Mailing List CGatePro@mail.stalker.com Message #92303
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: Kerberos - Working!!
Date: Thu, 23 Aug 2007 08:58:57 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
Thanks for the offer, but I just downloaded a new version from Microsoft
that had it. However, with any of the crypto and TrustEncryp options, I
still get:

8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed 0x80090303:
8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2217) : check failed 0x80040119:

I didn't try overriding the kvno, but that hasn't helped in the past.

Oh well, it was worth another try.

Bret


> What version of ktpass does your machine show? Mine is 5.2.3790.1830.
>
> I'm wondering if it's something to do with that. If I type:
>
> Ktpass -?  It lists the following:
>
> ---------------------most useful args
> [- /]          out : Keytab to produce
> [- /]        princ : Principal name (user@REALM)
> [- /]         pass : password to use
>                      use "*" to prompt for password.
> [- +]      rndPass : ... or use +rndPass to generate a random password
> [- /]      minPass : minimum length for random password (def:15)
> [- /]      maxPass : maximum length for random password (def:256)
> ---------------------less useful stuff
> [- /]      mapuser : map princ (above) to this user account (default: don't)
> [- /]        mapOp : how to set the mapping attribute (default: add it)
> [- /]        mapOp :  is one of:
> [- /]        mapOp :        add : add value (default)
> [- /]        mapOp :        set : set value
> [- +]      DesOnly : Set account for des-only encryption (default:don't)
> [- /]           in : Keytab to read/digest
> ---------------------options for key generation
> [- /]       crypto : Cryptosystem to use
> [- /]       crypto :  is one of:
> [- /]       crypto : DES-CBC-CRC : for compatibility
> [- /]       crypto : DES-CBC-MD5 : for compatibliity
> [- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
> [- /]        ptype : principal type in question
> [- /]        ptype :  is one of:
> [- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
> [- /]        ptype : KRB5_NT_SRV_INST : user service instance
> [- /]        ptype : KRB5_NT_SRV_HST : host service instance
> [- /]         kvno : Override Key Version Number
>                      Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
> [- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
> [- /]       Target : Which DC to use.  Default:detect
> ---------------------options for trust attributes (Windows Server 2003 Sp1 Only
> [- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
> [- /]  TrustEncryp : Trust Encryption to use; DES is default
> [- /]  TrustEncryp :  is one of:
> [- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)
> [- /]  TrustEncryp :        DES : go back to DES
>
> So I have the option for a -crypto RC4-HMAC-NT
>
> If you don't have this, I can upload the file to my site for
> you to grab...
>
> Andy Kunkle
> IT Administrator
> AIM Engineering & Surveying, Inc.
> 5300 Lee Blvd
> Lehigh Acres, FL 33971
> 239-332-4569
>
> > -----Original Message-----
> > From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Bret Miller
> > Sent: Wednesday, August 22, 2007 2:01 PM
> > To: CommuniGate Pro Discussions
> > Subject: Re: Kerberos - Working!!
> >
> > > Ok, so in case anyone is interested, or was having the same problems I was
> > > with getting Kerberos to work, here's the solution:
> > >
> > > I had to go through every combination of ptypes and crypto's and
> > > -TrustEncryp to get it to work.
> > >
> > > The key was to run kerbtray from your AD machine. This gives you a clue as
> > > to what kind of encryption it is expecting. If you run that command (Start >
> > > Run > kerbtray), and then open the Tray Icon it creates, you'll see a tab
> > > for "Encryption Types". On the server that was working, it says etype 0, but
> > > on my production AD server it says RSADSI RC4-HMAC. So this means it's
> > > looking for a HMAC key. Then the money shot if you will was the following
> > > line:
> > >
> > > ktpass -princ imap/mail.server.com@SERVER.COM -mapuser cgatepro@server.com -pass xxxx -out imapadc.data -crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_HST -TrustEncryp RC4
> >
> > Nice thought. How do I get a ktpass command that accepts RC4-HMAC-NT and the
> > -TrustEncryp option? Is that part of Win2K3 SP2? We're currently at SP1
> > here.
> >
> >
> > >
> > > Once that was run, I was able to launch Outlook and it logged me in using
> > > Kerberos.
> > >
> > > Now I just have to figure out how to get the webmail to work in the same, or
> > > similar fashion...
> > >
> > > Hope this helps.
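
The thread turns on whether the key written by `ktpass -out` has the encryption type and key version number (kvno) that the domain controller uses for the service ticket. The following is an added example, not part of the original messages and not CommuniGate Pro or Microsoft code: it lists the principal, kvno and enctype stored in a keytab and reports a mismatch. It assumes the file is in the MIT keytab format version 0x0502; the function names are hypothetical and the sample bytes are constructed, with an all-zero dummy key.

```python
import struct

ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC-NT"}  # ktpass names

def counted(blob, p):  # 16-bit length-prefixed field -> (data, next offset)
    (n,) = struct.unpack_from(">H", blob, p)
    return blob[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(blob):
    """Return (principal, kvno, enctype name) per entry of a 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:          # negative size marks a deleted entry; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, p = counted(blob, pos + 2)
        parts = []
        for _ in range(ncomp):
            part, p = counted(blob, p)
            parts.append(part.decode())
        _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", blob, p)
        _key, p = counted(blob, p + 11)   # key bytes are skipped, never shown
        if end - p >= 4:                  # optional 32-bit kvno overrides 8-bit
            (kvno,) = struct.unpack_from(">I", blob, p)
        name = "/".join(parts) + "@" + realm.decode()
        entries.append((name, kvno, ETYPES.get(etype, f"etype {etype}")))
        pos = end
    return entries

def mismatches(blob, principal, want_crypto, want_kvno):
    """Explain why no key in the keytab fits the ticket the KDC would issue."""
    found = [e for e in parse_keytab(blob) if e[0] == principal]
    if any(k == want_kvno and c == want_crypto for _, k, c in found):
        return []
    return [f"have kvno={k} {c}, want kvno={want_kvno} {want_crypto}"
            for _, k, c in found] or [f"no entry for {principal}"]

def sample_keytab():
    """Constructed sample: DES-CBC-MD5 key, kvno 1, all-zero dummy key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(b"SERVER.COM") + cs(b"imap")
            + cs(b"mail.server.com") + struct.pack(">IIBH", 3, 0, 1, 3)
            + cs(bytes(8)) + struct.pack(">I", 1))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

For a real file, pass `open("imapadc.data", "rb").read()` as `blob`; `want_crypto` is the type kerbtray reports for the ticket and `want_kvno` is the mapped account's `msDS-KeyVersionNumber`.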


