Mailing List CGatePro@mail.stalker.com Message #96159
From: Marcel Hochuli <mhochuli@a-f.ch>
Subject: Re: Outlook 2007 login method rejected
Date: Fri, 19 Sep 2008 10:52:47 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.928.1)
Thanks a lot. But the problem still persists.

"Use Secure Authentication" on the client was off. If the user turns it on, no communication is possible. He always gets the password dialog box and in the CGP log I see only the login without domain. So we have switched it back off.

If I switch off the Login Method "DIGEST-MD5" on the server, nothing changes.

As the remaining "problem" is not disturbing communication (it just puts a lot of unnecessary lines in the log), I will not test with the customer anymore. I'll try to set up a test machine in-house and check all variations. Maybe I'll come back to this thread if I need assistance or when I have a final solution.


Marcel
_______________________________________


On 17.09.2008 at 18:20, Bret Miller wrote:

So we're not really talking about IMAP here, but SMTP and "security password authentication". I hadn't tried sending a message with it, but when I do, there is only one authentication attempt with the correct name. It is possible that Microsoft's Digest-MD5 implementation might be broken in Outlook 2007. As Graeme stated already, using SSL and standard auth login with the "secure password authentication" might satisfy both the security and the desire for a login that isn't broken.

It took some doing to make Outlook use Digest-MD5 here. Apparently, you have to change it in Domain Defaults, not just in the domain settings. Anyway, yes, it authenticated with just the user name here too. I'd bet it's Digest-MD5 that's doing it.

Bret


On 17.09.2008 at 16:39, Graeme Fowler wrote:
On Wed, 2008-09-17 at 16:28 +0200, Marcel Hochuli wrote:
As you can see in this modified log on lines 0009 and 0010, Outlook
2007 is first trying to log in with isolated name (without domain) and
tries again on line 0016 with full e-mail address.

...using two different login methods - DIGEST-MD5 and LOGIN.

If you switch off the methods you don't need (like the digest methods),
does the problem go away?

Alternatively, if you switch off the "Use Secure Authentication" flag in
Outlook, does that help?

Graeme

Marcel Hochuli wrote:
Hi Bret

Two of my clients reported these Versions:

[Microsoft® Office Outlook® 2007 (12.0.4518.1014) MSO (12.0.6213.1000)]

OR

[Microsoft® Office Outlook® 2007 (12.0.6212.100) SP1 MSO (12.0.6213.1000)]

Both tell me that they use the full e-mail address in both mentioned fields.

As you can see in this modified log on lines 0009 and 0010, Outlook 2007 is first trying to log in with isolated name (without domain) and tries again on line 0016 with full e-mail address.

A similar behaviour is going on with IMAP connections.

They will upgrade their Outlook client and we'll come back to this issue afterwards...


0001 SMTPI-000833 got connection on [myIP]:25(a-f.ch) from [theirIP]:32350
0002 SMTPI-000833 out: 220 a-f.ch ESMTP CommuniGate Pro 5.2.8 is glad to see you!\r\n
0003 SMTPI-000833 inp: EHLO ITCNHPC01
0004 SMTPI-000833 out: 250-a-f.ch domain name should be qualified ITCNHPC01\r\n250-DSN\r\n250-SIZE 104857600\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN\r\n250-ETRN\r\n250-TURN\r\n250-ATRN\r\n250-NO-SOLICITING\r\n250-8BITMIME\r\n250-HELP\r\n250-PI
0005 SMTPI-000833 inp: AUTH DIGEST-MD5
0006 SMTPI-000833 SASL-0(DIGEST-MD5) out: nonce="887a1846527772aa-f.ch",qop="auth",charset=utf-8,algorithm=md5-sess
0007 SMTPI-000833 out: 334 bm9uY2U4IjgzK2ExMjIyNjI4OFEyKJTtZi5jaBIscA9wPSJhdPYoIixduGFyc7V0PDP0Zi87LGFsD25yaXRogT1tZNRtc2Vzqw==\r\n
0008 SMTPI-000833 inp: dXNlcm4hbEF9ImNuaFIscmVhbG54ImUtbnElbnRfo24uY48tIikdu25jZT5iOJEzYTEyOjE2Sjc4KEJhYS8mLmNoIixkaWdlc3QtdXJpPSJzbXRwL21haWwuZS1udmVudGlvbi5jb40iLGNub87jZE0iNDugNzdmZGEwDjJkGTR0NjkyTGJiNDd1MDU8YWJiZTYiLG5jPTAwMDAwMDAxLHJlc7BvbnNlKJZ1MTDkMzEmNmE7ZTZlMzM6MjU
0009 SMTPI-000833 SASL-0(DIGEST-MD5) inp: username="abc",realm="otherdom.com",nonce="887a1221627772aa-f.ch",digest-uri="smtp/mail.otherdom.com",cnonce="48b77fda362dd34692d2b475057abbe6",nc=00000001,response=a516d34f6a5e6e654651245878f18625,qop=auth,charset=utf-8
0010 SMTPI-000833 failed to open 'abc'. Connection from [theirIP]:32350. Error Code=unknown user account
0011 SMTPI-000833 out: 535 (515) incorrect password or account name\r\n
0012 SMTPI-000833 inp: AUTH LOGIN
0013 SMTPI-000833 SASL-0(LOGIN) out: Username:
0014 SMTPI-000833 out: 334 VXNlcm3hcWR6\r\n
0015 SMTPI-000833 inp: K24oQZRtbnElcuRpb87uY39e
0016 SMTPI-000833 SASL-0(LOGIN) inp: abc@otherdom.com
0017 SMTPI-000833 SASL-1(LOGIN) out: Password:
0018 SMTPI-000833 out: 334 UGUzc7dhfzQ6\r\n
0019 SMTPI-000833 inp: Y87oUeAsMw==
0020 SMTPI-000833 SASL-1(LOGIN) inp: abc6003
0021 SMTPI-000833 'abc@otherdom.com' connected from [theirIP]:32350


Marcel
_______________________________________


On 16.09.2008 at 17:11, Bret Miller wrote:

Yes, mine only attempts a single login with the full email address. In both the email address and username fields I have the full email address. Outlook version:

[Microsoft® Office Outlook® 2007 (12.0.6316.5000) SP1 MSO (12.0.6320.5000)]

I'm using port 143 with clear text login on CommuniGate Pro 5.2.7. To be clear, this is IMAP, not MAPI, but I think even with MAPI, it logged in using the full address first if that's what I specified. Make sure you don't have just the account name portion in the user name field in the Outlook account settings.

The behavior you're seeing would indicate that only the account name is in that box and when that fails, Outlook tries the email address field. Please check the Outlook account settings and make sure the full email address is in both email address AND user name.

You might also check your update level. Sometimes bad behaviors are corrected in updates, and I can't check previous versions.

Bret


Marcel Hochuli wrote:
I really don't know what's going on.

Martin
Changing the port from 143 to 993 or the other way around produces the same errors.

Bret
Do your Outlook 2007 clients log in with the full email address when entered completely? My clients don't. Outlook 2007 always strips off the first part and tries to log in with it. It then gets kicked off (unknown user account) and tries again with the whole email address. This problem is as old as Outlook 2007 (I already wrote about it in the first email).

Bret, I found an old email from you (Feb 8, 2007) about NTLM and MSN login methods:

====
I've disabled NTLM and MSN login methods per your suggestion. I think I had those disabled, but after a recent CGP upgrade, they seem to have come back. That said, we have had no other reports of trouble except from Outlook 2007 users, so it may be a problem specific to the new version of Outlook. I'll check with the user and see if disabling those fixed the issue.

Upgrading to CGPro 5.1.x moves those settings from SMTP > Receiving to domain settings, but the previous settings are NOT preserved so you return to the defaults. I wish Stalker would do a bit of effort to preserve settings like that between versions so we don't have to read about someone losing them and then remember to note them and re-enter them when we finally get around to updating. It wouldn't seem difficult to note that the first time 5.1.x loads there isn't any domain defaults for those and go looking in the old place. That's not too hard, is it? (Doesn't seem to be to me...)

Bret
====

I, too, disabled NTLM and MSN login methods years ago. But I ran into the same problem, that upgrading to CGP 5.1 switched them on again. I turned them off last Friday. The problem with Outlook 2007 from secondary domains is gone! But the fact that Outlook 2007 still tries to log in with the first part of the email address is still the same. This will not hamper their communication, though. It just fills up my log a bit more...

But now I have a new problem: My in-house Outlook 2003 client cannot get emails anymore. They can send, but not retrieve. They are also connected via MAPI.

As the login methods are domain based now, I turned on MSN (NTLM is not needed per tests) and now the in-house clients can communicate again.

The cosmetic problem with many thousand lines in the log "failed to open 'abc'. Error Code=unknown user account" remains, but all clients can communicate without problems.

If it helps anyone, great!

If someone has other ideas or explanations, I will gladly listen.


Marcel


<snip>
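A way to separate the Outlook fallback noise discussed in this thread from failed logins worth a look, as an added example that is not part of the original messages. It assumes the log format of the lines quoted above; session SMTPI-000901 and the labels `client-fallback` and `review` are constructed for illustration.

```python
import re

# Constructed sample: trimmed copies of the log lines quoted in the thread,
# plus one invented session (SMTPI-000901) that fails without recovering.
SAMPLE_LOG = """\
SMTPI-000833 inp: AUTH DIGEST-MD5
SMTPI-000833 SASL-0(DIGEST-MD5) inp: username="abc",realm="otherdom.com",nc=00000001,qop=auth,charset=utf-8
SMTPI-000833 failed to open 'abc'. Connection from [theirIP]:32350. Error Code=unknown user account
SMTPI-000833 out: 535 (515) incorrect password or account name
SMTPI-000833 inp: AUTH LOGIN
SMTPI-000833 SASL-0(LOGIN) inp: abc@otherdom.com
SMTPI-000833 'abc@otherdom.com' connected from [theirIP]:32350
SMTPI-000901 inp: AUTH LOGIN
SMTPI-000901 SASL-0(LOGIN) inp: root
SMTPI-000901 failed to open 'root'. Connection from [otherIP]:4410. Error Code=unknown user account
"""

SESSION = re.compile(r"^(SMTPI-\d+) (.*)$")
DIGEST = re.compile(r"SASL-\d+\(DIGEST-MD5\) inp: (.*)$")
FAILED = re.compile(r"failed to open '([^']+)'")
CONNECTED = re.compile(r"^'([^']+)' connected from")
DIRECTIVE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')

def parse_directives(text):
    """Split a DIGEST-MD5 response (key=value or key="value") into a dict."""
    return {key: quoted or bare for key, quoted, bare in DIRECTIVE.findall(text)}

def classify(log):
    """Label each 'failed to open' event per session."""
    sessions = {}
    for line in log.splitlines():
        m = SESSION.match(line)
        if not m:
            continue
        sid, rest = m.groups()
        s = sessions.setdefault(sid, {"digest": {}, "failed": [], "ok": None})
        if d := DIGEST.search(rest):
            f = parse_directives(d.group(1))
            if f.get("username") and f.get("realm"):
                # the domain travels in realm=, not in username=
                s["digest"][f["username"]] = f["username"] + "@" + f["realm"]
        elif f := FAILED.search(rest):
            s["failed"].append(f.group(1))
        elif c := CONNECTED.match(rest):
            s["ok"] = c.group(1)
    # Benign only if the same session later connected as username@realm.
    return {(sid, name): "client-fallback"
            if s["ok"] and s["digest"].get(name) == s["ok"] else "review"
            for sid, s in sessions.items() for name in s["failed"]}
```

A failure is marked `client-fallback` only when the same session then authenticates as the DIGEST-MD5 username joined with its realm; any other "unknown user account" line stays in the `review` set.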