Thank you to Paul & Al for the replies. So, from client browser, username & password are sent to exchange server in clear (with SSL to secure them) and on behalf of the user, exchange will use kerberos to authenticate the user to AD ? What settings do I need to ensure this flow ? When I set the authentication of exchange folder to basic authentication in IIS, I see that the username & passwords are sent to exchange, but no kerberos authentication between exchange & AD, there are many ldap requests instead. If I set the authentication to integrated windows authentication, the client browser sends AS-REQ & TGS-REQ directly to AD, which is not how it supposed to work right ? I only have 1 exchange server, so no front end / back end configuration. How can I configure exchange server to use kerberos authentication to AD ? thanks