Mailing List CGatePro@mail.stalker.com Message #92315
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: Kerberos - Working!!
Date: Fri, 24 Aug 2007 08:53:19 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
> Hey!
> > Perhaps there's another option to enable more info in the CGPro mapi
> > log?
>
> Yes, the logging for this system is a bit convoluted (well, much like the
> entire admin interface now that I think of it..)
>
> But I do get a bunch more information in my logs than what you are sending
> here, so here's what I have as far as settings go for the logs:
>
> Settings > General > Server Internals Log: All Info
> Settings > Access > IMAP: All Info
> Settings > Access > WebUser: All Info
> Settings > Access > XMPP: All Info
> Settings > Services > HTTPA: All Info
> Settings > Services > HTTPU: All Info
> Settings > Services > LDAP: All Info
>
> Set all of those things (you can probably leave HTTPA and HTTPU out for
> now), and then try the Kerberos again.
>
> You should start to see some more information in the logs at this point.
> Hopefully...

Actually, that affects the server-side logging. Since the client side fails to acquire credentials, it never even attempts kerberos authentication to the server. It's not a matter of client/server data mismatch, the client simply CAN'T acquire a ticket to authenticate with for some reason. And as I understand it, none of the client logging options get you any more information than what is shown already for this.

>
> So as it stands now, you are able to create the ktpass data file and when
> you type:
>  setspn -L cgateuser
>
> from your 2003 server, does it show up as having imap/mail.domain.com ?

Yes and yes.

> Also, if you go to the properties of that user, the account name should show
> up as imap/mail.domain.com as well...

And yes.

But after you attempt the authentication, klist doesn't show the client having acquired a ticket for the imap/mail.wcg.org service because that failed for some reason supposedly explained by the error code, but I've not had any luck figuring out what the "assertion failed 0x80090303" error means.

To clarify-- this affects kerberos authentication only. I can use OS authentication and external LDAP authentication, but both those require that the password stored in Outlook MATCH the current network password, which then requires the user to change both passwords at the same time and as you can imagine generates quite a few help desk calls every time the users have to change their passwords. So, from a workload reduction standpoint, it would be good if we could get "windows integrated authentication" working. So, every time someone posts that they found the answer to making it work, I try. :) And I hope. :) But so far, no luck. :(

