How about this: Set up a mock FE/BE scenario and run a network trace. Keep in mind that regardless of the forms-based vs. pop-up auth you use, the only expected difference in the process is that your clients will be able to cache credentials on the local workstation if they wanted. Forms-based auth prevents that.

The authentication mechanisms you're after live in IIS, so that's the next place to get to. The choices it has are to locally auth, domain auth using domain policy (either NTLM or Kerb), but because it's a member of the domain already, Kerb would be expected to the Active Directory. Not necessarily to the BE server.

One other thing that may be helpful here: Tell us why you want Kerberos auth vs. any other? What's the risk you're trying to mitigate here, because there may be another way that doesn't take so much of your time.

If that fails to get the results you need, it might be worthwhile to open a support call with Microsoft to have them research it and give you a definitive answer. I suspect that for your purposes, you'll still end up testing it on the wire though :)

Al

-----Original Message-----
From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
Sent: Tuesday, August 31, 2004 7:52 AM
To: [ExchangeList]
Subject: [exchangelist] RE: form based auth using kerberos ?

http://www.MSExchange.org/

> You would need a front-end/back-end solution IIRC. The use of
> Kerberos authentication occurs after you set integrated
> authentication, but you can't do that for the anonymous users on the
> internet. Hence, clear-text auth is usually recommended.

Yes, I agree. I have to use basic authentication with SSL enabled between browser and Exchange.

> Have you checked out some of the docs on
> http://www.microsoft.com/exchange/library for some additional
> deployment suggestions for this scenario?

As suggested, I have read some docs in the Microsoft library.
Kerberos auth is used by the front end to send user credentials to the back end to get the mailbox, but the front end still needs to authenticate the user to AD, and so does the back end. So the flow will be:

front end -- ? --> AD
front end -- kerberos --> back end
back end -- ? --> AD

(based on article: http://www.winnetmag.com/Article/ArticleID/40371/40371.html)

From the net, I can only know that an RPC call is used for communication from the front end to AD. But how does the user authentication process actually work? I'm still clueless about the "? protocol" used here. What is the default? Can I use Kerberos?

So if my understanding is right, even using FE/BE won't guarantee that I can authenticate users using Kerberos, right? If Kerberos can't work with form-based auth, what about non-form-based auth, can Exchange use Kerberos to authenticate users to AD?

Once again, thanks for your help.

lara
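
The on-the-wire check suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that classifies HTTP `Authorization` header values copied out of a network trace as Basic, NTLM or Kerberos by looking at the mechanism inside the token. The function name and the sample header values are constructed for illustration; it only inspects the initial token of a handshake and covers the HTTP hops, not the RPC traffic to AD.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside a GSS-API/SPNEGO token.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (MS variant)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
NTLMSSP = b"NTLMSSP\x00"

def classify_authorization(value):
    """Classify one Authorization header value: basic, ntlm, kerberos or unknown."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("ntlm", "negotiate"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "unknown"
    if token.startswith(NTLMSSP):
        return "ntlm"  # raw NTLMSSP is also legal under "Negotiate"
    if token[:1] != b"\x60":  # not a GSS-API initial token (e.g. a later leg)
        return "unknown"
    # The mechanism OID that appears first is the one the client prefers.
    hits = [(token.find(oid), name) for oid, name in MECH_OIDS.items() if oid in token]
    return min(hits)[1] if hits else "unknown"

def _tlv(tag, body):
    """Minimal DER TLV builder (short-form lengths) for the constructed samples."""
    return bytes([tag, len(body)]) + body

_b64 = lambda raw: base64.b64encode(raw).decode()

# Constructed sample values, not captured traffic. The SPNEGO sample lists the
# Kerberos OIDs ahead of NTLM in its mechType list.
_inner = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, b"".join(MECH_OIDS)))))
_spnego = _tlv(0x60, bytes.fromhex("06062b0601050502") + _inner)  # SPNEGO OID 1.3.6.1.5.5.2
SAMPLES = {
    "Basic " + _b64(b"user:password"): "basic",
    "Negotiate " + _b64(_spnego): "kerberos",
    "Negotiate " + _b64(NTLMSSP + b"\x01\x00\x00\x00"): "ntlm",
    "NTLM " + _b64(NTLMSSP + b"\x01\x00\x00\x00"): "ntlm",
}
```

A `Negotiate` header alone does not prove Kerberos was used, since the same scheme can carry NTLM; the token contents decide.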