Mailing List CGatePro@mail.stalker.com Message #92318
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: Kerberos - Working (not)
Date: Fri, 24 Aug 2007 10:48:12 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
In the interest of completeness in debugging this, I turned on every option in the client-side logging and started Outlook. So here is all we get for startup. Note there are only the two errors between establishing the IMAP connection and issuing the LOGIN command for alternate credentials. Then on the server side, basically all we see is the login command for alternate credentials.

Client:

8/24/2007 10:01:26 AM [EA0/a94]  OS: Windows NT 5.1 Build 2600 Service Pack 2
8/24/2007 10:01:26 AM [EA0/a94]  App: C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE, version 11.0.8118.0
8/24/2007 10:01:26 AM [EA0/a94]  Dll: C:\WINDOWS\system32\cgmxui32.dll, version 1.2.12.0
8/24/2007 10:01:26 AM [EA0/a94]  CGMXP(0x1970000)::DllMain: dwReason = 1
8/24/2007 10:01:26 AM [EA0/a94]  CGMXP(0x1970000)::ABProviderInit: ulMAPIVer = 0x10010
8/24/2007 10:01:26 AM [EA0/a94]  CABProvider(0x1a54040)::CABProvider()
8/24/2007 10:01:26 AM [EA0/a94]  CABProvider(0x1a54040)::Logon() profileName=Outlook, flags=0
8/24/2007 10:01:26 AM [EA0/a94]  OS: Windows NT 5.1 Build 2600 Service Pack 2
8/24/2007 10:01:26 AM [EA0/a94]  App: C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE, version 11.0.8118.0
8/24/2007 10:01:26 AM [EA0/a94]  Dll: C:\WINDOWS\system32\cgmxp32.dll, version 1.2.12.0
8/24/2007 10:01:26 AM [EA0/a94]  CGMXP(0x1a60000)::DllMain: dwReason = 1
8/24/2007 10:01:26 AM [EA0/a94]  MMConvInit
8/24/2007 10:01:26 AM [EA0/a94]  CMIMEUnit::Init
8/24/2007 10:01:26 AM [EA0/a94]  CMMBodyConverter::InitLibrary
8/24/2007 10:01:26 AM [EA0/a94]  CImapXP(0x1327e0)::CImapXP
8/24/2007 10:01:26 AM [EA0/a94]  CImapXP(0x1327e0)::Connect
8/24/2007 10:01:26 AM [EA0/a94]  CImapXP(0x1327e0)::Dial
8/24/2007 10:01:26 AM [EA0/a94]  >>>>>> * OK CommuniGate Pro IMAP Server 5.1.11 at mail.wcg.org ready
8/24/2007 10:01:26 AM [EA0/a94]  ImapXP.cpp(2017) : assertion failed 0x80090303:
8/24/2007 10:01:26 AM [EA0/a94]  ImapXP.cpp(2217) : check failed 0x80040119:
8/24/2007 10:01:26 AM [EA0/a94]  <<<<<< 00000001 LOGIN "bret.miller@wcg.org" {9+}

Server:

10:01:02.196 4 IMAP-001192([208.57.205.126]) got connection on [10.99.3.100]:143(wcg.org) from [208.57.205.126]:14906
10:01:02.196 5 IMAP-001192([208.57.205.126]) out: * OK CommuniGate Pro IMAP Server 5.1.11 at mail.wcg.org ready\r\n
10:01:02.258 5 IMAP-001192([208.57.205.126]) inp: 00000001 LOGIN "bret.miller@wcg.org" {9+}

That's it. It just can't get the Kerberos ticket, so it uses the alternate credentials. If I remove the alternate credentials from the client config, Outlook fails to open at this point since there are no working authentication methods available.

Also, previously mentioned for debugging this was that there might be duplicate SPNs. I got into the AD LDAP browser and searched on SPN and only the one user was returned.

So, going further, I researched the error a bit more, and according to Microsoft, 0x80090303 means "Target Unknown. Typically, this error occurs when a security function fails... Another area where you can see this is with Kerberos when the Service Principal Name that is being requested is not listed in the database...."

**Which is why I keep asking why the attempted SPN isn't being logged so that we can see what isn't found.**

So... My configuration-- AD domain is HQ.WCG.ORG. CGPro server is mail.wcg.org-- that's also what is specified for the server name in the MAPI client configuration. Users exist on the CGPro server in the wcg.org domain, and NOT in the mail.wcg.org domain. In theory, as I understand it, this should mean that the client should be requesting a ticket for imap/mail.wcg.org. That's the assumption, and that's the ticket that is created. But there's no way for me to verify that's actually what's being requested since that info isn't logged by anything.

Bret
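
The pattern in the client log above, an SSPI failure followed on the same connection by a password LOGIN, can be checked for mechanically. The following is an added example, not part of the original message and not code from the MAPI Connector; the log-line layout is inferred from the excerpt, `find_fallbacks` and the other names are this example's own, and the last two sample lines are constructed.

```python
import re

# HRESULT quoted in the post; Microsoft's name for it is SEC_E_TARGET_UNKNOWN.
SSPI_CODES = {0x80090303: "SEC_E_TARGET_UNKNOWN"}

# Layout inferred from the client log excerpt: "<date> <time> AM|PM [ids]  <message>"
LINE = re.compile(r"^(?P<ts>\d+/\d+/\d+ [\d:]+ [AP]M) \[[^\]]+\]\s+(?P<msg>.*)$")
GREETING = re.compile(r"^>>>>>> \* OK ")            # server greeting: a new connection
FAILURE = re.compile(r"(?:assertion|check) failed (0x[0-9A-Fa-f]{8})")
LOGIN = re.compile(r'^<<<<<< \S+ LOGIN "([^"]+)"')  # IMAP LOGIN carries a password

SAMPLE_LOG = """\
8/24/2007 10:01:26 AM [EA0/a94]  >>>>>> * OK CommuniGate Pro IMAP Server 5.1.11 at mail.wcg.org ready
8/24/2007 10:01:26 AM [EA0/a94]  ImapXP.cpp(2017) : assertion failed 0x80090303:
8/24/2007 10:01:26 AM [EA0/a94]  ImapXP.cpp(2217) : check failed 0x80040119:
8/24/2007 10:01:26 AM [EA0/a94]  <<<<<< 00000001 LOGIN "bret.miller@wcg.org" {9+}
8/24/2007 10:05:00 AM [EA0/a94]  >>>>>> * OK CommuniGate Pro IMAP Server 5.1.11 at mail.wcg.org ready
8/24/2007 10:05:00 AM [EA0/a94]  <<<<<< 00000001 LOGIN "user@example.org" {9+}
"""  # first four lines are from the post; the last two are constructed


def find_fallbacks(log_text):
    """Report each connection where an SSPI error precedes a password LOGIN."""
    findings, codes = [], None          # codes is None while outside a connection
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if GREETING.match(msg):
            codes = []                  # start collecting errors for this connection
        elif codes is not None and (hit := FAILURE.search(msg)):
            codes.append(int(hit.group(1), 16))
        elif codes is not None and (login := LOGIN.match(msg)):
            sspi = [SSPI_CODES[c] for c in codes if c in SSPI_CODES]
            if sspi:                    # a LOGIN with no prior SSPI error is not a fallback
                findings.append({"time": m["ts"], "user": login.group(1),
                                 "sspi_errors": sspi,
                                 "all_codes": [f"0x{c:08X}" for c in codes]})
            codes = None                # authentication attempted; connection handled
    return findings


if __name__ == "__main__":
    for finding in find_fallbacks(SAMPLE_LOG):
        print(finding)
```
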