Bret



> > > You should see more in the logs. Do you see anything about GSSAPI?
> >
> > So far, I haven't been able to see anything. The "assertion failed"
> > message basically implies that the client cannot acquire the credential it
> > needs to authenticate, so nothing is even attempted in the server connection.
> >
> > > I've not had any luck w/ the kvno stuff either. So how are
> > > you currently authenticating? Are you using CGP in production?
> >
> > Yes, in production for a few years now. I've been "testing" the kerberos
> > stuff since it was first introduced and have never had any success at it.
> > Always the same error. And so far, no one has an explanation for it. Of
> > course, my understanding of kerberos is limited to begin with, which doesn't
> > help in the troubleshooting area. Still, the log seems slim on information
> > about what happened. Basically we know it was attempted and failed. It would
> > be nice to have a little more information about what was attempted and what
> > it didn't find that it expected. But perhaps that information isn't even
> > available to CGPro mapi.
> >
> > For authentication (besides my own testing), we have the users set their
> > password in Outlook every time they change the network password. Then we use
> > an LDAP external authentication module that when successful syncs the CGPro
> > password to the network password thus bypassing the external authentication
> > until the next time the password changes. For myself, I have the "use
> > windows integrated authentication" option checked and the option to "use
> > this if not successful". So you see the attempt to use kerberos (the two
> > lines I previously pasted) followed by a login with the "use this if it
> > fails" credentials. So the session is successful in spite of the failure,
> > but only because I have alternate authentication to use.
> >
> > So... Here is the limited start of the mapi log:
> >
> > 8/23/2007 8:55:27 AM [D9C/d7c]  OS: Windows NT 5.1 Build 2600 Service Pack 2
> > 8/23/2007 8:55:27 AM [D9C/d7c]  App: C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE, version 11.0.8118.0
> > 8/23/2007 8:55:27 AM [D9C/d7c]  Dll: C:\WINDOWS\system32\cgmxui32.dll, version 1.2.12.0
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1970000)::DllMain: dwReason = 1
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1970000)::ABProviderInit: ulMAPIVer = 0x10010
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CABProvider(0x1a54040)::CABProvider()
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CABProvider(0x1a54040)::Logon() profileName=Outlook, flags=0
> > 8/23/2007 8:55:27 AM [D9C/d7c]  OS: Windows NT 5.1 Build 2600 Service Pack 2
> > 8/23/2007 8:55:27 AM [D9C/d7c]  App: C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE, version 11.0.8118.0
> > 8/23/2007 8:55:27 AM [D9C/d7c]  Dll: C:\WINDOWS\system32\cgmxp32.dll, version 1.2.12.0
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CGMXP(0x1a60000)::DllMain: dwReason = 1
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::CImapXP
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Connect
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Dial
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * OK CommuniGate Pro IMAP Server 5.1.11 at mail.wcg.org ready
> > 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed 0x80090303:
> > 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2217) : check failed 0x80040119:
> > 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000001 LOGIN "bret.miller@wcg.org" {9+}
> > Tr@nsf0rm
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000001 OK completed
> > 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000002 ENABLE EXTENSIONS
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000002 OK completed
> > 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000003 GETMAILTRAILER
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000003 OK completed
> > 8/23/2007 8:55:27 AM [D9C/38c]  CImapXP(0x1327e0)::IdleThreadProc -- starting 0x38c(908)
> > 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000004 READCLIENTSETTINGS (UserFrom RealName AccountName)
> > 8/23/2007 8:55:27 AM [D9C/a60]  CImapXP(0x1327e0)::WorkerThreadProc -- starting 0xa60(2656)
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * CLIENTSETTINGS (RealName "Bret Miller")(AccountName bret.miller@wcg.org)
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000004 OK completed
> > 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000005 GETACCOUNTRULES
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * ACCOUNTRULES .... <snip>
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000005 OK completed
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::~CImapXP
> > 8/23/2007 8:55:27 AM [D9C/d7c]  CImapXP(0x1327e0)::Disconnect
> > 8/23/2007 8:55:27 AM [D9C/d7c]  <<<<<< 00000006 LOGOUT
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> * BYE CommuniGate Pro IMAP closing connection
> > 8/23/2007 8:55:27 AM [D9C/d7c]  >>>>>> 00000006 OK completed
> > 8/23/2007 8:55:27 AM [D9C/38c]  CImapXP(0x1327e0)::IdleThreadProc -- exiting 0x38c(908) - 0
> > 8/23/2007 8:55:27 AM [D9C/a60]  CImapXP(0x1327e0)::WorkerThreadProc -- exiting 0xa60(2656) - 0
> >
> > Bret
> >
> > > >
