Setting up delegation mode for encrypted MAPI when using Windows 7 platforms

Categories: Principal Article, MAPI, SteelHead (Appliance)
Solution Number: S14828


When enabling optimization for encrypted MAPI on Windows 7 clients, you need to perform some additional configuration steps.

To get started with the process, follow the steps in the article Optimizing Encrypted MAPI Traffic. Beyond those basic steps, if you are optimizing MAPI clients on newer Windows versions, such as Windows 7, you need to use delegation mode. Delegation Mode enables optimization of encrypted MAPI RPC traffic by authenticating using Kerberos delegation architecture.

Configuring Delegation Mode
Configuring Delegation Mode requires configuring an Active Directory user on the Windows Domain Controller. Typical steps when setting up a Service Principal Name (SPN) for a domain user for encrypted MAPI include this command (run from a command prompt after installing Windows support tools):

setspn -A exchangeMDB/delegate delegate_user 

where delegate_user identifies the user account. This creates an extra tab on that user's account in Active Directory Users and Computers, named Delegation:

Configuring permissions for the delegate user
For detailed information on configuring permissions for the delegate user, see pages 151-155 in the Steelhead Management Console User's Guide.

Scenario 1
You are already using Delegation mode for CIFS SMB signing and want to use the same account for Delegation mode while optimizing encrypted MAPI from Windows 7.
You can use the existing account. You do not need to run other Windows commands for this account. You do need to add the service type of exchangeMDB for the required MS Exchange server. To do this:

  1. Access the properties of the delegate user account and navigate to the Delegation tab.
  2. Click Add and click Users or Computers.
  3. Specify the MS Exchange servers that require the access from the Windows 7 clients.
  4. Select the service type of exchangeMDB and click OK. This displays the selected servers.


Scenario 2
You do not use Delegation mode or are using Transparent mode for CIFS Signing. Windows 7 encrypted MAPI needs to use Delegation mode. Install the Windows support tools to a domain controller. Once installed on the domain controller, from a Windows command prompt, run the setspn command against the Active Directory user designated for encrypted MAPI (in this example, delegate_user):

setspn -A exchangeMDB/delegate delegate_user

Note: The default install location for the Windows support tools is: c:\program files\support tools>. You can access a Windows command prompt from Start > Programs > Windows Support Tools menu to this location. From here, follow the last steps from scenario one, adding the service type of exchangeMDB for each MS Exchange server that will be accessed by a Windows 7 client.

Note: If you have multiple domain controllers, you will need to wait for the changes to propagate or you can force a syncronization.

From the server-side Steelhead, go to the MAPI page in the Steelhead web interface and specify delegation mode:

Add this account to the server-side Steelhead in the Windows Domain Auth page:


Add the specific MS Exchange servers to the appropriate fields under the Server Rules section. Save the policy and restart the service. Optimization for Windows 7 clients and encrypted MAPI is now enabled.

Additional Information
You can use separate accounts for CIFS SMB signing and Windows 7 Encrypted MAPI optimization. For an account to be used for SMB signing only, use the setspn syntax:

setspn -A cifs/delegate delegate_user
Specify the account and CIFS serves to use with this account on the Windows Domain Auth page in the Steelhead web interface. For an account to be used for Encrypted MAPI only, use the setspn syntax:
setspn -A exchangeMDB/delegate delegate_user
Specify the account and Exchange servers to use with this account on the Windows Domain Auth page in the Steelhead web interface.

Note: The differences between these accounts appears in Active Directory Users and Computers - Delegation tab.


Product Version(s): 6.1.0 and above

NOTICE: Riverbed® product names have changed. Please refer to the Product List for a complete list of product names.
Last Modified: 2020-06-17
Can't find an answer? Create a case