secure vault on a SteelHead that is upgraded to RiOS 7.0 and later.

For details, see Unlocking the Secure Vault.

To migrate previously configured authentication credentials to the secure vault after upgrading to RiOS 7.0 or later from 6.5.x or earlier, unlock the secure vault and then enter this CLI command at the system prompt:

For details, see the Riverbed Command-Line Interface Reference Manual.

Windows 7 clients with RiOS 7.0 and later can use Kerberos authentication for maximum security. Kerberos authentication doesn’t require delegation mode configuration, but you must configure both NTLM authentication (either transparent mode or delegation mode) along with Kerberos authentication (if desired).