Mailing List CGatePro@mail.stalker.com Message #92293
From: Andy Kunkle <akunkle@aimengr.com>
Subject: RE: Kerberos - Working!!
Date: Wed, 22 Aug 2007 12:03:02 -0400
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: Microsoft Office Outlook 12.0
Ok, so in case anyone is interested, or was having the same problems I was
with getting Kerberos to work, here's the solution:

I had to go through every combination of ptypes and cryptos and
-TrustEncryp to get it to work.

The key was to run kerbtray from your AD machine. This gives you a clue as
to what kind of encryption it is expecting. If you run that command (Start >
Run > kerbtray), and then open the Tray Icon it creates, you'll see a tab
for "Encryption Types". On the server that was working, it says etype 0, but
on my production AD server it says RSADSI RC4-HMAC. So this means it's
looking for an HMAC key. Then the money shot, if you will, was the following
line:

ktpass -princ imap/mail.server.com@SERVER.COM -mapuser cgatepro@server.com
-pass xxxx -out imapadc.data -crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_HST
-TrustEncryp RC4

Once that was run, I was able to launch Outlook and it logged me in using
Kerberos.

Now I just have to figure out how to get the webmail to work in the same, or
similar fashion...

Hope this helps.

Andy Kunkle
IT Administrator
AIM Engineering & Surveying, Inc.
5300 Lee Blvd
Lehigh Acres, FL 33971
239-332-4569
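The failing log quoted below carries the client's GSSAPI token, and that token already says which key the server must hold: the Kerberos ticket inside the AP-REQ names the service principal, the encryption type (etype) the KDC used for it, and the key version number (kvno). The keytab ktpass writes has to contain a key for the same principal with that etype and kvno; a mismatch is the usual reason for an integrity failure like the "failed to verify data integrity" in the log. The Python below is an added example, not code from the original post or from CommuniGate Pro. It decodes the base64 copied from the quoted log (the log cut the token off after 222 characters, so the parser only reads DER headers and tolerates a truncated body). In that capture the ticket is for imap/mail.aimengr.com@AIMENGR.COM, etype 3 (des-cbc-md5), kvno 2. The etype names and the ktpass -crypto spellings are the documented ones; pairing them in one table is this example's own convenience.

```python
# Added example (not code from the original post or from CommuniGate Pro):
# decode the Kerberos AP-REQ inside an IMAP "AUTHENTICATE GSSAPI" token and
# report the service principal, etype and kvno the ktpass keytab has to match.
import base64

# RFC 3961/4757 etype number -> (Kerberos name, spelling ktpass takes for -crypto).
# Pairing etype numbers with ktpass spellings is this example's own table.
ETYPES = {1: ("des-cbc-crc", "DES-CBC-CRC"), 3: ("des-cbc-md5", "DES-CBC-MD5"),
          17: ("aes128-cts-hmac-sha1-96", "AES128-SHA1"),
          18: ("aes256-cts-hmac-sha1-96", "AES256-SHA1"), 23: ("rc4-hmac", "RC4-HMAC-NT")}
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2 (RFC 1964)

# Token copied from the quoted log line "inp: 00000002 AUTHENTICATE GSSAPI ...",
# rejoined from its wrapped lines; the log cut it off inside the ticket ciphertext.
LOGGED_TOKEN = (
    "YIIFGAYJKoZIhvcSAQICAQBuggUHMIIFA6ADAgEFoQMCAQ6iBwMFACAAAACjggQzYYIELzC"
    "CBCug"
    "AwIBBaENGwtBSU1FTkdSLkNPTaIjMCGgAwIBAqEaMBgbBGltYXAbEG1haWwuYWltZW5nci5"
    "jb22j"
    "ggPuMIID6qADAgEDoQMCAQKiggPcBIID2ByQ3NuBV+tBj6mzg0zfoguf49eDQirC124mWF"
)

def read_tlv(buf, pos):
    """One DER tag/length header -> (tag, value_start, value_end); value_end may exceed len(buf)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                                  # short-form length
        return tag, pos, pos + first
    n = first & 0x7F                                  # long form: n length octets follow
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def expect(buf, pos, tag):
    """read_tlv that checks the tag; returns (value_start, value_end)."""
    got, start, end = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}, got {got:#04x}")
    return start, end

def children(buf, start, end):
    pos = start                                       # walk a constructed value, stopping
    while pos < min(end, len(buf)):                   # quietly where the capture runs out
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def der_int(buf, pos):
    start, end = expect(buf, pos, 0x02)
    return int.from_bytes(buf[start:end], "big", signed=True)

def parse_ticket(buf, pos):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno, realm, sname, enc-part }."""
    seq_pos, _ = expect(buf, pos, 0x61)
    out = {"kvno": None}                              # kvno is OPTIONAL (RFC 4120 5.2.9)
    for tag, s, _ in children(buf, *expect(buf, seq_pos, 0x30)):
        if tag == 0xA1:                               # realm GeneralString
            out["realm"] = buf[slice(*expect(buf, s, 0x1B))].decode("ascii")
        elif tag == 0xA2:                             # sname PrincipalName
            for ptag, qs, _ in children(buf, *expect(buf, s, 0x30)):
                if ptag == 0xA0:
                    out["name_type"] = der_int(buf, qs)
                elif ptag == 0xA1:                    # name-string SEQUENCE OF GeneralString
                    out["sname"] = [buf[vs:ve].decode("ascii") for t, vs, ve
                                    in children(buf, *expect(buf, qs, 0x30)) if t == 0x1B]
        elif tag == 0xA3:                             # enc-part EncryptedData
            for etag, qs, _ in children(buf, *expect(buf, s, 0x30)):
                if etag == 0xA0:
                    out["etype"] = der_int(buf, qs)
                elif etag == 0xA1:
                    out["kvno"] = der_int(buf, qs)
                elif etag == 0xA2:                    # cipher OCTET STRING
                    cs, ce = expect(buf, qs, 0x04)
                    out["cipher_len"] = ce - cs
                    out["cipher_captured"] = max(0, min(ce, len(buf)) - cs)
    return out

def parse_gssapi_ap_req(token_b64):
    """AP-REQ fields inside a GSS-API InitialContextToken (RFC 1964 section 1.1)."""
    buf = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    body, _ = expect(buf, 0, 0x60)                    # [APPLICATION 0]
    oid_start, oid_end = expect(buf, body, 0x06)
    if buf[oid_start:oid_end] != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos V5")
    if int.from_bytes(buf[oid_end:oid_end + 2], "big") != 0x0100:   # TOK_ID KRB_AP_REQ
        raise ValueError("token is not a KRB_AP_REQ")
    seq_pos, _ = expect(buf, oid_end + 2, 0x6E)       # AP-REQ [APPLICATION 14]
    info = {"token_bytes": len(buf)}
    for tag, s, _ in children(buf, *expect(buf, seq_pos, 0x30)):
        if tag == 0xA3:                               # [3] ticket; [4] authenticator not captured
            info.update(parse_ticket(buf, s))
    return info

def keytab_requirement(info):
    """Keytab entry the service needs before it can decrypt this ticket."""
    name, crypto = ETYPES.get(info["etype"], ("unknown", "?"))
    return (f"{'/'.join(info['sname'])}@{info['realm']}: etype {info['etype']} "
            f"({name}), ktpass -crypto {crypto}, kvno {info['kvno']}")

if __name__ == "__main__":
    info = parse_gssapi_ap_req(LOGGED_TOKEN)
    print(info, "\nkeytab must hold:", keytab_requirement(info))
```

Paste the first base64 blob from any other AUTHENTICATE GSSAPI exchange into LOGGED_TOKEN to see what a client is presenting before regenerating anything. The etype printed here and the one kerbtray shows in its Encryption Types tab should agree with the -crypto you gave ktpass; a kvno higher than the one in the keytab means the account password was changed after the keytab was made, and the keytab has to be regenerated.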


> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Andy Kunkle
> Sent: Tuesday, August 21, 2007 9:30 AM
> To: CommuniGate Pro Discussions
> Subject: Kerberos - Again!!
>
> Hey Guys (and Tech support??)
>
> I'm back trying to get Kerberos working on my existing Windows 2003 AD
> server and I cannot get it working. If you recall, I was able to get
> Kerberos to function when I installed a new Win2k3 server and set
> things up.
> My question is, what's the difference?
>
> Below is the log I get when I try to log in. I set everything up the same
> exact way that I did on the test machine but it won't work.
>
> Help!!!!
>
> Andy
>
>
> 09:23:24.320 5 IMAP-000001([192.168.0.132]) out: * OK CommuniGate Pro IMAP Server 5.1.11 at mail.aimengr.com ready\r\n
> 09:23:24.320 5 IMAP-000001([192.168.0.132]) inp: 00000001 STARTTLS
> 09:23:24.320 5 IMAP-000001([192.168.0.132]) out: 00000001 OK begin TLS negotiation\r\n
> 09:23:24.329 5 IMAP-000001([192.168.0.132]) TLS inp 22: (65) 01 00 00 3D 03 01 46 CA E7 88 75 8C 62 7A 26 40 92 21 4B 56 DD 63 05 75 60 BD 0C 65 40 DB B1 96 38 0A 74 42 D2 85 00 00 16 00 04 00 05 00 0A 00 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 00
>
> 09:23:24.329 4 IMAP-000001([192.168.0.132]) TLSv1 client hello: method=RC4_MD5, residual=0, session=3 < 00 00 00 03 46 CA E7 4C 87 5B 37 79 38 52 A9 5C D0 F8 30 EB 47 9D 0C D0 0C 1E CF EF ED 4E 88 66>
> 09:23:24.329 4 IMAP-000001([192.168.0.132]) TLS handshake: sending 'server_hello'
> 09:23:24.329 5 IMAP-000001([192.168.0.132]) TLS out 22: (74) 02 00 00 46 03 01 46 B2 E7 4C 30 30 30 30 A5 BA BE 51 11 11 11 91 CD BA BE 51 11 11 11 8A D2 D6 8E 11 D2 C6 47 44 20 00 00 00 03 46 CA E7 4C 87 5B 37 79 38 52 A9 5C D0 F8 30 EB 47 9D 0C D0 0C 1E CF EF ED 4E 88 66 00 04 00
> 09:23:24.329 4 IMAP-000001([192.168.0.132]) TLS handshake: sending the certificate
> 09:23:24.329 5 IMAP-000001([192.168.0.132]) TLS out 22: (559) 0B 00 02 2B 00 02 28 00 02 25 30 82 02 21 30 82 01 CB 02 02 1E 61 30 0D 06 09 2A 86 48 86 F7 0D 01 01 04 05 00 30 81 B0 31 22 30 20 06 03 55 04 0A 13 19 43 6F 6D 6D 75 6E 69 47 61 74 65 20 53 79 73 74 65 6D 73 2C 20 49 6E 63 2E 31 0B 30
> 09:23:24.329 4 IMAP-000001([192.168.0.132]) TLS handshake: sending 'hello_done'
> 09:23:24.329 5 IMAP-000001([192.168.0.132]) TLS out 22: (4) 0E 00 00 00
> 09:23:24.471 5 IMAP-000001([192.168.0.132]) TLS inp 22: (70) 10 00 00 42 00 40 AD 44 D3 CA 24 D9 77 FA 7E 61 B8 6B EA C1 57 67 4C D2 C0 B1 F6 E6 B3 BF B2 A4 22 CF 7A CA BD 90 AE 9C 7F C2 AB B8 F1 6B D2 E7 39 AB FC D8 B3 25 AE 36 15 AA 62 84 A3 BE BE 30 83 F3 F8 38 15 FC
> 09:23:24.472 4 IMAP-000001([192.168.0.132]) TLS client key exchange processed
> 09:23:24.472 4 IMAP-000001([192.168.0.132]) security initiated
> 09:23:24.472 5 IMAP-000001([192.168.0.132]) TLS inp 20: (1) 01
> 09:23:24.472 4 IMAP-000001([192.168.0.132]) TLS 'change cipher' processed
> 09:23:24.472 4 IMAP-000001([192.168.0.132]) TLS 'change cipher' sending
> 09:23:24.472 5 IMAP-000001([192.168.0.132]) TLS out 20: (1) 01
> 09:23:24.472 5 IMAP-000001([192.168.0.132]) TLS inp 22: (32) FF 2A 6C FE 0C DB 7D 56 9F C5 F0 45 5A DE 16 29 6D C6 E1 48 6B 4F 0F 96 A2 0E 08 4D 5F AD E6 0C
> 09:23:24.472 4 IMAP-000001([192.168.0.132]) TLS 'finish handshake' processed
> 09:23:24.472 4 IMAP-000001([192.168.0.132]) TLS handshake: sending 'finished'
> 09:23:24.472 5 IMAP-000001([192.168.0.132]) TLS out 22: (32) 8E 15 3E 7E C3 E2 FD 93 53 4B 7D 9A 29 E5 60 CB C6 EA 18 AB 88 09 A0 4F 6B 35 63 96 A3 41 1A F2
> 09:23:24.472 4 IMAP-000001([192.168.0.132]) TLS(RC4_MD5) connection accepted for 'mail.aimengr.com', session 3
> 09:23:24.743 5 IMAP-000001([192.168.0.132]) TLS inp 23: (1791) 00 6B 7E DC 2C C9 5D C9 6F B2 4F 75 3C 4E 1C E7 9C 8F 72 6A 7A A1 0D 5A 3A 55 10 86 B4 E5 C3 BE 69 71 90 68 91 B6 10 0A 0E 11 EC 2F 7B 8D 9F 49 B3 CE 77 5A B3 2E 5E E5 5F 1D 32 27 84 D6 29 24 00 98 85 85 74 D1 B1 77 92 84 51 13 21 81 C5
> 09:23:24.744 5 IMAP-000001([192.168.0.132]) inp: 00000002 AUTHENTICATE GSSAPI
> YIIFGAYJKoZIhvcSAQICAQBuggUHMIIFA6ADAgEFoQMCAQ6iBwMFACAAAACjggQzYYIELzCCBCugAwIBBaENGwtBSU1FTkdSLkNPTaIjMCGgAwIBAqEaMBgbBGltYXAbEG1haWwuYWltZW5nci5jb22jggPuMIID6qADAgEDoQMCAQKiggPcBIID2ByQ3NuBV+tBj6mzg0zfoguf49eDQirC124mWF
> 09:23:24.744 5 IMAP-000001([192.168.0.132]) SASL(GSSAPI) ini: 60 82 05 18 06 09 2A 86 48 86 F7 12 01 02 02 01 00 6E 82 05 07 30 82 05 03 A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 04 33 61 82 04 2F 30 82 04 2B A0 03 02 01 05 A1 0D 1B 0B 41 49 4D 45 4E 47 52 2E 43 4F 4D A2 23 30
> 09:23:24.744 5 IMAP-000001([192.168.0.132]) s-out: 00000002 NO Kerberos: failed to verify data integrity\r\n
> 09:23:24.744 5 IMAP-000001([192.168.0.132]) TLS out 23: (71) 13 FC 08 04 74 C0 0A E5 6D 5F 16 84 7F 10 9B 54 3D 05 6D 6B 88 6B 09 1E CF E1 2B 33 26 80 C0 05 9D 92 5D 70 23 C4 9F C4 15 D0 40 57 7F C8 59 2D F8 FE D6 7D 35 37 52 F3 4B DE 03 2D 96 DD F1 D1 10 2C 1C A1 C0 96 27
> 09:23:24.744 3 IMAP-000001([192.168.0.132]) read failed. Error Code=connection closed by peer
>
> Andy Kunkle
> IT Administrator
> AIM Engineering & Surveying, Inc.
> 5300 Lee Blvd
> Lehigh Acres, FL 33971
> 239-332-4569