The Outlook Add-In (OAI) communicates with the Mail Express Server. The OAI can authenticate with the Mail Express Server using Manual Authentication (Basic) or Single Sign On using Kerberos (Windows Authentication). These methods are configured in the OAI user interface and the Mail Express Server administration interface. For information about Kerberos, refer to http://technet.microsoft.com/en-us/library/bb742516.aspx.
When the manual authentication option is selected, the user must supply a username and password in the OAI. Manual authentication is useful in the following scenarios:
Trial use of the software
User is not logged in to the domain (e.g., using a laptop at the airport)
Only a small number of users will be using the system
A Kerberos infrastructure is not available
Active Directory is not available
Manual authentication is performed between the OAI and the Mail Express Server using basic access authentication over HTTPS. If the OAI functionality is enabled on the Mail Express Server (i.e., the “Add-In enabled” setting), the basic authentication option is always provided; the SSO functionality is separate and may be independently disabled. The user account is first authenticated against the manually created internal user list. If the user account cannot be authenticated against the internal user list, it is then authenticated against Active Directory, provided the Active Directory functionality is enabled.
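The lookup order described above (internal user list first, then Active Directory) can be modelled in a few lines. The following is an added example and is not Mail Express product code: the internal user store, the stand-in directory check (fake_ad_check), the sample users and the assumption that any internal-list failure falls through to Active Directory are all constructed for illustration. It also shows why the Basic scheme must only be used over HTTPS: the Authorization header carries the username and password in reversible base64, so anything that sees the request in clear sees the credentials.

```python
# Added example, not part of the Mail Express product. Models manual (Basic)
# authentication with the documented order: internal user list, then AD.
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 so the internal list never stores clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_internal_user(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


# Constructed sample internal user list (assumption): username -> (salt, digest).
INTERNAL_USERS = {
    "alice": make_internal_user("internal-secret"),
}


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value an OAI-style client would send."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an RFC 7617 Basic header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id must not contain a colon, the password may.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def check_internal(username: str, password: str) -> bool:
    entry = INTERNAL_USERS.get(username)
    if entry is None:
        return False
    salt, digest = entry
    # Constant-time compare avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), digest)


def fake_ad_check(username: str, password: str) -> bool:
    # Constructed stand-in for a directory bind; a real server would bind to AD.
    return (username, password) == ("bob", "domain-secret")


def authenticate(header: Optional[str], ad_enabled: bool,
                 ad_check: Callable[[str, str], bool]) -> Optional[str]:
    """Return which store accepted the credentials ('internal', 'ad') or None."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    username, password = creds
    if check_internal(username, password):
        return "internal"
    # Assumption: any internal-list failure falls through to AD when enabled.
    if ad_enabled and ad_check(username, password):
        return "ad"
    return None


if __name__ == "__main__":
    hdr = basic_header("alice", "internal-secret")
    # The header is only encoded, not encrypted: decoding it yields the password.
    print("decoded header:", parse_basic_header(hdr))
    print("alice:", authenticate(hdr, True, fake_ad_check))
    print("bob (AD on):", authenticate(basic_header("bob", "domain-secret"), True, fake_ad_check))
    print("bob (AD off):", authenticate(basic_header("bob", "domain-secret"), False, fake_ad_check))
```

Running the block shows that a user present only in the directory is rejected when the Active Directory functionality is disabled, which is the behaviour the paragraph describes, and that decoding the header recovers the clear-text password, which is why the product restricts this scheme to HTTPS.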
The Single Sign On (SSO) functionality depends on the Active Directory functionality being enabled and configured properly; it will not function without it. Single Sign On uses Kerberos to authenticate the OAI to the Mail Express Server without users having to provide credentials. Single Sign On will not function for clients that are on the same computer as the Mail Express Server. Typically, you will not run Outlook on the same computer as the Mail Express Server; however, if you test SSO with a web browser on the server itself, it will not work. This is a limitation of clients that are local to the server: they attempt to connect using NTLM rather than Kerberos.
The benefits of using Windows Authentication with Mail Express include:
The Add-In does not need to store any credentials for authenticating.
Aside from ensuring that each user has a domain account, an organization does not need to manually create and maintain additional credentials for each Mail Express user.
The credentials are not passed between the Add-In and the Mail Express Server.