Mailing List CGatePro@mail.stalker.com Message #92299
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: Kerberos - Working!!
Date: Wed, 22 Aug 2007 11:00:43 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
> Ok, so in case anyone is interested, or was having the same
> problems I was
> with getting Kerberos to work, here's the solution:
>
> I had to go through every combination of ptypes and crypto's and
> -TrustEncryp to get it to work.
>
> The key was to run kerbtray from your AD machine. This gives
> you a clue as
> to what kind of encryption it is expecting. If you run that
> command (Start >
> Run > kerbtray), and then open the Tray Icon it creates,
> you'll see a tab
> for "Encryption Types". On the server that was working, it
> says etype 0, but
> on my production AD server it says RSADSI RC4-HMAC. So this means it's
> looking for a HMAC key. Then the money shot if you will was
> the following
> line:
>
> ktpass -princ imap/mail.server.com@SERVER.COM -mapuser
> cgatepro@server.com
> -pass xxxx -out imapadc.data -crypto RC4-HMAC-NT -ptype
> KRB5_NT_SRV_HST
> -TrustEncryp RC4

Nice thought. How do I get a ktpass command that accepts RC4-HMAC-NT and the
-TrustEncryp option? Is that part of Win2K3 SP2? We're currently at SP1
here.


>
> Once that was run, I was able to launch Outlook and it logged
> me in using
> Kerberos.
>
> Now I just have to figure out how to get the webmail to work
> in the same, or
> similar fashion...
>
> Hope this helps.


Thanks,
Bret



Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster