Windows Domain Authentication
This section describes how to configure an appliance to optimize in an environment where there are:
•  Microsoft Windows file servers using signed SMB or signed SMB2 for file sharing to Microsoft Windows clients.
•  Microsoft Exchange Servers providing an encrypted MAPI communication to Microsoft Outlook clients.
•  Microsoft Internet Information Services (IIS) web servers running HTTP or HTTP-based web applications, such as SharePoint 2007 or BPOS-D.
Optimization in a secure Windows environment has changed with each release of the RiOS software. If you are running a version of RiOS software earlier than 5.5, consult the appropriate documentation for that software release.
RiOS 8.0 and later features a set of domain health status commands that serve as a troubleshooting tool to identify, diagnose, and report possible problems with an appliance within a Windows domain environment. For details, see the Riverbed Command-Line Interface Reference Manual, the SteelHead Deployment Guide, and the SteelHead Management Console User’s Guide.
This table describes authentication methods for clients with SteelHeads running RiOS 6.0 and later.

| Client OS | Authentication Method | RiOS 6.0/6.5 (Delegation) | RiOS 7.0 (Kerberos) | RiOS 7.0 (SteelHead Joined As a BDC or RODC) |
| --- | --- | --- | --- | --- |
| XP/Vista | Password authentication/NTLM | Optimized | Optimized | Optimized |
| Windows 7 | Password authentication/NTLM | Optimized in delegation mode | Optimized in delegation mode | Optimized |
| XP/Vista | Negotiate authentication/Simple And Protected Negotiate (SPNEGO) | Optimized using NTLM | Optimized using Kerberos | Optimized using NTLM |
| Windows 7 | Negotiate authentication/SPNEGO | Optimized using NTLM in delegation mode | Optimized using Kerberos | Optimized using NTLM |
| Any client | Kerberos | Passthrough | Optimized | Passthrough |
For details, see the SteelHead Management Console User’s Guide for SteelHead CX.
NTLM
Complete the configuration as described in this table. Each control is listed with its description.
Add a New User
Displays the controls to add a user with trusted delegation rights to a domain.
Note: You can only add one delegate user per domain. A delegate user is required in each of the domains where a server is going to be optimized.
Active Directory Domain Name
Specify the delegation domain in which you want to make the delegate user a trusted member, for example SIGNING.TEST.
Note: You cannot specify a single-label domain name (a name without anything after the dot), as in riverbed instead of riverbed.com.
Username
Specify the delegate username. The maximum length is 20 characters. The username cannot contain any of these characters:
/ \ [ ] : ; | = , + * ? < > @ "
Note: The system translates the username into uppercase to match the registered server realm information.
Password
Specify the user account password.
Password Confirm
Confirm the user account password.
Add
Adds the user.
Delegation Mode
Complete the configuration as described in this table. Each control is listed with its description.
Delegation Mode: Manual
Select to enable transparent authentication using NTLM and to control exactly which servers are optimized. When you select this mode, you must specify, for each domain, each server on which to delegate and sign, using the Delegate-Only and Delegate-All-Except controls.
This is the default setting in RiOS 6.0 and later.
Delegation Mode: Auto
Select to enable delegate user authentication and automatically discover the servers on which to delegate and sign. Automatic discovery eliminates the need to set up the servers on which to delegate and sign for each domain. This mode requires additional configuration. For details, see autodelegation mode.
A delegate user is required in each of the domains where a server is going to be optimized.
Allow delegated authentication to these servers (Delegate-Only)
Click to intercept the connections destined for the servers in this list. By default, this setting is enabled. Specify the file server IP addresses for SMB signed or MAPI encrypted traffic in the text box, separated by commas.
Note: You can switch between the Delegate-Only and Delegate-All-Except controls without losing the list of IP addresses for the control. Only one list is active at a time.
Allow delegated authentication to all servers except the following (Delegate-All-Except)
Click to intercept all of the connections except those destined for the servers in this list. Specify the file server IP addresses that do not require SMB signing or MAPI encryption in the text box, separated by commas. By default, this setting is disabled. Only the file servers that do not appear in the list are signed or encrypted.
Note: Any server not on this list must be registered with the domain controller, or you must be using autodelegation mode.
Apply
Applies your settings.
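The Delegate-Only and Delegate-All-Except controls above are inverses of each other: one list names the servers that are intercepted, the other names the servers that are not, and both lists persist while only one is active. The following Python model of that decision is an added illustration, not Riverbed code; the class name and the sample addresses are constructed.

```python
import ipaddress


class DelegationServerLists:
    """Models the Delegate-Only / Delegate-All-Except controls.

    Constructed illustration, not Riverbed code. Both lists are entered as
    comma-separated IP addresses; both are retained, but only one is active.
    """

    def __init__(self, delegate_only="", delegate_all_except=""):
        self.delegate_only = self._parse(delegate_only)
        self.delegate_all_except = self._parse(delegate_all_except)
        # Delegate-Only is the setting that is enabled by default
        self.active = "delegate-only"

    @staticmethod
    def _parse(text):
        # Split on commas, ignore blanks, reject anything that is not a valid IP
        return {ipaddress.ip_address(item.strip())
                for item in text.split(",") if item.strip()}

    def use_delegate_only(self):
        self.active = "delegate-only"

    def use_delegate_all_except(self):
        self.active = "delegate-all-except"

    def intercepts(self, server_ip):
        """True if a connection to server_ip is intercepted for delegated auth."""
        ip = ipaddress.ip_address(server_ip)
        if self.active == "delegate-only":
            # Only servers explicitly listed receive delegated authentication
            return ip in self.delegate_only
        # Everything is intercepted except the listed servers, which are the
        # ones that do not require SMB signing or MAPI encryption
        return ip not in self.delegate_all_except
```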
Kerberos
Kerberos end-to-end authentication in RiOS 7.0 and later relies on Active Directory replication to obtain machine credentials for any servers that require secure protocol optimization. The RiOS replication mechanism requires a domain user with AD replication privileges, and involves the same AD protocols used by Windows domain controllers. These procedures explain how to configure replication to use Kerberos authentication for the following features:
•  SMB signing
•  SMB2 signing
•  Encrypted MAPI and encrypted Outlook Anywhere
•  HTTP or HTTP-based traffic
For detailed information, see the SteelHead Management Console User’s Guide for SteelHead CX.
Complete the configuration as described in this table. Each control is listed with its description.
Add a New User
Displays the controls to add a user with replication privileges to a domain.
You can add one replication user per forest.
Active Directory Domain Name
Specify the AD domain in which you want to make the replication user a trusted member, for example SIGNING.TEST.
The SteelHead replicates accounts from this domain.
To facilitate configuration, you can use wildcards in the domain name; for example, *.nbttech.com.
You cannot specify a single-label domain name (a name without anything after the dot), as in riverbed instead of riverbed.com.
User Domain
Specify the domain the user belongs to, if different from the Active Directory domain name. Riverbed recommends that you configure the user domain as close to the root as possible.
Username
Specify the replication username. The user must have privileges to replicate directory changes.
The username can be an administrator. A replication user that is an administrator already has the necessary replication privileges.
The maximum username length is 20 characters. The username cannot contain any of these characters:
/ \ [ ] : ; | = , + * ? < > @ "
Note: The system translates the username into uppercase to match the registered server realm information.
Password
Specify the user account password.
Password Confirm
Confirm the user account password.
Enable Password Replication Policy Support
When you deploy the server-side SteelHead for optimizing traffic in a native Kerberos environment, and configure it in Active Directory integrated mode, you can optionally limit its scope when you configure a PRP in the Windows domain. In this way, the SteelHead can only replicate accounts as permitted by the PRP rules. However, this can create additional administrative overhead in managing the PRP.
You cannot configure PRP in Windows 2003 domains.
A Windows server using Active Directory integration locally caches the user and computer accounts that authenticate through it. The PRP is essentially a set of rules describing which accounts the server is allowed to replicate.
When PRP is enabled, the server-side SteelHead replicates only the accounts that the PRP settings for the domain allow. When a user account is not cached locally, the server forwards the authentication to a writeable domain controller, which performs the authentication. If the user's password is allowed to be cached, the server pulls it through a replication request. After the user is authenticated, the server caches the user's password and handles any subsequent logins locally.
Enabling a password replication policy (PRP) requires additional configuration in Windows:
•  Configure the replication user on the DC.
•  Check the domain functional level.
•  Configure PRP support on the DC.
DC Name
Specify the Windows 2008 or later DC name, which is required when enabling PRP support.
Add
Adds the user.
Enable Kerberos support for restricted trust environments
Enables Kerberos support for restricted trust environments. Kerberos restricted trust includes trust models with split resource and management Active Directory domains such as Office 365 or other managed service providers. For details about restricted trust configurations, see the SteelHead Deployment Guide - Protocols.
Windows XP clients must use TCP for Kerberos in a one-way trust configuration. By default, Kerberos uses UDP. You must change UDP to TCP in a Registry setting.
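The Username and Active Directory Domain Name controls in the NTLM and Kerberos tables above share the same input rules: at most 20 characters with a fixed set of forbidden characters, translated to uppercase, and a domain name that must not be single-label, with a *.example.com wildcard permitted only for the Kerberos replication user. The validator below is an added example, not Riverbed code; the hostname-label syntax and the rule that at least two labels must follow a wildcard are assumptions, since the page does not state them.

```python
import re

# Characters the appliance rejects in a delegate or replication username
FORBIDDEN_USERNAME_CHARS = set('/\\[]:;|=,+*?<>@"')
MAX_USERNAME_LENGTH = 20
# Hostname label: letters, digits, interior hyphens, 1 to 63 characters
# (assumed; the page does not state a label syntax)
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_username(name):
    """Apply the username rules from the tables: 1 to 20 characters, none of
    the forbidden characters, then uppercase as the appliance does to match
    the registered server realm information."""
    if not name or len(name) > MAX_USERNAME_LENGTH:
        raise ValueError("username must be 1 to 20 characters")
    bad = sorted(set(name) & FORBIDDEN_USERNAME_CHARS)
    if bad:
        raise ValueError("username contains forbidden characters: " + " ".join(bad))
    return name.upper()


def validate_domain(domain, allow_wildcard=False):
    """Reject single-label names such as 'riverbed' (must be 'riverbed.com').
    A leading '*.' wildcard (for example *.nbttech.com) is accepted only where
    the page allows it, that is, for the Kerberos replication user's domain."""
    name = domain.strip().rstrip(".")
    labels = name.split(".")
    if labels and labels[0] == "*":
        if not allow_wildcard:
            raise ValueError("wildcard domain names are not allowed here")
        labels = labels[1:]
    # Whatever follows the wildcard must still be more than one label (assumed)
    if len(labels) < 2:
        raise ValueError("domain must be fully qualified, e.g. riverbed.com")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("invalid domain label: %r" % label)
    return name
```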