Kerberize MS Exchange? - Kerberos

Thread: Kerberize MS Exchange?

  1. Kerberize MS Exchange?

    I'd like to kerberize ms exchange. I found some information about adding
    a security patch and some settings but not enough for it to work.
    Are there any pointers someone could give me?
    Do I have to use some commercial solution or it can be configured or
    programmed manually?

    Thanks in advance.

  2. Re: Kerberize MS Exchange?

    On Thu, Sep 4, 2008 at 8:13 AM, Walter Sobchak wrote:
    > I'd like to kerberize ms exchange. I found some information about adding
    > a security patch and some settings but not enough for it to work.
    > Are there any pointers someone could give me?
    > Do I have to use some commercial solution or it can be configured or
    > programmed manually?


    Kerberize it how?

    MS Exchange uses a proprietary communications protocol so it's not
    clear how Kerberos authentication even works in Exchange [1].

    If you're talking about using IMAP4, last I checked MS Exchange does
    not support Kerberos w/ IMAP4 at all.

    Mike

    [1] There is some new "Exchange Protocols" documentation released as
    part of the EU settlement that might include such details.

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/

  3. RE: Kerberize MS Exchange?

    > Kerberize it how?
    >
    > MS Exchange uses a proprietary communications protocol so it's not
    > clear how Kerberos authentication even works in Exchange [1].
    >
    > If you're talking about using IMAP4, last I checked MS Exchange does
    > not support Kerberos w/ IMAP4 at all.
    >
    > Mike
    >
    > [1] There is some new "Exchange Protocols" documentation released as
    > part of the EU settlement that might include such details.


    Actually the protocol doesn't really include anything for authentication. The core Exchange security mechanism is a named pipe
    connection to the server, and a thread running ImpersonateNamedPipeClient on the server-side to handle requests on behalf of the
    user.

    Microsoft may or may not use Kerberos to authenticate the pipe.

    Eric



  4. Re: Kerberize MS Exchange?

    On Thu, Sep 4, 2008 at 2:26 PM, Eric Hill wrote:
    >> Kerberize it how?
    >>
    >> MS Exchange uses a proprietary communications protocol so it's not
    >> clear how Kerberos authentication even works in Exchange [1].
    >>
    >> If you're talking about using IMAP4, last I checked MS Exchange does
    >> not support Kerberos w/ IMAP4 at all.
    >>
    >> Mike
    >>
    >> [1] There is some new "Exchange Protocols" documentation released as
    >> part of the EU settlement that might include such details.

    >
    > Actually the protocol doesn't really include anything for authentication. The core Exchange security mechanism is a named pipe
    > connection to the server, and a thread running ImpersonateNamedPipeClient on the server-side to handle requests on behalf of the
    > user.
    >
    > Microsoft may or may not use Kerberos to authenticate the pipe.


    I understand. That's good actually because there is quite a bit of
    open code that can do Kerberos over Windows named pipes (including SMB
    named pipes).

    Incidentally, I have been informed off-list that newer versions of
    Exchange's IMAP implementation actually do support Kerberos via
    GSSAPI.

    Mike

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/

  5. Re: Kerberize MS Exchange?

    Michael B Allen wrote:

    > Incidentally, I have been informed off-list that newer versions of
    > Exchange's IMAP implementation actually do support Kerberos via
    > GSSAPI.


    And what win32 IMAP clients can authenticate with GSSAPI?


    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  6. Re: Kerberize MS Exchange?

    Michael B Allen wrote:
    > On Thu, Sep 4, 2008 at 8:13 AM, Walter Sobchak wrote:
    >> I'd like to kerberize ms exchange. I found some information about adding
    >> a security patch and some settings but not enough for it to work.
    >> Are there any pointers someone could give me?
    >> Do I have to use some commercial solution or it can be configured or
    >> programmed manually?

    >
    > Kerberize it how?
    >
    > MS Exchange uses a proprietary communications protocol so it's not
    > clear how Kerberos authentication even works in Exchange [1].
    >
    > If you're talking about using IMAP4, last I checked MS Exchange does
    > not support Kerberos w/ IMAP4 at all.
    >
    > Mike
    >
    > [1] There is some new "Exchange Protocols" documentation released as
    > part of the EU settlement that might include such details.
    >


    What I really want to do is use Outlook Web Access.
    Also I would like to have this option for Internet users, not only local
    company users.

  7. Re: Kerberize MS Exchange?

    Walter Sobchak wrote:
    > I'd like to kerberize ms exchange. I found some information about adding
    > a security patch and some settings but not enough for it to work.
    > Are there any pointers someone could give me?
    > Do I have to use some commercial solution or it can be configured or
    > programmed manually?
    >
    > Thanks in advance.



