Choosing an Authentication Mode for the Server-Side SteelHead
There are many combinations and settings for the Windows client operating system, Windows domain level, Windows authentication method, and RiOS version. You can choose from several different configuration options on the server-side SteelHead. In some cases, you can select multiple options to provide the best possible flexibility for your deployment. The options are as follows:
Transparent mode - Authenticate using NTLM pass-through authentication to the Windows domain controller. This option is considered the easiest to deploy with the minimum of administrative overhead. With RiOS v7.0 and later, you can join as Active Directory integrated (Windows 2008/2003). With this join type, the server-side SteelHead supports a much wider selection of Windows client types than with earlier RiOS releases.End-to-end Kerberos - When you need the authentication between Windows clients and servers to be Kerberos from end to end, the server-side SteelHead can make use of a replication user account in the Windows domain. While this is the only choice available when the authentication is required to be end-to-end Kerberos, you can combine it with Transparent mode to provide the most flexibility in the event that some clients still negotiate NTLM authentication.Delegation mode - This is a legacy configuration option within RiOS on the SteelHead. Riverbed does not recommend that you use the configuration for deployments using versions later than RiOS v7.0. Riverbed does recommend that you use delegation mode in deployments with RiOS v7.0 and earlier that have corner-case requirements. For information, see Legacy Delegate User Configurations.