Mailing List CGatePro@mail.stalker.com Message #97671
From: Mark Romen <mark.romen@lvh.it>
Subject: AW: Authentication against Windwos domain.
Date: Tue, 31 Mar 2009 09:24:57 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.52.5.1/1.52.5.3(local)

What about RADIUS authentication?

 

Greetings

Mark

 


From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Bret Miller
Sent: Monday, 30 March 2009 19:22
To: CommuniGate Pro Discussions
Subject: Re: Authentication against Windwos domain.

 

Hi Fred,

I don't know that they have a "recommended" method of authenticating against a Windows domain. We tried to get Kerberos working, but in the end found that things had to match up too exactly for it to work. And while we finally got the knowledge to make it work, at that point we decided on a different route. Kerberos will work for some things under the right circumstances, but I don't think you can use it for your ONLY authentication method because it will fail if a user is not logged into your domain at the time they need to authenticate. At that point, LDAP authentication works as an alternative as long as you aren't using a challenge/response authentication protocol.

What we opted for here was to use CGPro+LDAP so if the password didn't match CGPro then we'd check against the domain and when correct, reset the CGPro password to match so that future attempts wouldn't require the LDAP lookup until the password changed again.

HTH,
Bret


On 3/26/2009 9:24 AM, Fred Zwarts wrote:

We run CommuniGate Pro on a Linux server.
We also have a Windows cluster, which contains our users database.
We want to authenticate the users of CGP against Windows' Active Directory.
We now do that with an external helper program, which causes some problems now and then.
We read that CGP also supports Kerberos authentication.
Since Windows also supports Kerberos, we thought that maybe we could switch from the 
external helper authentication to Kerberos authentication. Therefore we did some experiments,
but we could not make it work. After reading the CGP documentation concerning Kerberos
authentication in some more detail, we get the impression that this is not what we thought it was.
We thought that the username/password would still be presented to CGP and that CGP
would verify this with Kerberos on the Windows servers, but now we have the impression
that CGP assumes that the user has authenticated already against the Windows server and
has obtained a Kerberos ticket already and that this ticket is sent via IMAP, SMTP, or HTTP
to CGP instead of the username/password and that CGP only verifies the validity of the ticket. 
This would mean that also the clients should support this way of authentication, which means
a severe limitation for the choice of clients for our users.
 
As we are not sure that we understand the documentation correctly, we would like to have
a confirmation that this is indeed how Kerberos authentication is supposed to work.
Further we would like to know what is the recommended method to authenticate users against
Windows' Active Directory, when using a wide variety of mail- and web clients.
 
 
#############################################################
This message is sent to you because you are subscribed to
  the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>
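
The fallback Bret describes above (try the local CGPro password, fall back to the domain, then reset the local password to match), as an added sketch that is not part of the original thread and is not CommuniGate Pro code. `FallbackAuthenticator`, `directory_check` and `fake_directory` are hypothetical names, the directory check stands in for an LDAP simple bind, and the sample account is constructed. Empty passwords are rejected before the directory step because an LDAP simple bind with an empty password is an unauthenticated bind (RFC 4513), which some servers report as successful.

```python
import hashlib, hmac, os

class FallbackAuthenticator:
    """Local password first, directory second, resync on success (sketch)."""

    def __init__(self, directory_check):
        # directory_check(user, password) -> bool is a hypothetical stand-in
        # for an LDAP simple bind against the domain, not a CGPro API.
        self.directory_check = directory_check
        self.local = {}              # user -> (salt, derived key)
        self.directory_lookups = 0   # counts how often the domain is asked

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_local(self, user, password):
        salt = os.urandom(16)
        self.local[user] = (salt, self._derive(password, salt))

    def _local_ok(self, user, password):
        if user not in self.local:
            return False
        salt, key = self.local[user]
        return hmac.compare_digest(key, self._derive(password, salt))

    def authenticate(self, user, password):
        # Needs the clear-text password, so challenge/response logins
        # cannot use this path. Empty passwords never reach the directory.
        if not password:
            return False
        if self._local_ok(user, password):
            return True
        self.directory_lookups += 1
        if self.directory_check(user, password):
            self.set_local(user, password)   # next login is answered locally
            return True
        return False

# Constructed sample directory standing in for the Windows domain.
DOMAIN = {"fred": "Spring2009!"}

def fake_directory(user, password):
    return DOMAIN.get(user) == password
```

In this sketch the previous password keeps matching the local copy after a domain password change until the user first logs in with the new one.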
  
