Mailing List CGatePro@mail.stalker.com Message #92305
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: Kerberos - Working!!
Date: Thu, 23 Aug 2007 10:09:11 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
> You should see more in the logs. Do you see anything about GSSAPI?

Perhaps there's another option to enable more info in the CGPro mapi log? So
far, I haven't been able to see anything. The "assertion failed" message
basically implies that the client cannot acquire the credential it needs to
authenticate, so nothing is even attempted in the server connection.

> I've not had any luck w/ the kvno stuff either. So how are
> you currently authenticating? Are you using CGP in production?

Yes, in production for a few years now. I've been "testing" the kerberos
stuff since it was first introduced and have never had any success at it.
Always the same error. And so far, no one has an explanation for it. Of
course, my understanding of kerberos is limited to begin with, which doesn't
help in the troubleshooting area. Still, the log seems slim on information
about what happened. Basically we know it was attempted and failed. It would
be nice to have a little more information about what was attempted and what
it didn't find that it expected. But perhaps that information isn't even
available to CGPro mapi.

For authentication (besides my own testing), we have the users set their
password in Outlook every time they change the network password. Then we use
an LDAP external authentication module that when successful syncs the CGPro
password to the network password thus bypassing the external authentication
until the next time the password changes. For myself, I have the "use
windows integrated authentication" option checked and the option to "use
this if not successful". So you see the attempt to use kerberos (the two
lines I previously pasted) followed by a login with the "use this if it
fails" credentials. So the session is successful in spite of the failure,
but only because I have alternate authentication to use.

So... Here is the limited start of the mapi log:

8/23/2007 8:55:27 AM [D9C/d7c]  OS: Windows NT 5.1 Build 2600 Service Pack 2
8/23/2007 8:55:27 AM [D9C/d7c]  App: C:\Program Files\Microsoft
Office\OFFICE11\OUTLOOK.EXE, version 11.0.8118.0
8/23/2007 8:55:27 AM [D9C/d7c]  Dll: C:\WINDOWS\system32\cgmxui32.dll,
version 1.2.12.0
8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1970000)::DllMain: dwReason = 1
8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1970000)::ABProviderInit: ulMAPIVer
= 0x10010
8/23/2007 8:55:27 AM [D9C/d7c]  CABProvider(0x1a54040)::CABProvider()
8/23/2007 8:55:27 AM [D9C/d7c]  CABProvider(0x1a54040)::Logon()
profileName=Outlook, flags=0
8/23/2007 8:55:27 AM [D9C/d7c]  OS: Windows NT 5.1 Build 2600 Service Pack 2
8/23/2007 8:55:27 AM [D9C/d7c]  App: C:\Program Files\Microsoft
Office\OFFICE11\OUTLOOK.EXE, version 11.0.8118.0
8/23/2007 8:55:27 AM [D9C/d7c]  Dll: C:\WINDOWS\system32\cgmxp32.dll,
version 1.2.12.0
8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1a60000)::DllMain: dwReason = 1
8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::CImapXP
8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Connect
8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Dial
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * OK CommuniGate Pro IMAP Server
5.1.11 at mail.wcg.org ready
8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed
0x80090303:
8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2217) : check failed 0x80040119:
8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000001 LOGIN "bret.miller@wcg.org"
{9+}
Tr@nsf0rm
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000001 OK completed
8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000002 ENABLE EXTENSIONS
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000002 OK completed
8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000003 GETMAILTRAILER
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000003 OK completed
8/23/2007 8:55:27 AM [D9C/38c]  CImapXP(0x1327e0)::IdleThreadProc --
starting 0x38c(908)
8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000004 READCLIENTSETTINGS (UserFrom
RealName AccountName)
8/23/2007 8:55:27 AM [D9C/a60]  CImapXP(0x1327e0)::WorkerThreadProc --
starting 0xa60(2656)
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * CLIENTSETTINGS (RealName "Bret
Miller")(AccountName bret.miller@wcg.org)
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000004 OK completed
8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000005 GETACCOUNTRULES
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * ACCOUNTRULES .... <snip>
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000005 OK completed
8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::~CImapXP
8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Disconnect
8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000006 LOGOUT
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * BYE CommuniGate Pro IMAP closing
connection
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000006 OK completed
8/23/2007 8:55:27 AM [D9C/38c]  CImapXP(0x1327e0)::IdleThreadProc -- exiting
0x38c(908) - 0
8/23/2007 8:55:27 AM [D9C/a60]  CImapXP(0x1327e0)::WorkerThreadProc --
exiting 0xa60(2656) - 0

Bret

> >
> > Thanks for the offer, but I just downloaded a new version from
> > Microsoft
> > that had it. However, with any of the crypto and
> TrustEncryp options, I
> > still get:
> >
> > 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed
> > 0x80090303:
> > 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2217) : check failed
> > 0x80040119:
> >
> > I didn't try overriding the kvno, but that hasn't helped in
> the past.
> >
> > Oh well, it was worth another try.
> >
> > Bret
> >
> >
> > > What version of ktpass does your machine show? Mine is
> 5.2.3790.1830.
> > >
> > > I'm wondering if it's something to do with that. If I type:
> > >
> > > Ktpass -?  It lists the following:
> > >
> > > ---------------------most useful args
> > > [- /]          out : Keytab to produce
> > > [- /]        princ : Principal name (user@REALM)
> > > [- /]         pass : password to use
> > >                      use "*" to prompt for password.
> > > [- +]      rndPass : ... or use +rndPass to generate a random
> > password
> > > [- /]      minPass : minimum length for random password (def:15)
> > > [- /]      maxPass : maximum length for random password (def:256)
> > > ---------------------less useful stuff
> > > [- /]      mapuser : map princ (above) to this user account
> > > (default: don't)
> > > [- /]        mapOp : how to set the mapping attribute
> > > (default: add it)
> > > [- /]        mapOp :  is one of:
> > > [- /]        mapOp :        add : add value (default)
> > > [- /]        mapOp :        set : set value
> > > [- +]      DesOnly : Set account for des-only encryption
> > > (default:don't)
> > > [- /]           in : Keytab to read/digest
> > > ---------------------options for key generation
> > > [- /]       crypto : Cryptosystem to use
> > > [- /]       crypto :  is one of:
> > > [- /]       crypto : DES-CBC-CRC : for compatibility
> > > [- /]       crypto : DES-CBC-MD5 : for compatibliity
> > > [- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
> > > [- /]        ptype : principal type in question
> > > [- /]        ptype :  is one of:
> > > [- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype--
> > > recommended
> > > [- /]        ptype : KRB5_NT_SRV_INST : user service instance
> > > [- /]        ptype : KRB5_NT_SRV_HST : host service instance
> > > [- /]         kvno : Override Key Version Number
> > >                      Default: query DC for kvno.  Use /kvno 1
> > > for Win2K
> > > compat.
> > > [- +]       Answer : +Answer answers YES to prompts.  -Answer
> > > answers NO.
> > > [- /]       Target : Which DC to use.  Default:detect
> > > ---------------------options for trust attributes (Windows
> > > Server 2003 Sp1
> > > Only
> > > [- /] MitRealmName : MIT Realm which we want to enable
> RC4 trust on.
> > > [- /]  TrustEncryp : Trust Encryption to use; DES is default
> > > [- /]  TrustEncryp :  is one of:
> > > [- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)
> > > [- /]  TrustEncryp :        DES : go back to DES
> > >
> > > So I have the option for a -crypto RC4-HMAC-NT
> > >
> > > If you don't have this, I can upload the file to my site for
> > > you to grab...
> > >
> > > Andy Kunkle
> > > IT Administrator
> > > AIM Engineering & Surveying, Inc.
> > > 5300 Lee Blvd
> > > Lehigh Acres, FL 33971
> > > 239-332-4569
> > >
> > > > -----Original Message-----
> > > > From: CommuniGate Pro Discussions
> > > [mailto:CGatePro@mail.stalker.com] On
> > > > Behalf Of Bret Miller
> > > > Sent: Wednesday, August 22, 2007 2:01 PM
> > > > To: CommuniGate Pro Discussions
> > > > Subject: Re: Kerberos - Working!!
> > > >
> > > > > Ok, so in case anyone is interested, or was having the same
> > > > > problems I was
> > > > > with getting Kerberos to work, here's the solution:
> > > > >
> > > > > I had to go through every combination of ptypes and
> crypto's and
> > > > > -TrustEncryp to get it to work.
> > > > >
> > > > > The key was to run kerbtray from your AD machine. This gives
> > > > > you a clue as
> > > > > to what kind of encryption it is expecting. If you run that
> > > > > command (Start >
> > > > > Run > kerbtray), and then open the Tray Icon it creates,
> > > > > you'll see a tab
> > > > > for "Encryption Types". On the server that was working, it
> > > > > says etype 0, but
> > > > > on my production AD server it says RSADSI RC4-HMAC.
> So this means
> > > > it's
> > > > > looking for a HMAC key. Then the money shot if you will was
> > > > > the following
> > > > > line:
> > > > >
> > > > > ktpass -princ imap/mail.server.com@SERVER.COM -mapuser
> > > > > cgatepro@server.com
> > > > > -pass xxxx -out imapadc.data -crypto RC4-HMAC-NT -ptype
> > > > > KRB5_NT_SRV_HST
> > > > > -TrustEncryp RC4
> > > >
> > > > Nice thought. How do I get a ktpass command that
> accepts RC4-HMAC-
> > NT
> > > > and the
> > > > -TrustEncryp option? Is that part of Win2K3 SP2? We're
> > > currently at SP1
> > > > here.
> > > >
> > > >
> > > > >
> > > > > Once that was run, I was able to launch Outlook and it logged
> > > > > me in using
> > > > > Kerberos.
> > > > >
> > > > > Now I just have to figure out how to get the webmail to work
> > > > > in the same, or
> > > > > similar fashion...
> > > > >
> > > > > Hope this helps.
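An added example, not code from the thread or from CommuniGate/Microsoft: a small Python parser for the version-2 keytab that `ktpass -out` writes, so the principal, ptype, kvno and enctype in the file can be checked against what kerbtray reports for the AD server (RSADSI RC4-HMAC is etype 23) before the keytab is handed to the server. The sample keytab is constructed inline with a placeholder key and reuses the thread's example principal; `build_entry` is a helper of this example, not a ktpass feature.

```python
import struct

# Enctype and name-type numbers from RFC 4120 and the MIT keytab format that ktpass writes.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _counted(data, off):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """One dict per entry of a version-2 (0x0502) keytab: principal, ptype, kvno, enctype."""
    if data[:2] != b"\x05\x02": raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:             # negative size marks a deleted entry; skip the hole
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen         # step over the key bytes; key material is never reported
        # Optional trailing 32-bit kvno; a non-zero value overrides the 8-bit vno8 field.
        vno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "ptype": NAME_TYPES.get(name_type, str(name_type)),
                        "enctype": ENCTYPES.get(enctype, str(enctype))})
        off = end
    return entries

def build_entry(principal, realm, name_type, kvno, enctype, key):
    """Constructed sample entry for testing; the key bytes are a placeholder, not a real key."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key))
    return struct.pack(">i", len(body) + len(key) + 4) + body + key + struct.pack(">I", kvno)

# Constructed sample keytab: the thread's principal keyed as RC4-HMAC (etype 23), kvno 3.
SAMPLE = b"\x05\x02" + build_entry("imap/mail.server.com", "SERVER.COM", 3, 3, 23, b"\x00" * 16)
```

A keytab whose entries come back as des-cbc-crc or des-cbc-md5 cannot satisfy an AD server that only advertises RC4-HMAC, which is the mismatch the thread's `-crypto RC4-HMAC-NT` run resolves.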


