This section describes how to configure an appliance to optimize in an environment where there are:

There are also CLI commands available that serve as a troubleshooting tool to identify, diagnose, and report possible problems with an appliance within a Windows domain environment. For details, see the Riverbed Command-Line Interface Reference Manual, the SteelHead Deployment Guide, and the SteelHead User Guide.

These configuration options are available:

Displays the controls to add a user with trusted delegation rights to a domain. You can only add one delegate user per domain. A delegate user is required in each of the domains where a server is going to be optimized.

Specifies the delegation domain in which you want to make the delegate user a trusted member. For example, SIGNING.TEST. You can’t specify a single-label domain name (a name without anything after the dot), as in riverbed instead of riverbed.com.

Specifies the delegate username. The maximum length is 20 characters. The username can’t contain any of these characters: / \ [ ] : ; | = , + * ? < > @ "

The system translates the username into uppercase to match the registered server realm information.

Specifies the user account password.

Confirms the user account password.

Adds the user.

These configuration options are available:

Enables transparent authentication using NTLM and provide more control to specify the exact servers to perform optimization for. When you select this mode, you must specify each server on which to delegate and sign for each domain using the Delegate-Only and Delegate-All-Except controls. This is the default setting.

Enables delegate user authentication and automatically discover the servers on which to delegate and sign. Automatic discovery eliminates the need to set up the servers on which to delegate and sign for each domain. This mode requires additional configuration. For details, see autodelegation mode.

A delegate user is required in each of the domains where a server is going to be optimized.

Intercepts the connections destined for the servers in this list. By default, this setting is enabled. Specify the file server IP addresses for SMB signed or MAPI encrypted traffic in the text box, separated by commas.

Intercepts all of the connections except those destined for the servers in this list. Specify the file server IP addresses that don’t require SMB signing or MAPI encryption in the text box, separated by commas. By default, this setting is disabled. Only the file servers that don’t appear in the list are signed or encrypted.

Kerberos end-to-end authentication relies on Active Directory replication to obtain machine credentials for any servers that require secure protocol optimization. Joining the managed appliance to a Windows domain is no longer necessary to enable Kerberos authentication.

The RiOS replication mechanism requires a domain user with AD replication privileges, and involves the same AD protocols used by Windows domain controllers. These procedures explain how to configure replication to use Kerberos authentication for these features:

These configuration options are available:

Displays the controls to add a user with replication privileges to a domain.

You can add one replication user per forest.

Specifies the AD domain in which you want to make the replication user a trusted member. For example, SIGNING.TEST. The SteelHead replicates accounts from this domain. To facilitate configuration, you can use wildcards in the domain name. For example, *.nbttech.com. You can’t specify a single-label domain name (a name without anything after the dot), as in riverbed. instead of riverbed.com.

Specifies the domain the user belongs to, if different from the Active Directory domain name. We recommend that you configure the user domain as close to the root as possible.

Specifies the replication username. The user must have privileges to change the replicate directory. The username can be an administrator. A replicate user that’s an administrator already has the necessary replication privileges. The maximum username length is 20 characters. The username can’t contain any of these characters:

/ \ [ ] : ; | = , + * ? < > @ "

The system translates the username into uppercase to match the registered server realm information.

Specifies the user account password.

Confirms the user account password.

The PRP is essentially a set rules describing which accounts the server is allowed to replicate. When PRP is enabled, the server-side SteelHead only replicates accounts that it is allowed to as determined by PRP settings for the domain. When a user account isn’t cached locally, the server forwards the authentication to a writeable domain controller that does the authentication. If you allow the users password to be cached, then the server pulls that through a replication request. After the user is authenticated, the server caches the user password and handles any subsequent logins locally.

Enabling a password replication policy (PRP) requires additional configuration in Windows:

Specifies the Windows 2008 or later DC name, which is required when enabling PRP support.

Adds the user.

Enables Kerberos support for restricted trust environments. Kerberos restricted trust includes trust models with split resource and management Active Directory domains such as Office 365 or other managed service providers. For details about restricted trust configurations, see the SteelHead Deployment Guide - Protocols.

Windows XP clients must use TCP for Kerberos in a one-way trust configuration. By default, Kerberos uses UDP. You must change UDP to TCP in a Registry setting.