Forum Discussion
Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF
- Oct 25, 2025
To enable authentication externally via XC/WAF, configure F5 APM to use Entra ID (or another external IdP) for user auth via SAML or OAuth, instead of negotiating NTLM/Kerberos at the front end — since the WAF will interfere with that exchange.
Once APM consumes the SAML/OAuth token, it can extract the user’s identity and use Kerberos Constrained Delegation (KCD) to request service tickets (TGTs) and present them to Exchange on behalf of the user.
APM acts as the SAML SP for Entra ID and uses Kerberos Constrained Delegation to grab tickets on behalf of the user.
If you haven’t seen it, check out the lab below — it walks through the F5 APM ↔ Entra ID ↔ KCD setup step-by-step:
https://clouddocs.f5.com/training/community/iam/html/class1/module3/lab01.html#task-1-publish-and-protect-bluesky-app
Hello Kayjay88,
Thanks for posting to our community! I noticed that there was a good amount of information provided from members and wanted to see if there was an update you can provide or if you were needing additional assistance. If the answers you have received did get you the details needed, we would love to see the post marked as solved with what got you there. This will help you and others that may come across this in the future.
-Melissa
