Mailing List CGatePro@mail.stalker.com Message #92307
From: Andy Kunkle <akunkle@aimengr.com>
Subject: RE: Kerberos - Working!!
Date: Thu, 23 Aug 2007 15:20:01 -0400
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: Microsoft Office Outlook 12.0
Hey!
> Perhaps there's another option to enable more info in the CGPro mapi
> log?

Yes, the logging for this system is a bit convoluted (well, much like the
entire admin interface now that I think of it..)

But I do get a bunch more information in my logs than what you are sending
here, so here's what I have as far as settings go for the logs:

Settings > General > Server Internals Log: All Info
Settings > Access > IMAP: All Info
Settings > Access > WebUser: All Info
Settings > Access > XMPP: All Info
Settings > Services > HTTPA: All Info
Settings > Services > HTTPU: All Info
Settings > Services > LDAP: All Info

Set all of those things (you can probably leave HTTPA and HTTPU out for
now), and then try the Kerberos again.

You should start to see some more information in the logs at this point.
Hopefully...

So as it stands now, you are able to create the ktpass data file and when
you type:
 setspn -L cgateuser

from your 2003 server, does it show up as having imap/mail.domain.com  ?
Also, if you go to the properties of that user, the account name should show
up as imap/mail.domain.com as well...



Andy Kunkle
IT Administrator
AIM Engineering & Surveying, Inc.
5300 Lee Blvd
Lehigh Acres, FL 33971
239-332-4569


> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Bret Miller
> Sent: Thursday, August 23, 2007 1:09 PM
> To: CommuniGate Pro Discussions
> Subject: Re: Kerberos - Working!!
>
> > You should see more in the logs. Do you see anything about GSSAPI?
>
> So
> far, I haven't been able to see anything. The "assertion failed"
> message
> basically implies that the client cannot acquire the credential it
> needs to
> authenticate, so nothing is even attempted in the server connection.
>
> > I've not had any luck w/ the kvno stuff either. So how are
> > you currently authenticating? Are you using CGP in production?
>
> Yes, in production for a few years now. I've been "testing" the
> kerberos
> stuff since it was first introduced and have never had any success at
> it.
> Always the same error. And so far, no one has an explanation for it. Of
> course, my understanding of kerberos is limited to begin with, which
> doesn't
> help in the troubleshooting area. Still, the log seems slim on
> information
> about what happened. Basically we know it was attempted and failed. It
> would
> be nice to have a little more information about what was attempted and
> what
> it didn't find that it expected. But perhaps that information isn't
> even
> available to CGPro mapi.
>
> For authentication (besides my own testing), we have the users set
> their
> password in Outlook every time they change the network password. Then
> we use
> an LDAP external authentication module that when successful syncs the
> CGPro
> password to the network password thus bypassing the external
> authentication
> until the next time the password changes. For myself, I have the "use
> windows integrated authentication" option checked and the option to
> "use
> this if not successful". So you see the attempt to use kerberos (the
> two
> lines I previously pasted) followed by a login with the "use this if it
> fails" credentials. So the session is successful in spite of the
> failure,
> but only because I have alternate authentication to use.
>
> So... Here is the limited start of the mapi log:
>
> 8/23/2007 8:55:27 AM [D9C/d7c]  OS: Windows NT 5.1 Build 2600 Service
> Pack 2
> 8/23/2007 8:55:27 AM [D9C/d7c]  App: C:\Program Files\Microsoft
> Office\OFFICE11\OUTLOOK.EXE, version 11.0.8118.0
> 8/23/2007 8:55:27 AM [D9C/d7c]  Dll: C:\WINDOWS\system32\cgmxui32.dll,
> version 1.2.12.0
> 8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1970000)::DllMain: dwReason = 1
> 8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1970000)::ABProviderInit:
> ulMAPIVer
> = 0x10010
> 8/23/2007 8:55:27 AM [D9C/d7c]  CABProvider(0x1a54040)::CABProvider()
> 8/23/2007 8:55:27 AM [D9C/d7c]  CABProvider(0x1a54040)::Logon()
> profileName=Outlook, flags=0
> 8/23/2007 8:55:27 AM [D9C/d7c]  OS: Windows NT 5.1 Build 2600 Service
> Pack 2
> 8/23/2007 8:55:27 AM [D9C/d7c]  App: C:\Program Files\Microsoft
> Office\OFFICE11\OUTLOOK.EXE, version 11.0.8118.0
> 8/23/2007 8:55:27 AM [D9C/d7c]  Dll: C:\WINDOWS\system32\cgmxp32.dll,
> version 1.2.12.0
> 8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1a60000)::DllMain: dwReason = 1
> 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::CImapXP
> 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Connect
> 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Dial
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * OK CommuniGate Pro IMAP Server
> 5.1.11 at mail.wcg.org ready
> 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed
> 0x80090303:
> 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2217) : check failed
> 0x80040119:
> 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000001 LOGIN
> "bret.miller@wcg.org"
> {9+}
> Tr@nsf0rm
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000001 OK completed
> 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000002 ENABLE EXTENSIONS
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000002 OK completed
> 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000003 GETMAILTRAILER
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000003 OK completed
> 8/23/2007 8:55:27 AM [D9C/38c]  CImapXP(0x1327e0)::IdleThreadProc --
> starting 0x38c(908)
> 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000004 READCLIENTSETTINGS
> (UserFrom
> RealName AccountName)
> 8/23/2007 8:55:27 AM [D9C/a60]  CImapXP(0x1327e0)::WorkerThreadProc --
> starting 0xa60(2656)
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * CLIENTSETTINGS (RealName "Bret
> Miller")(AccountName bret.miller@wcg.org)
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000004 OK completed
> 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000005 GETACCOUNTRULES
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * ACCOUNTRULES .... <snip>
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000005 OK completed
> 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::~CImapXP
> 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Disconnect
> 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000006 LOGOUT
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * BYE CommuniGate Pro IMAP
> closing
> connection
> 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000006 OK completed
> 8/23/2007 8:55:27 AM [D9C/38c]  CImapXP(0x1327e0)::IdleThreadProc --
> exiting
> 0x38c(908) - 0
> 8/23/2007 8:55:27 AM [D9C/a60]  CImapXP(0x1327e0)::WorkerThreadProc --
> exiting 0xa60(2656) - 0
>
> Bret
>
> > >
> > > Thanks for the offer, but I just downloaded a new version from
> > > Microsoft
> > > that had it. However, with any of the crypto and
> > TrustEncryp options, I
> > > still get:
> > >
> > > 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed
> > > 0x80090303:
> > > 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2217) : check failed
> > > 0x80040119:
> > >
> > > I didn't try overriding the kvno, but that hasn't helped in
> > the past.
> > >
> > > Oh well, it was worth another try.
> > >
> > > Bret
> > >
> > >
> > > > What version of ktpass does your machine show? Mine is
> > 5.2.3790.1830.
> > > >
> > > > I'm wondering if it's something to do with that. If I type:
> > > >
> > > > Ktpass -?  It lists the following:
> > > >
> > > > ---------------------most useful args
> > > > [- /]          out : Keytab to produce
> > > > [- /]        princ : Principal name (user@REALM)
> > > > [- /]         pass : password to use
> > > >                      use "*" to prompt for password.
> > > > [- +]      rndPass : ... or use +rndPass to generate a random
> > > password
> > > > [- /]      minPass : minimum length for random password (def:15)
> > > > [- /]      maxPass : maximum length for random password (def:256)
> > > > ---------------------less useful stuff
> > > > [- /]      mapuser : map princ (above) to this user account
> > > > (default: don't)
> > > > [- /]        mapOp : how to set the mapping attribute
> > > > (default: add it)
> > > > [- /]        mapOp :  is one of:
> > > > [- /]        mapOp :        add : add value (default)
> > > > [- /]        mapOp :        set : set value
> > > > [- +]      DesOnly : Set account for des-only encryption
> > > > (default:don't)
> > > > [- /]           in : Keytab to read/digest
> > > > ---------------------options for key generation
> > > > [- /]       crypto : Cryptosystem to use
> > > > [- /]       crypto :  is one of:
> > > > [- /]       crypto : DES-CBC-CRC : for compatibility
> > > > [- /]       crypto : DES-CBC-MD5 : for compatibliity
> > > > [- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
> > > > [- /]        ptype : principal type in question
> > > > [- /]        ptype :  is one of:
> > > > [- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype--
> > > > recommended
> > > > [- /]        ptype : KRB5_NT_SRV_INST : user service instance
> > > > [- /]        ptype : KRB5_NT_SRV_HST : host service instance
> > > > [- /]         kvno : Override Key Version Number
> > > >                      Default: query DC for kvno.  Use /kvno 1
> > > > for Win2K
> > > > compat.
> > > > [- +]       Answer : +Answer answers YES to prompts.  -Answer
> > > > answers NO.
> > > > [- /]       Target : Which DC to use.  Default:detect
> > > > ---------------------options for trust attributes (Windows
> > > > Server 2003 Sp1
> > > > Only
> > > > [- /] MitRealmName : MIT Realm which we want to enable
> > RC4 trust on.
> > > > [- /]  TrustEncryp : Trust Encryption to use; DES is default
> > > > [- /]  TrustEncryp :  is one of:
> > > > [- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)
> > > > [- /]  TrustEncryp :        DES : go back to DES
> > > >
> > > > So I have the option for a -crypto RC4-HMAC-NT
> > > >
> > > > If you don't have this, I can upload the file to my site for
> > > > you to grab...
> > > >
> > > > Andy Kunkle
> > > > IT Administrator
> > > > AIM Engineering & Surveying, Inc.
> > > > 5300 Lee Blvd
> > > > Lehigh Acres, FL 33971
> > > > 239-332-4569
> > > >
> > > > > -----Original Message-----
> > > > > From: CommuniGate Pro Discussions
> > > > [mailto:CGatePro@mail.stalker.com] On
> > > > > Behalf Of Bret Miller
> > > > > Sent: Wednesday, August 22, 2007 2:01 PM
> > > > > To: CommuniGate Pro Discussions
> > > > > Subject: Re: Kerberos - Working!!
> > > > >
> > > > > > Ok, so in case anyone is interested, or was having the same
> > > > > > problems I was
> > > > > > with getting Kerberos to work, here's the solution:
> > > > > >
> > > > > > I had to go through every combination of ptypes and
> > crypto's and
> > > > > > -TrustEncryp to get it to work.
> > > > > >
> > > > > > The key was to run kerbtray from your AD machine. This gives
> > > > > > you a clue as
> > > > > > to what kind of encryption it is expecting. If you run that
> > > > > > command (Start >
> > > > > > Run > kerbtray), and then open the Tray Icon it creates,
> > > > > > you'll see a tab
> > > > > > for "Encryption Types". On the server that was working, it
> > > > > > says etype 0, but
> > > > > > on my production AD server it says RSADSI RC4-HMAC.
> > So this means
> > > > > it's
> > > > > > looking for a HMAC key. Then the money shot if you will was
> > > > > > the following
> > > > > > line:
> > > > > >
> > > > > > ktpass -princ imap/mail.server.com@SERVER.COM -mapuser
> > > > > > cgatepro@server.com
> > > > > > -pass xxxx -out imapadc.data -crypto RC4-HMAC-NT -ptype
> > > > > > KRB5_NT_SRV_HST
> > > > > > -TrustEncryp RC4
> > > > >
> > > > > Nice thought. How do I get a ktpass command that
> > accepts RC4-HMAC-
> > > NT
> > > > > and the
> > > > > -TrustEncryp option? Is that part of Win2K3 SP2? We're
> > > > currently at SP1
> > > > > here.
> > > > >
> > > > >
> > > > > >
> > > > > > Once that was run, I was able to launch Outlook and it logged
> > > > > > me in using
> > > > > > Kerberos.
> > > > > >
> > > > > > Now I just have to figure out how to get the webmail to work
> > > > > > in the same, or
> > > > > > similar fashion...
> > > > > >
> > > > > > Hope this helps.
>
>
>
>
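The MAPI connector log Bret pasted shows the failure mode he describes: the GSSAPI attempt dies on "assertion failed 0x80090303" (that HRESULT is SSPI's SEC_E_TARGET_UNKNOWN), the client then sends a plaintext IMAP LOGIN with the "use this if it fails" credentials, and because the LOGIN password is sent as an IMAP literal it is written into the log in cleartext on the line after the LOGIN command. The following Python script is an added example, not code from the thread or from CommuniGate; it parses a constructed sample in that log format (the LOGIN line is unwrapped as the real log writes it, with a placeholder password), groups lines by the bracketed PID/TID session key, and reports sessions that only succeeded through the plaintext fallback or that leaked a password into the log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the thread's log format (not the original lines); the password literal is a placeholder.
SAMPLE_LOG = """\
8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed 0x80090303:
8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000001 LOGIN "user@example.com" {11+}
placeholder
8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000001 OK completed
"""
LINE = re.compile(r"^\S+ \S+ [AP]M \[(?P<sess>[0-9A-Fa-f]+/[0-9A-Fa-f]+)\]\s+(?P<msg>.*)$")
ASSERT = re.compile(r"assertion failed (0x[0-9A-Fa-f]{8})")
LOGIN = re.compile(r"^<<<<<< (?P<tag>\d+) LOGIN .*\{\d+\+?\}\s*$")  # IMAP literal: password on next line
REPLY = re.compile(r"^>>>>>> (?P<tag>\d+) (?P<status>OK|NO|BAD)\b")

@dataclass
class Session:
    key: str                               # "PID/TID" from the bracketed field
    kerberos_error: Optional[str] = None   # HRESULT from the "assertion failed" line
    login_tag: Optional[str] = None        # set once a plaintext LOGIN was sent
    login_ok: bool = False
    password_logged: bool = False          # a LOGIN password literal was written to the log

def analyze(text: str) -> Dict[str, Session]:
    sessions: Dict[str, Session] = {}
    awaiting_literal: Optional[Session] = None  # next raw line is the LOGIN password itself
    for raw in text.splitlines():
        if awaiting_literal is not None:
            awaiting_literal.password_logged, awaiting_literal = True, None
            continue
        m = LINE.match(raw)
        if not m:
            continue
        s = sessions.setdefault(m["sess"], Session(m["sess"]))
        if a := ASSERT.search(m["msg"]):
            s.kerberos_error = a.group(1).lower()
        elif lg := LOGIN.match(m["msg"]):
            s.login_tag, awaiting_literal = lg["tag"], s
        elif (r := REPLY.match(m["msg"])) and r["tag"] == s.login_tag:
            s.login_ok = r["status"] == "OK"
    return sessions

def findings(s: Session) -> List[str]:
    fell_back = bool(s.kerberos_error and s.login_ok)
    return [msg for cond, msg in (
        (s.kerberos_error, f"{s.key}: Kerberos/GSSAPI attempt failed ({s.kerberos_error})"),
        (fell_back, f"{s.key}: session succeeded only through plaintext LOGIN fallback"),
        (s.password_logged, f"{s.key}: LOGIN password literal written to the log in cleartext"),
    ) if cond]
```

Run it over a full cgmxp32 log to find clients that are quietly falling back to password authentication while Kerberos is believed to be in use, and to locate log files that need to be treated as credential material.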