Hi,

Can anyone help me confirm whether the following flow of Kerberos authentication for OWA 2003 is correct? In the Directory Security tab, I only enabled Integrated Windows Authentication for the Exchange web site.

Let's say there are 3 parties involved:

- AD (on Windows 2000 Server)
- Exchange Server 2003
- Windows XP as a testing client

The three machines are in the same Windows domain.

Since the IE that the user uses to access his/her mailbox and the IIS on the Exchange server are both Kerberized, when a user tries to open the OWA website, he/she will first need to authenticate him/herself to the Exchange web server using Kerberos. This is done by getting a ticket for the web server from the KDC. On behalf of the user, the web server will then send a TGS-REQ to the Windows KDC to get a ticket for the LDAP service. The LDAP service ticket is used as GSSAPI in the LDAP request from Exchange to AD to get information about the user's mail account.

Briefly, this is what happens:

1. AS-REQ from user to TGS service to get a TGT
2. AS-REP from TGS service
3. TGS-REQ from user to get a ticket for the HTTP service of the web server
4. TGS-REP from TGS service
5. TGS-REQ from web server for service LDAP to access AD
6. TGS-REP from TGS service, which contains a ticket for service LDAP
7. LDAP request to get user account info like the mailbox location etc. The ticket for service LDAP is used as the GSSAPI token for LDAP authentication.

It's really important for me to understand how the flow of Kerberos actually works for OWA 2003. Can anybody share his/her ideas?

Thanks