Mailing List CGatePro@mail.stalker.com Message #98823
From: Mark Romen <mark.romen@lvh.it>
Subject: Kerberos Problems
Date: Wed, 11 Nov 2009 16:03:18 +0100
To: CGatePro@mail.stalker.com <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.52.13.1/1.52.5.3(local)

Hello

I’m trying to authenticate my Outlook users using Kerberos. The goal would be an Outlook that has no need to change the password when a user password is changed in Active Directory.

I’ve exported the Kerberos key on the domain controller of my Active Directory and imported it into CGP.

Basically I followed the steps described on http://www.umail.ru/Guide/Security.html#Kerberos

On CGP I’ve enabled external authentication, which authenticates my users in Active Directory using RADIUS (which is working).

The problem is that when I enable Windows integrated Authentication on Outlook I get “Aquiring credentials failed [0x80090303]”

In my AD event log I get an entry

Successful Network Logon:
    User Name:               DOMAINTESTER$
    Domain:                  <domain-netbiosname>
    Logon ID:                (0x0,0x10F09C6)
    Logon Type:              3
    Logon Process:           Kerberos
    Authentication Package:  Kerberos
    Workstation Name:
    Logon GUID:              {bdd37a50-17df-5275-d112-d024f2ad82e8}
    Caller User Name:        -
    Caller Domain:           -
    Caller Logon ID:         -
    Caller Process ID:       -
    Transited Services:      -
    Source Network Address:  192.168.10.52
    Source Port:             0

DOMAINTESTER$ is the name of the client computer that executes Outlook

I’ve exported the key as follows:

C:\Documents and Settings\Administrator\Desktop>ktpass -princ imap/MAILDOMAIN.TLD@ADDOMAIN.TLD -mapuser DOMAIN-NETBIOSNAME\cgatepro -pass PASS -out keytab.data -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST
Targeting domain controller: DC.ADDOMAIN.TLD
Using legacy password setting method
Successfully mapped imap/MAILDOMAIN.TLD to cgatepro.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to keytab.data:
Keytab version: 0x502
keysize 52 imap/MAILDOMAIN.TLD@ADDOMAIN.TLD ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xc454c18ad398cd62)

I have no idea what the problem could be :-/

Any hints?

 

Mark
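
Added example, not part of the original post and not CommuniGate Pro or Microsoft code: a minimal reader for the version 0x502 keytab layout that reports the fields ktpass printed in the session above (principal, ptype, vno, etype, key length) and flags single-DES enctypes, which RFC 6649 deprecates. The function names, `SAMPLE` and its zero-filled keys are constructed for illustration; only the placeholder principal is taken from the post.

```python
import struct
WEAK_ETYPES = {1: "DES-CBC-CRC", 2: "DES-CBC-MD4", 3: "DES-CBC-MD5"}  # RFC 6649

def _counted(buf, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode("utf-8", "replace"), p + 2 + n

def parse_keytab(data):
    """Parse a version 0x502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # hole left by a deleted entry
            pos += -size
            continue
        e = data[pos:pos + size]
        if len(e) < size:
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", e, 0)
        p, parts = 2, []
        for _ in range(ncomp + 1):         # realm first, then name components
            s, p = _counted(e, p)
            parts.append(s)
        ptype, _ts, vno, etype, klen = struct.unpack_from(">IIBHH", e, p)
        p += 13 + klen                     # skip fixed fields and key bytes
        if len(e) - p >= 4:                # optional 32-bit vno wins if set
            vno = struct.unpack_from(">I", e, p)[0] or vno
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "ptype": ptype, "vno": vno, "etype": etype, "keylen": klen})
        pos += size
    return entries

def weak_entries(entries):  # (principal, enctype name) for each single-DES key
    return [(e["principal"], WEAK_ETYPES[e["etype"]])
            for e in entries if e["etype"] in WEAK_ETYPES]

# Constructed test data: serialize one entry (timestamp 0, no 32-bit vno).
def build_entry(realm, comps, ptype, vno, etype, key):
    c = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + b"".join(map(c, [realm] + comps))
    body += struct.pack(">IIBHH", ptype, 0, vno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(
    build_entry("ADDOMAIN.TLD", ["imap", "MAILDOMAIN.TLD"], 3, 3, et, bytes(n))
    for et, n in ((3, 8), (18, 32)))
```

Running `weak_entries(parse_keytab(open("keytab.data", "rb").read()))` against an exported file lists every principal whose key is still single DES.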

 
