For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kayjay88's avatar
Kayjay88
Icon for Nimbostratus rankNimbostratus
Oct 21, 2025

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

Hi Team,   We’re running Microsoft Exchange Server 2016 CU24 on Windows Server 2019, and have enabled Kerberos (Negotiate) authentication due to NTLM being deprecated in F5 Cloud WAF.   Environme...
authentication
cloud
email
exchange2016
management
Codebydv's avatar
Codebydv
Icon for Nimbostratus rankNimbostratus
Oct 25, 2025

To enable authentication externally via XC/WAF, configure F5 APM to use Entra ID (or another external IdP) for user auth via SAML or OAuth, instead of negotiating NTLM/Kerberos at the front end — since the WAF will interfere with that exchange.

Once APM consumes the SAML/OAuth token, it can extract the user’s identity and use Kerberos Constrained Delegation (KCD) to request service tickets (TGTs) and present them to Exchange on behalf of the user.

APM acts as the SAML SP for Entra ID and uses Kerberos Constrained Delegation to grab tickets on behalf of the user.

If you haven’t seen it, check out the lab below — it walks through the F5 APM ↔ Entra ID ↔ KCD setup step-by-step: 

https://clouddocs.f5.com/training/community/iam/html/class1/module3/lab01.html#task-1-publish-and-protect-bluesky-app