Mailing List CGatePro@mail.stalker.com Message #98967
From: Mark Romen <mark.romen@lvh.it>
Subject: Re: Kerberos Problems
Date: Thu, 10 Dec 2009 16:22:58 +0100
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.52.13.1/1.52.5.3(local)

From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On behalf of Bret Miller
Sent: Thursday, 12 November 2009 16:12
To: CommuniGate Pro Discussions
Subject: Re: Kerberos Problems

Mark Romen wrote:

Hello

I'm trying to authenticate my Outlook users using Kerberos. The goal would be an Outlook that has no need to change the password when a user password is changed in Active Directory.

I’ve exported the Kerberos key on the domain controller of my active directory and imported it into CGP.

Basically I followed the steps described on http://www.umail.ru/Guide/Security.html#Kerberos

On CGP I've enabled external authentication, that authenticates my users in Active Directory using RADIUS (which is working).

The problem is that when I enable Windows Integrated Authentication on Outlook I get "Aquiring credentials failed [0x80090303]"

In my AD event log I get an entry

Successful Network Logon:
                User Name:              DOMAINTESTER$
                Domain:                 <domain-netbiosname>
                Logon ID:               (0x0,0x10F09C6)
                Logon Type:             3
                Logon Process:          Kerberos
                Authentication Package: Kerberos
                Workstation Name:
                Logon GUID:             {bdd37a50-17df-5275-d112-d024f2ad82e8}
                Caller User Name:       -
                Caller Domain:          -
                Caller Logon ID:        -
                Caller Process ID:      -
                Transited Services:     -
                Source Network Address: 192.168.10.52
                Source Port:            0

DOMAINTESTER$ is the name of the client computer that executes Outlook.

I've exported the key as follows:

C:\Documents and Settings\Administrator\Desktop>ktpass -princ imap/MAILDOMAIN.TLD@ADDOMAIN.TLD -mapuser DOMAIN-NETBIOSNAME\cgatepro -pass PASS -out keytab.data -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST
Targeting domain controller: DC.ADDOMAIN.TLD
Using legacy password setting method
Successfully mapped imap/MAILDOMAIN.TLD to cgatepro.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to keytab.data:
Keytab version: 0x502
keysize 52 imap/MAILDOMAIN.TLD@ADDOMAIN.TLD ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xc454c18ad398cd62)

I have no idea what the problem could be :-/

Any hints?

Mark

Mark,
It's been a while since I sorted this out here, but my issue here was essentially that the mail server was a member of the Active Directory domain, but the name used to access it in the MAPI connector didn't use the AD domain. To be clear, here's an example of how it looked:

Server name: MAIL
AD fqdn: mail.office.example.com where office.example.com was the AD domain

In the MAPI connector:
Server name: mail.example.com (that is, the public DNS name of the server)

What happens is that CGPro passes the name configured in the MAPI connector to the domain controller, which sees the domain mismatch and refuses to authenticate.

To solve this, I had to change the server name in the MAPI connector to mail.office.example.com so the domain portion matched the Active Directory domain.

There are people on this list with considerably more experience troubleshooting the Kerberos stuff, but in the end, that's what my problem ended up being.

Bret

Hi Bret

It's been a while since my last post, but now I'm newly confronted with this problem.
The main goal is to run Outlook without the need to change the profile password every time a user changes the Active Directory password.

I searched a lot on Google and, as it seems, the approach of using Windows Integrated Authentication is the only way to accomplish this.
We're running CGP on Linux, so this means that I have to join the AD domain using Samba or set up my own Kerberos KeyDist Center? CGP usernames have to be the same as AD usernames, but this is the minor problem.

I played a bit with server names/user names in the profile, without success. Is there someone out there who has some experience doing this?
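Two things in this thread are worth checking mechanically before touching the Outlook profile: the keytab Mark exported uses DES-CBC-MD5 (ktpass's `-crypto` choice, visible in its output), and the service principal's host part (imap/MAILDOMAIN.TLD) is the public mail domain rather than a host name under the AD domain, which is exactly the mismatch Bret describes. The following is an added example, not code from this list thread or from CommuniGate Pro or Stalker: it parses the MIT-format keytab that ktpass writes (version 0x502) and reports weak enctypes and SPN hosts that do not sit under the AD domain. The keytab it reads is constructed inline from placeholder principals and dummy key bytes; the enctype numbers are the IANA/RFC 3961 values.

```python
"""Parse an MIT-format Kerberos keytab (version 0x502, the format ktpass writes)
and audit its entries for weak enctypes and SPN hosts outside the AD domain.

Added example; the sample keytab below is constructed with placeholder names
and dummy keys, not taken from any real system.
"""
import struct
from dataclasses import dataclass

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES (RFC 6649) and RC4 (RFC 8429) are deprecated; only AES is acceptable.
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_SRV_HST = 3  # the -ptype ktpass was given in the thread


@dataclass
class KeytabEntry:
    principal: str   # e.g. imap/mail.office.example.com@OFFICE.EXAMPLE.COM
    name_type: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted_string(buf: bytes, pos: int):
    """Read a uint16 length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data: bytes):
    """Decode every live entry of a v2 keytab (negative entry sizes mark deleted slots)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted entry: skip its payload
            pos += -size
            continue
        entry, end = data[pos:pos + size], pos + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        realm, p = _counted_string(entry, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted_string(entry, p)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        enctype, keylen = struct.unpack_from(">HH", entry, p); p += 4
        key = entry[p:p + keylen]; p += keylen
        kvno = vno8
        if p + 4 <= size:                 # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key))
        pos = end
    return entries


def build_entry(principal: str, name_type: int, kvno: int, enctype: int, key: bytes) -> bytes:
    """Encode one keytab entry record (size prefix + body); used to construct the sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def audit(entries, ad_domain: str):
    """Return (principal, finding) pairs: weak enctype, or SPN host not under the AD domain."""
    findings = []
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append((e.principal, f"weak enctype {e.enctype_name}"))
        _service, _, host = e.principal.split("@", 1)[0].partition("/")
        if e.name_type == KRB5_NT_SRV_HST and not host.lower().endswith("." + ad_domain.lower()):
            findings.append((e.principal, f"SPN host {host} is not under AD domain {ad_domain}"))
    return findings


# Constructed sample: one entry mirroring the thread (public mail domain as SPN host, DES key,
# kvno 3) and one as Bret's fix would look (AD FQDN as SPN host, AES-256 key). Dummy key bytes.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("imap/mail.example.com@OFFICE.EXAMPLE.COM", KRB5_NT_SRV_HST, 3, 3,
                  b"\x00\x11\x22\x33\x44\x55\x66\x77")
    + build_entry("imap/mail.office.example.com@OFFICE.EXAMPLE.COM", KRB5_NT_SRV_HST, 3, 18,
                  bytes(range(32)))
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal:50} kvno {e.kvno} {e.enctype_name}")
    for principal, finding in audit(parse_keytab(SAMPLE_KEYTAB), "office.example.com"):
        print(f"FINDING {principal}: {finding}")
```

Pointing `parse_keytab` at the bytes of a real `keytab.data` (`open(path, "rb").read()`) lists what ktpass actually wrote, so the kvno and enctype can be compared against the account in AD before blaming the client profile; the `audit` pass flags the two conditions this thread turns on.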
