Enable Kerberos or use TLS 1.2?

  • Question

  • I have an Exchange 2016 environment with a mix of Outlook 2010 and Outlook 2016 clients on Windows 7. All clients connect with Mapi over HTTP.

    I've successfully set up the clients to connect with TLS 1.2, but I'm wondering whether I should also set up Kerberos (https://technet.microsoft.com/en-us/library/ff808312(v=exchg.160).aspx)? The servers are load balanced with a Citrix Netscaler.

    Thursday, June 14, 2018 9:34 PM

Answers

  • Having looked into this further I found that the Outlook clients will show the connection as 'negotiate' by default in Exchange 2016, but this doesn't mean Kerberos is being used. Instead you need to follow the article and then check by running klist on the server.

    In my case it was further complicated because the DNS record was actually a CNAME record for a different name, so I had to add both to the ASA account SPNs.

    Enable Kerberos article - https://technet.microsoft.com/en-us/library/ff808312(v=exchg.160).aspx


    • Marked as answer by DPFY Tuesday, July 24, 2018 9:16 PM
    • Edited by DPFY Tuesday, July 24, 2018 9:16 PM typo
    Tuesday, July 24, 2018 9:16 PM
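    A verification script for the point made in the accepted answer, added here as an example (it is not from the thread or from Microsoft's article): it walks the CNAME chain of the client-facing name so that both the alias and its target are checked, confirms each name's http/ SPN is on the ASA account, and then looks for a Kerberos ticket in the session's cache. The namespace and ASA account names are assumed placeholders.

    ```powershell
    # Added example, not code from the thread. Placeholders: replace with your own values.
    $Namespace  = 'mail.example.com'     # assumed client-facing MAPI/HTTP name
    $AsaAccount = 'EXCH2016ASA$'         # assumed ASA computer account (keep the trailing $)

    # Collect the namespace plus every CNAME target it resolves through.
    # Kerberos builds the SPN from the resolved name, so an alias and its
    # CNAME target each need their own SPN on the ASA account.
    $names   = [System.Collections.Generic.List[string]]::new()
    $current = $Namespace
    while ($true) {
        $names.Add($current)
        $cname = Resolve-DnsName -Name $current -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
        if (-not $cname) { break }          # reached an A/AAAA record, chain ends
        $current = $cname.NameHost
    }

    # SPNs currently registered on the ASA account (setspn -L prints one per line).
    $registered = setspn -L $AsaAccount |
                  ForEach-Object { $_.Trim() } |
                  Where-Object { $_ -match '/' }

    # MAPI over HTTP, EWS, OAB and Autodiscover all authenticate against http/<name>.
    foreach ($n in $names) {
        $spn = "http/$n"
        if ($registered -contains $spn) {
            "OK       $spn"
        } else {
            "MISSING  $spn   (register with: setspn -S $spn $AsaAccount)"
        }
    }

    # 'Negotiate' in the Outlook connection status does not prove Kerberos was used;
    # a ticket for http/<name> in the cache does. klist shows the cache of the
    # session it runs in, so run it as the user whose connection you are checking.
    klist | Select-String -Pattern 'http/'
    ```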

All replies

  • Hi,

    To begin answering your question, I recommend viewing the article below about Kerberos, SSL and TLS:
    Kerberos vs. SSL/TLS. What’s the Buzz?
    Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    On the Exchange side, if you want to configure Exchange with the same namespaces and URLs, please follow the steps in the link you provided to configure the ASA and SPNs for the Exchange services, and deploy Kerberos for the LB.

    Best Regards,
    Allen Wang

    Friday, June 15, 2018 7:43 AM
  • I'm aware of the differences between TLS and Kerberos. Really I'm asking if there is still an issue with NTLM and scalability on Exchange 2016?
    Friday, June 15, 2018 6:10 PM
  • NTLM works fine with Exchange 2016.

    Do you experience any special problem with it?

    Best Regards,
    Allen Wang

    Wednesday, June 20, 2018 9:46 AM
  • To answer my own question, Exchange 2016 appears to have Kerberos by default.
    • Marked as answer by DPFY Wednesday, June 20, 2018 10:44 PM
    • Unmarked as answer by DPFY Tuesday, July 24, 2018 9:16 PM
    Wednesday, June 20, 2018 10:44 PM