Mailing List CGatePro@mail.stalker.com Message #92304
From: Andy Kunkle <akunkle@aimengr.com>
Subject: RE: Kerberos - Working!!
Date: Thu, 23 Aug 2007 12:30:39 -0400
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: Microsoft Office Outlook 12.0
You should see more in the logs. Do you see anything about GSSAPI?

I've not had any luck w/ the kvno stuff either. So how are you currently
authenticating? Are you using CGP in production?

Andy Kunkle
IT Administrator
AIM Engineering & Surveying, Inc.
5300 Lee Blvd
Lehigh Acres, FL 33971
239-332-4569


> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Bret Miller
> Sent: Thursday, August 23, 2007 11:59 AM
> To: CommuniGate Pro Discussions
> Subject: Re: Kerberos - Working!!
>
> Thanks for the offer, but I just downloaded a new version from
> Microsoft
> that had it. However, with any of the crypto and TrustEncryp options, I
> still get:
>
> 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed 0x80090303:
> 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2217) : check failed 0x80040119:
>
> I didn't try overriding the kvno, but that hasn't helped in the past.
>
> Oh well, it was worth another try.
>
> Bret
>
>
> > What version of ktpass does your machine show? Mine is 5.2.3790.1830.
> >
> > I'm wondering if it's something to do with that. If I type:
> >
> > Ktpass -?  It lists the following:
> >
> > ---------------------most useful args
> > [- /]          out : Keytab to produce
> > [- /]        princ : Principal name (user@REALM)
> > [- /]         pass : password to use
> >                      use "*" to prompt for password.
> > [- +]      rndPass : ... or use +rndPass to generate a random password
> > [- /]      minPass : minimum length for random password (def:15)
> > [- /]      maxPass : maximum length for random password (def:256)
> > ---------------------less useful stuff
> > [- /]      mapuser : map princ (above) to this user account (default: don't)
> > [- /]        mapOp : how to set the mapping attribute (default: add it)
> > [- /]        mapOp :  is one of:
> > [- /]        mapOp :        add : add value (default)
> > [- /]        mapOp :        set : set value
> > [- +]      DesOnly : Set account for des-only encryption (default:don't)
> > [- /]           in : Keytab to read/digest
> > ---------------------options for key generation
> > [- /]       crypto : Cryptosystem to use
> > [- /]       crypto :  is one of:
> > [- /]       crypto : DES-CBC-CRC : for compatibility
> > [- /]       crypto : DES-CBC-MD5 : for compatibility
> > [- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
> > [- /]        ptype : principal type in question
> > [- /]        ptype :  is one of:
> > [- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
> > [- /]        ptype : KRB5_NT_SRV_INST : user service instance
> > [- /]        ptype : KRB5_NT_SRV_HST : host service instance
> > [- /]         kvno : Override Key Version Number
> >                      Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
> > [- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
> > [- /]       Target : Which DC to use.  Default:detect
> > ---------------------options for trust attributes (Windows Server 2003 Sp1 Only
> > [- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
> > [- /]  TrustEncryp : Trust Encryption to use; DES is default
> > [- /]  TrustEncryp :  is one of:
> > [- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)
> > [- /]  TrustEncryp :        DES : go back to DES
> >
> > So I have the option for a -crypto RC4-HMAC-NT
> >
> > If you don't have this, I can upload the file to my site for
> > you to grab...
> >
> > Andy Kunkle
> > IT Administrator
> > AIM Engineering & Surveying, Inc.
> > 5300 Lee Blvd
> > Lehigh Acres, FL 33971
> > 239-332-4569
> >
> > > -----Original Message-----
> > > From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> > > Behalf Of Bret Miller
> > > Sent: Wednesday, August 22, 2007 2:01 PM
> > > To: CommuniGate Pro Discussions
> > > Subject: Re: Kerberos - Working!!
> > >
> > > > Ok, so in case anyone is interested, or was having the same problems I was
> > > > with getting Kerberos to work, here's the solution:
> > > >
> > > > I had to go through every combination of ptypes and cryptos and
> > > > -TrustEncryp to get it to work.
> > > >
> > > > The key was to run kerbtray from your AD machine. This gives you a clue as
> > > > to what kind of encryption it is expecting. If you run that command (Start >
> > > > Run > kerbtray), and then open the Tray Icon it creates, you'll see a tab
> > > > for "Encryption Types". On the server that was working, it says etype 0, but
> > > > on my production AD server it says RSADSI RC4-HMAC. So this means it's
> > > > looking for a HMAC key. Then the money shot, if you will, was the following
> > > > line:
> > > >
> > > > ktpass -princ imap/mail.server.com@SERVER.COM -mapuser cgatepro@server.com
> > > > -pass xxxx -out imapadc.data -crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_HST
> > > > -TrustEncryp RC4
> > >
> > > Nice thought. How do I get a ktpass command that accepts RC4-HMAC-NT
> > > and the -TrustEncryp option? Is that part of Win2K3 SP2? We're
> > > currently at SP1 here.
> > >
> > >
> > > >
> > > > Once that was run, I was able to launch Outlook and it logged me in using
> > > > Kerberos.
> > > >
> > > > Now I just have to figure out how to get the webmail to work in the same, or
> > > > similar fashion...
> > > >
> > > > Hope this helps.
>
>
>
>
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <CGatePro@mail.stalker.com>.
> To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
> To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
> To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
> Send administrative queries to  <CGatePro-request@mail.stalker.com>
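The whole thread turns on two things that are invisible from the ktpass command line: whether the keytab it wrote carries the enctype the DC is actually issuing tickets with (kerbtray showing "RSADSI RC4-HMAC" versus a DES key in the file), and whether the key version number in the file is the one the KDC has for the mapped account (the kvno override that never helped). The following is an added example, not code from the thread or from CommuniGate Pro: a small parser that reads a keytab, lists each entry's principal, name type, kvno and enctype, and flags mismatches against what you observed on the DC. It assumes the MIT keytab layout with a 0x0502 version header and big-endian fields, which is the format I would expect ktpass to emit for a file like imapadc.data; that is an assumption, so check the first two bytes of your file. The sample keytab is constructed inline with dummy key bytes and the thread's hypothetical principal so the script runs offline.

```python
import struct

# Kerberos enctype numbers from the RFC 3961 registry. ktpass's -crypto
# options map onto 1, 3 and 23; the AES types are listed for newer DCs.
ENCTYPES = {
    1: "DES-CBC-CRC",
    3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC",
}
# Principal name types, the same values ktpass exposes as -ptype.
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}


def _counted(buf, off):
    """Read a uint16-length-prefixed string (MIT 'counted octet string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Parse a 0x0502 keytab (big-endian MIT layout; assumed to be what ktpass
    writes) into a list of entry dicts. 0x0501 files are rejected."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if off + 4 <= end:       # optional 32-bit kvno follows the key block
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type_name": NAME_TYPES.get(name_type, "unknown(%d)" % name_type),
            "kvno": kvno,
            "etype": etype,
            "etype_name": ENCTYPES.get(etype, "unknown(%d)" % etype),
            "key_len": len(key),
        })
        off = end
    return entries


def encode_entry(principal, name_type, kvno, etype, key, timestamp=0):
    """Serialise one entry; used here only to build the constructed sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        raw = s.encode("utf-8")
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entry_blobs):
    return b"\x05\x02" + b"".join(entry_blobs)


def check_keytab(entries, principal, etype, kvno=None):
    """Problems for `principal`: no entry, enctype differing from what kerbtray
    showed the DC using, or kvno differing from the one the DC reports."""
    matched = [e for e in entries if e["principal"] == principal]
    if not matched:
        return ["no keytab entry for %s" % principal]
    problems = []
    for e in matched:
        if e["etype"] != etype:
            problems.append("%s: keytab has %s, DC expects %s" % (
                principal, e["etype_name"], ENCTYPES.get(etype, etype)))
        if kvno is not None and e["kvno"] != kvno:
            problems.append("%s: keytab kvno %d, DC reports kvno %d" % (
                principal, e["kvno"], kvno))
    return problems


# Constructed sample: a stale DES entry from an earlier ktpass attempt plus the
# RC4-HMAC entry the thread ended up needing. Key bytes are dummies.
SERVICE = "imap/mail.server.com@SERVER.COM"
SAMPLE_KEYTAB = build_keytab([
    encode_entry(SERVICE, 3, 2, 3, b"\x01" * 8),    # DES-CBC-MD5, kvno 2
    encode_entry(SERVICE, 3, 3, 23, b"\x02" * 16),  # RC4-HMAC, kvno 3
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print("%(principal)s  %(name_type_name)s  kvno=%(kvno)d  %(etype_name)s" % e)
    # kerbtray showed RSADSI RC4-HMAC (etype 23); assume the DC reports kvno 3.
    for p in check_keytab(found, SERVICE, 23, 3):
        print("PROBLEM:", p)
```

To use it on a real file, replace SAMPLE_KEYTAB with the bytes of the keytab ktpass produced and pass the enctype kerbtray reported (23 for RC4-HMAC) and the kvno the DC holds for the mapped account. A stale entry with the wrong enctype or an older kvno is exactly the kind of thing that shows up as an opaque assertion failure on the IMAP side rather than a clear Kerberos error.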

