I'd like to do Kerberos auth of clients (where possible) and SSO to Exchange CAS servers. Today it's set up using Basic+NTLM auth. It works, but I would like to swap NTLM for Kerberos while we're setting up new CAS servers. I don't fully understand the purpose of the Exchange profile, what it exactly does and when. Looking though its settings, there is only Basic and NTLM to choose from for various URIs. For OWA as an example, I'd like to do client kerberos auth by creating an AP with a 401 basic+negotiate agent and following negotiate a Kerberos Auth agent. Would I set the owa options in the Exchange profile to "basic" and then the magic of the exchange profile kicks in when APM does a 401 Basic auth with the client, which hopefully never happens?