When using KCD with NTLM, the recommended best practice is to enable NTLM Proxy Mode in the System Configuration > Miscellaneous Options > L7 Configuration settings. NTLM Proxy Mode increases the security of Client Authentication by proxying NTLM Authentication with the Real Server. Authentication is verified by validating that a successful NTLM handshake has taken place with the Real Server before performing the proceeding steps (such as performing the required Server Side Kerberos Authentication where the Server Side configuration is set to KCD). This requires that the Real Server support NTLM Authentication. The legacy “NTLM” user authentication mode verified user credentials through a configured LDAP endpoint. With NTLM Proxy Mode, the Client Side SSO configuration only requires an LDAP endpoint in the case where Permitted Groups or Steering Groups are in use.