Windows domain authentication
This section describes how to configure a SteelHead to optimize in an environment where there are:
Microsoft Windows file servers using signed SMB or signed SMB2/3 for file sharing to Microsoft Windows clients.
Microsoft Exchange Servers providing an encrypted MAPI communication to Microsoft Outlook clients.
Microsoft Internet Information Services (IIS) web servers running HTTP or HTTP-based web applications such as SharePoint 2007.
Optimization in a secure Windows environment has changed with each software version of RiOS. For details, go to Knowledge Base article S25759.
RiOS 8.5 and later support:
Kerberos trust authentication as an alternative to creating and using a specific Kerberos replication user. This alternative is useful in trust models with split resource and management Active Directory domains such as Office 365 or other managed service providers.
A set of domain health status commands that serves as a troubleshooting tool to identify, diagnose, and report possible problems with a SteelHead within a Windows domain environment. For details, see Checking domain health.
A set of widgets that simplify the SteelHead configuration necessary to optimize traffic in a secure environment.
SteelHeads support end-to-end Kerberos authentication for these secure protocols:
SMB signing
SMB2/3 signing
Encrypted MAPI/Outlook Anywhere
HTTP
SteelHeads protect authentication credentials for delegate and replication users by storing them in the SteelHead secure vault. The secure vault contains sensitive information about your SteelHead configuration.
You must unlock the secure vault to view, add, remove, or edit any replication or delegate user configuration details that are stored on the SteelHeads. The system initially locks the secure vault on a new SteelHead with a default password known only to RiOS. This lock allows the SteelHead to automatically unlock the vault during system startup. You can change the password, but the secure vault then doesn’t automatically unlock on startup.
For details, see Unlocking the secure vault.
To migrate previously configured authentication credentials to the secure vault after upgrading from RiOS version 6.5.x or earlier, unlock the secure vault and then enter this CLI command at the system prompt:
protocol domain-auth migrate
For details, see the Riverbed Command-Line Interface Reference Manual.
Windows 7 clients can use Kerberos authentication for maximum security. Kerberos authentication requires both NTLM authentication (either transparent mode) along with Kerberos authentication (if desired).