Mailing List CGatePro@mail.stalker.com Message #92302
From: Andy Kunkle <akunkle@aimengr.com>
Subject: RE: Kerberos - Working!!
Date: Thu, 23 Aug 2007 08:15:42 -0400
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: Microsoft Office Outlook 12.0
What version of ktpass does your machine show? Mine is 5.2.3790.1830.

I'm wondering if it's something to do with that. If I type:

Ktpass -?  It lists the following:

---------------------most useful args
[- /]          out : Keytab to produce
[- /]        princ : Principal name (user@REALM)
[- /]         pass : password to use
                     use "*" to prompt for password.
[- +]      rndPass : ... or use +rndPass to generate a random password
[- /]      minPass : minimum length for random password (def:15)
[- /]      maxPass : maximum length for random password (def:256)
---------------------less useful stuff
[- /]      mapuser : map princ (above) to this user account (default: don't)
[- /]        mapOp : how to set the mapping attribute (default: add it)
[- /]        mapOp :  is one of:
[- /]        mapOp :        add : add value (default)
[- /]        mapOp :        set : set value
[- +]      DesOnly : Set account for des-only encryption (default:don't)
[- /]           in : Keytab to read/digest
---------------------options for key generation
[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : for compatibliity
[- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
[- /]        ptype : principal type in question
[- /]        ptype :  is one of:
[- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /]        ptype : KRB5_NT_SRV_INST : user service instance
[- /]        ptype : KRB5_NT_SRV_HST : host service instance
[- /]         kvno : Override Key Version Number
                     Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
[- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
[- /]       Target : Which DC to use.  Default:detect
---------------------options for trust attributes (Windows Server 2003 Sp1 Only
[- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
[- /]  TrustEncryp : Trust Encryption to use; DES is default
[- /]  TrustEncryp :  is one of:
[- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)
[- /]  TrustEncryp :        DES : go back to DES

So I have the option for a -crypto RC4-HMAC-NT

If you don't have this, I can upload the file to my site for you to grab...

Andy Kunkle
IT Administrator
AIM Engineering & Surveying, Inc.
5300 Lee Blvd
Lehigh Acres, FL 33971
239-332-4569

> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Bret Miller
> Sent: Wednesday, August 22, 2007 2:01 PM
> To: CommuniGate Pro Discussions
> Subject: Re: Kerberos - Working!!
>
> > Ok, so in case anyone is interested, or was having the same
> > problems I was
> > with getting Kerberos to work, here's the solution:
> >
> > I had to go through every combination of ptypes and crypto's and
> > -TrustEncryp to get it to work.
> >
> > The key was to run kerbtray from your AD machine. This gives
> > you a clue as
> > to what kind of encryption it is expecting. If you run that
> > command (Start >
> > Run > kerbtray), and then open the Tray Icon it creates,
> > you'll see a tab
> > for "Encryption Types". On the server that was working, it
> > says etype 0, but
> > on my production AD server it says RSADSI RC4-HMAC. So this means
> it's
> > looking for a HMAC key. Then the money shot if you will was
> > the following
> > line:
> >
> > ktpass -princ imap/mail.server.com@SERVER.COM -mapuser
> > cgatepro@server.com
> > -pass xxxx -out imapadc.data -crypto RC4-HMAC-NT -ptype
> > KRB5_NT_SRV_HST
> > -TrustEncryp RC4
>
> Nice thought. How do I get a ktpass command that accepts RC4-HMAC-NT
> and the
> -TrustEncryp option? Is that part of Win2K3 SP2? We're currently at SP1
> here.
>
>
> >
> > Once that was run, I was able to launch Outlook and it logged
> > me in using
> > Kerberos.
> >
> > Now I just have to figure out how to get the webmail to work
> > in the same, or
> > similar fashion...
> >
> > Hope this helps.
>
>
> Thanks,
> Bret
>
>
>
>
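The thread turns on one question: does the key ktpass wrote into the keytab use the encryption type the domain controller is actually issuing tickets with (RC4-HMAC-NT, enctype 23, versus the DES types)? Rather than cycling through every -crypto/-ptype combination, you can open the keytab file itself and read the enctype, kvno and principal type of each entry. The following Python script is an added example written for this page, not code from the thread or from CommuniGate Pro or Microsoft. It parses the MIT version-2 keytab layout (magic bytes 0x05 0x02) that ktpass /out produces, and, because it has to run offline, also contains a small writer used only to construct a sample keytab with dummy key bytes; the principal names and the enctype/name-type numbers are from the Kerberos registries, the helper names (parse_keytab, principals_missing_enctype, build_keytab) are this example's own.

```python
import struct
from dataclasses import dataclass

# Enctype and name-type numbers from the Kerberos registries; the three ktpass
# -crypto names in the thread map to 1, 3 and 23, the three -ptype names to 1, 2 and 3.
ENCTYPE_NAMES = {
    1: "DES-CBC-CRC",
    3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC-NT",
}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "imap/mail.server.com@SERVER.COM"
    name_type: int
    kvno: int
    enctype: int
    key_len: int     # key bytes are deliberately not retained, only their length

    def describe(self) -> str:
        return (f"{self.principal} kvno={self.kvno} "
                f"enctype={ENCTYPE_NAMES.get(self.enctype, '?')}({self.enctype}) "
                f"ptype={NAME_TYPES.get(self.name_type, '?')}")


def _counted(buf: bytes, pos: int):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> list:
    """Parse an MIT-format version-2 keytab (magic 0x0502), the format ktpass /out writes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:             # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode("utf-8"))
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen          # step over the key material without keeping it
        kvno = vno8
        if end - pos >= 4:       # optional 32-bit kvno overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode("utf-8"),
                                   name_type, kvno, enctype, klen))
    return entries


def principals_missing_enctype(entries, wanted: int) -> list:
    """Principals that have no key of the enctype the KDC is issuing tickets with (kerbtray's 'Encryption Types')."""
    have = {e.principal for e in entries if e.enctype == wanted}
    return sorted({e.principal for e in entries} - have)


def _pack_counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(specs) -> bytes:
    """Write a version-2 keytab from (principal, name_type, kvno, enctype, key) tuples.
    Present only to construct sample input offline; real keytabs come from ktpass."""
    out = b"\x05\x02"
    for princ, name_type, kvno, enctype, key in specs:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_counted(realm.encode())
        for c in comps:
            body += _pack_counted(c.encode())
        body += struct.pack(">IIB", name_type, 1187856942, kvno & 0xFF)   # constructed timestamp
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: the thread's principal with an RC4-HMAC-NT key (enctype 23) and
# KRB5_NT_SRV_HST, plus a second entry that only carries a DES-CBC-MD5 key. Dummy key bytes.
SAMPLE_KEYTAB = build_keytab([
    ("imap/mail.server.com@SERVER.COM", 3, 3, 23, bytes(range(16))),
    ("http/mail.server.com@SERVER.COM", 3, 1, 3, bytes(8)),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e.describe())
    print("no RC4-HMAC-NT key:", principals_missing_enctype(entries, 23))
```

Run it against the file named by -out (for example `parse_keytab(open("imapadc.data", "rb").read())`) and compare the reported enctype with what kerbtray shows on the domain controller; an entry whose enctype is 1 or 3 while the DC reports RSADSI RC4-HMAC is the mismatch the thread describes. The script never prints or stores key bytes, so its output is safe to paste into a ticket.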