> > > > Thanks for the offer, but I just downloaded a new version from Microsoft
> > > > that had it. However, with any of the crypto and TrustEncryp options, I
> > > > still get:
> > > >
> > > > 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2017) : assertion failed 0x80090303:
> > > > 8/23/2007 8:55:27 AM [D9C/d7c]  ImapXP.cpp(2217) : check failed 0x80040119:
> > > >
> > > > I didn't try overriding the kvno, but that hasn't helped in the past.
> > > >
> > > > Oh well, it was worth another try.
> > > >
> > > > Bret
> > > >
> > > >
> > > > > What version of ktpass does your machine show? Mine is 5.2.3790.1830.
> > > > >
> > > > > I'm wondering if it's something to do with that. If I type:
> > > > >
> > > > > Ktpass -?  It lists the following:
> > > > >
> > > > > ---------------------most useful args
> > > > > [- /]          out : Keytab to produce
> > > > > [- /]        princ : Principal name (user@REALM)
> > > > > [- /]         pass : password to use
> > > > >                      use "*" to prompt for password.
> > > > > [- +]      rndPass : ... or use +rndPass to generate a random password
> > > > > [- /]      minPass : minimum length for random password (def:15)
> > > > > [- /]      maxPass : maximum length for random password (def:256)
> > > > > ---------------------less useful stuff
> > > > > [- /]      mapuser : map princ (above) to this user account (default: don't)
> > > > > [- /]        mapOp : how to set the mapping attribute (default: add it)
> > > > > [- /]        mapOp :  is one of:
> > > > > [- /]        mapOp :        add : add value (default)
> > > > > [- /]        mapOp :        set : set value
> > > > > [- +]      DesOnly : Set account for des-only encryption (default:don't)
> > > > > [- /]           in : Keytab to read/digest
> > > > > ---------------------options for key generation
> > > > > [- /]       crypto : Cryptosystem to use
> > > > > [- /]       crypto :  is one of:
> > > > > [- /]       crypto : DES-CBC-CRC : for compatibility
> > > > > [- /]       crypto : DES-CBC-MD5 : for compatibliity
> > > > > [- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
> > > > > [- /]        ptype : principal type in question
> > > > > [- /]        ptype :  is one of:
> > > > > [- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
> > > > > [- /]        ptype : KRB5_NT_SRV_INST : user service instance
> > > > > [- /]        ptype : KRB5_NT_SRV_HST : host service instance
> > > > > [- /]         kvno : Override Key Version Number
> > > > >                      Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
> > > > > [- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
> > > > > [- /]       Target : Which DC to use.  Default:detect
> > > > > ---------------------options for trust attributes (Windows Server 2003 Sp1 Only
> > > > > [- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
> > > > > [- /]  TrustEncryp : Trust Encryption to use; DES is default
> > > > > [- /]  TrustEncryp :  is one of:
> > > > > [- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)
> > > > > [- /]  TrustEncryp :        DES : go back to DES
> > > > >
> > > > > So I have the option for a -crypto RC4-HMAC-NT
> > > > >
> > > > > If you don't have this, I can upload the file to my site for you to grab...
> > > > >
> > > > > Andy Kunkle
> > > > > IT Administrator
> > > > > AIM Engineering & Surveying, Inc.
> > > > > 5300 Lee Blvd
> > > > > Lehigh Acres, FL 33971
> > > > > 239-332-4569
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Bret Miller
> > > > > > Sent: Wednesday, August 22, 2007 2:01 PM
> > > > > > To: CommuniGate Pro Discussions
> > > > > > Subject: Re: Kerberos - Working!!
> > > > > >
> > > > > > > Ok, so in case anyone is interested, or was having the same problems I was
> > > > > > > with getting Kerberos to work, here's the solution:
> > > > > > >
> > > > > > > I had to go through every combination of ptypes and crypto's and
> > > > > > > -TrustEncryp to get it to work.
> > > > > > >
> > > > > > > The key was to run kerbtray from your AD machine. This gives you a clue as
> > > > > > > to what kind of encryption it is expecting. If you run that command (Start >
> > > > > > > Run > kerbtray), and then open the Tray Icon it creates, you'll see a tab
> > > > > > > for "Encryption Types". On the server that was working, it says etype 0, but
> > > > > > > on my production AD server it says RSADSI RC4-HMAC. So this means it's
> > > > > > > looking for a HMAC key. Then the money shot if you will was the following
> > > > > > > line:
> > > > > > >
> > > > > > > ktpass -princ imap/mail.server.com@SERVER.COM -mapuser cgatepro@server.com
> > > > > > > -pass xxxx -out imapadc.data -crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_HST
> > > > > > > -TrustEncryp RC4
> > > > > >
> > > > > > Nice thought. How do I get a ktpass command that accepts RC4-HMAC-NT
> > > > > > and the -TrustEncryp option? Is that part of Win2K3 SP2? We're
> > > > > > currently at SP1 here.
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > Once that was run, I was able to launch Outlook and it logged me in using
> > > > > > > Kerberos.
> > > > > > >
> > > > > > > Now I just have to figure out how to get the webmail to work in the same, or
> > > > > > > similar fashion...
> > > > > > >
> > > > > > > Hope this helps.

