About Windows domain authentication
Enabling secure traffic optimization requires communication between server-side SteelHeads and domain controllers. When properly configured, SteelHead can accelerate secure connections in Microsoft environments where:
• Windows file servers use signed SMB (or SMB2/3) for file sharing to Microsoft Windows clients.
• Microsoft Exchange Servers provide encrypted MAPI connections to Microsoft Outlook clients.
• Microsoft Internet Information Services (IIS) servers serve HTTP or HTTP-based web applications.
We recommend WinSec Controller for controller-to-SteelHead communication. However, if you’re using NTLM authentication, you’ll need to join your server-side SteelHead as a trusted entity on the relevant domains.
Active Directory automatic configuration provides a set of Management Console widgets that simplify the SteelHead configuration needed to accelerate traffic in a secure environment, and a set of domain health status commands that help troubleshoot and report possible problems with an appliance in a Windows domain environment.
Easy Config configures the appliance to join the Windows Active Directory Domain.
Auto Config configures the following accounts and privileges:
Configure Delegation Account: Configures the deployed delegation account with AD delegation privileges. This is a legacy configuration that has been deprecated.
Add Delegation Servers: Configures a list of Exchange and CIFS servers with permission to delegate AD access privileges.
Remove Delegation Servers: Removes Exchange and CIFS servers from the list. This is a legacy configuration that has been deprecated.
Before you join SteelHead to a domain, verify these items:
• Fully qualified domain name (FQDN), which must be the same as the name that appears in your domain name service (DNS).
• Domain’s short (NetBIOS) name. You must explicitly specify the short name if it doesn’t match the far left portion of the FQDN.
• Primary or auxiliary interface for the server-side SteelHead is routable to the DNS and the domain controller.
• For CIFS, ping the server-side SteelHead, by name, from a CIFS server joined to the same domain that the SteelHead has joined.
• For CIFS, you must be able to ping the domain controller, by name, from the server-side SteelHead. If you can’t, ensure that the appliance’s host settings for DNS are correct.
After you raise the domain level, you may not be able to lower it.
When joining an appliance to a domain, it is vital to set the correct time zone. The most common reason for failing to join a domain is a significant difference in system time between the Windows domain controller and the SteelHead. When the clocks on the domain controller and the appliance don’t match, this error message appears:
lt-kinit: krb5_get_init_creds: Clock skew too great
We recommend using Network Time Protocol (NTP) servers for synchronization.
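The pre-join checklist above (FQDN versus NetBIOS short name, domain controller reachable by name) and the clock-skew failure can be scripted as a preflight check. This is an added example, not Riverbed tooling; it assumes Kerberos' default five-minute skew tolerance and uses name resolution with an injectable resolver as the offline stand-in for "ping the domain controller by name".

```python
"""Pre-join checks for a server-side SteelHead joining a Windows domain
(example code, not Riverbed's tooling): FQDN/NetBIOS short-name rule,
domain controller reachable by name, and the clock skew behind the kinit error."""
from datetime import datetime
import socket

MAX_KERBEROS_SKEW_SECONDS = 300  # assumption: Kerberos' default 5-minute tolerance
CLOCK_SKEW_MARKER = "Clock skew too great"  # text of the kinit failure quoted above

def default_short_name(fqdn: str) -> str:
    """NetBIOS name assumed when none is given: the far-left label of the FQDN."""
    return fqdn.strip(".").split(".")[0].upper()

def short_name_needs_override(fqdn: str, netbios: str) -> bool:
    """True when the real NetBIOS name differs from the FQDN's first label,
    which is exactly the case where the short name must be set explicitly."""
    return default_short_name(fqdn) != netbios.strip().upper()

def clock_skew_seconds(dc_time: datetime, appliance_time: datetime) -> float:
    """Absolute offset between domain controller and appliance clocks."""
    return abs((dc_time - appliance_time).total_seconds())

def is_clock_skew_error(log_line: str) -> bool:
    """Recognise the 'Clock skew too great' failure in a join log line."""
    return CLOCK_SKEW_MARKER in log_line

def resolves(name: str, resolver=socket.gethostbyname) -> bool:
    """First half of 'ping the DC by name'; resolver is injectable for offline runs."""
    try:
        resolver(name)
        return True
    except OSError:
        return False

def preflight(fqdn: str, netbios: str, dc_name: str, dc_time: datetime,
              appliance_time: datetime, resolver=socket.gethostbyname) -> list:
    """Return the list of problems found; an empty list means the checks passed."""
    problems = []
    if short_name_needs_override(fqdn, netbios):
        problems.append(f"short name {netbios} differs from FQDN label "
                        f"{default_short_name(fqdn)}: specify it explicitly")
    if not resolves(dc_name, resolver):
        problems.append(f"{dc_name} does not resolve: check DNS host settings")
    skew = clock_skew_seconds(dc_time, appliance_time)
    if skew > MAX_KERBEROS_SKEW_SECONDS:
        problems.append(f"clock skew {skew:.0f}s exceeds {MAX_KERBEROS_SKEW_SECONDS}s:"
                        " check time zone and NTP")
    return problems
```

Run `preflight(...)` with the appliance's real FQDN, short name and a domain controller name before attempting the join; each returned string maps to one item of the checklist above.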
For details, go to Knowledge Base article S25759.