    Maybe kerberos authentication could be done with an isapi extension
    (wildcard application map).
    I read something about creating an impersonation token with LsaLogonUser
    function..
    Is this the right way??

  8. Re: Kerberize MS Exchange?



    Victor Sudakov wrote:
    > Michael B Allen wrote:
    >
    >> Incidentally, I have been informed off-list that newer versions of
    >> Exchange's IMAP implementation actually do support Kerberos via
    >> GSSAPI.

    >
    > And what win32 IMAP clients can authenticate with GSSAPI?


    Thunderbird is reported to be able to do this:
    http://kb.mozillazine.org/Network.auth.use-sspi

    I have not tried it, but it looks promising.



    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

  9. Re: Kerberize MS Exchange?

    in article g9qllk$4te$1@news.metronet.hr, Walter Sobchak at
    genijalac@yahoo.com wrote on 9/5/08 2:04 AM:

    > Michael B Allen wrote:
    >> On Thu, Sep 4, 2008 at 8:13 AM, Walter Sobchak wrote:
    >>> I'd like to kerberize ms exchange. I found some information about adding
    >>> a security patch and some settings but not enough for it to work.
    >>> Are there any pointers someone could give me?
    >>> Do I have to use some commercial solution or it can be configured or
    >>> programmed manually?

    >>
    >> Kerberize it how?
    >>
    >> MS Exchange uses a proprietary communications protocol so it's not
    >> clear how Kerberos authentication even works in Exchange [1].
    >>
    >> If you're talking about using IMAP4, last I checked MS Exchange does
    >> not support Kerberos w/ IMAP4 at all.
    >>
    >> Mike
    >>
    >> [1] There is some new "Exchange Protocols" documentation released as
    >> part of the EU settlement that might include such details.
    >>

    >
    > What I really want to do is use Outlook Web Access.
    > Also I would like to have this option for Internet users, not only local
    > company users.


    OWA is going to be kerberized because it is built on top of IIS.

    Paul Nelson
    Tursby Software Systems, Inc


  10. Re: Kerberize MS Exchange?

    Douglas E. Engert wrote:
    > >
    > >> Incidentally, I have been informed off-list that newer versions of
    > >> Exchange's IMAP implementation actually do support Kerberos via
    > >> GSSAPI.

    > >
    > > And what win32 IMAP clients can authenticate with GSSAPI?


    > Thunderbird is reported to be able to do this:
    > http://kb.mozillazine.org/Network.auth.use-sspi


    > I have not tried it, but it looks promising.


    I have tried Thunderbird 2.0.0.14 for Windows with
    network.auth.use-sspi set to either true or false.

    Ethereal does not see Thunderbird requesting any tickets for
    imap/relay2.tomsk.ru from AD. It just keeps asking for my password and
    does not create any traffic to the DC. Am I missing something?

    The server does support GSSAPI and announces it:
    * OK CommuniGate Pro IMAP Server 5.1.13 at relay2.tomsk.ru ready
    * CAPABILITY IMAP4 IMAP4REV1 ACL NAMESPACE UIDPLUS IDLE LITERAL+ QUOTA ID MULTIAPPEND LISTEXT CHILDREN BINARY LOGIN-REFERRALS UNSELECT STARTTLS AUTH=LOGIN AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI
    1 OK completed

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  11. Re: Kerberize MS Exchange?

    Victor Sudakov wrote:
    > > >
    > > >> Incidentally, I have been informed off-list that newer versions of
    > > >> Exchange's IMAP implementation actually do support Kerberos via
    > > >> GSSAPI.
    > > >
    > > > And what win32 IMAP clients can authenticate with GSSAPI?


    > > Thunderbird is reported to be able to do this:
    > > http://kb.mozillazine.org/Network.auth.use-sspi


    > > I have not tried it, but it looks promising.


    > I have tried Thunderbird 2.0.0.14 for Windows with
    > network.auth.use-sspi set to either true or false.


    > Ethereal does not see Thunderbird requesting any tickets for
    > imap/relay2.tomsk.ru from AD. It just keeps asking for my password and
    > does not create any traffic to the DC. Am I missing something?


    Is there anyone for whom Thunderbird with GSSAPI really works?
    I hope it is not just theory, someone is using it or has tested it?

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  12. Re: Kerberize MS Exchange?

    I use it against Cyrus IMAP v2.3.12p2 server (both client and server on
    Linux) with AD as kdc.

    * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
    AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR] imap.server.home Cyrus IMAP
    v2.3.12p2 server ready
    1 capability
    * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5 AUTH=PLAIN
    AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS
    NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
    SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
    CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED URLAUTH
    1 OK Completed
    2 authenticate GSSAPI
    + YIIGjwYJKoZIhv....
    + YIGDBgk....
    + YDAGCSqGSIb3EgE....
    2 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte
    QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
    MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
    ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED URLAUTH]
    Success (no protection)

    ..
    ..

    Markus

    "Victor Sudakov" wrote in message
    news:gcs72m$2ci$1@relay.tomsk.ru...
    > Victor Sudakov wrote:
    >> > >
    >> > >> Incidentally, I have been informed off-list that newer versions of
    >> > >> Exchange's IMAP implementation actually do support Kerberos via
    >> > >> GSSAPI.
    >> > >
    >> > > And what win32 IMAP clients can authenticate with GSSAPI?

    >
    >> > Thunderbird is reported to be able to do this:
    >> > http://kb.mozillazine.org/Network.auth.use-sspi

    >
    >> > I have not tried it, but it looks promising.

    >
    >> I have tried Thunderbird 2.0.0.14 for Windows with
    >> network.auth.use-sspi set to either true or false.

    >
    >> Ethereal does not see Thunderbird requesting any tickets for
    >> imap/relay2.tomsk.ru from AD. It just keeps asking for my password and
    >> does not create any traffic to the DC. Am I missing something?

    >
    > Is there anyone for whom Thunderbird with GSSAPI really works?
    > I hope it is not just theory, someone is using it or has tested it?
    >
    > --
    > Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    > 2:5005/49@fidonet http://vas.tomsk.ru/



  13. Re: Kerberize MS Exchange?

    Victor,

    I can also confirm that Thunderbird works with GSSAPI/SSPI on XP against the
    Cyrus IMAP server. ( I just downloaded Thunderbird and did not modify any
    settings other than adding the account details)

    Markus

    "Markus Moeller" wrote in message
    news:2ZWdnVsd_tIAj2_VnZ2dneKdnZydnZ2d@posted.plusnet...
    >I use it against Cyrus IMAP v2.3.12p2 server (both client and server on
    >Linux) with AD as kdc.
    >
    > * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
    > AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR] imap.server.home Cyrus IMAP
    > v2.3.12p2 server ready
    > 1 capability
    > * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
    > AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA
    > MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
    > MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT
    > THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT
    > LIST-SUBSCRIBED URLAUTH
    > 1 OK Completed
    > 2 authenticate GSSAPI
    > + YIIGjwYJKoZIhv....
    > + YIGDBgk....
    > + YDAGCSqGSIb3EgE....
    > 2 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte
    > QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT
    > CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT
    > THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT
    > LIST-SUBSCRIBED URLAUTH] Success (no protection)
    >
    > .
    > .
    >
    > Markus
    >
    > "Victor Sudakov" wrote in message
    > news:gcs72m$2ci$1@relay.tomsk.ru...
    >> Victor Sudakov wrote:
    >>> > >
    >>> > >> Incidentally, I have been informed off-list that newer versions of
    >>> > >> Exchange's IMAP implementation actually do support Kerberos via
    >>> > >> GSSAPI.
    >>> > >
    >>> > > And what win32 IMAP clients can authenticate with GSSAPI?

    >>
    >>> > Thunderbird is reported to be able to do this:
    >>> > http://kb.mozillazine.org/Network.auth.use-sspi

    >>
    >>> > I have not tried it, but it looks promising.

    >>
    >>> I have tried Thunderbird 2.0.0.14 for Windows with
    >>> network.auth.use-sspi set to either true or false.

    >>
    >>> Ethereal does not see Thunderbird requesting any tickets for
    >>> imap/relay2.tomsk.ru from AD. It just keeps asking for my password and
    >>> does not create any traffic to the DC. Am I missing something?

    >>
    >> Is there anyone for whom Thunderbird with GSSAPI really works?
    >> I hope it is not just theory, someone is using it or has tested it?
    >>
    >> --
    >> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    >> 2:5005/49@fidonet http://vas.tomsk.ru/


  14. Re: Kerberize MS Exchange?

    Yep, also confirmed to work with Dovecot IMAP server.

    > Victor Sudakov wrote:
    > Is there anyone for whom Thunderbird with GSSAPI really works?
    > I hope it is not just theory, someone is using it or has tested it?
    >
    > --
    > Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    > 2:5005/49@fidonet http://vas.tomsk.ru/
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >



  15. Re: Kerberize MS Exchange?

    I can also confirm that outgoing SMTP with GSSAPI auth works with
    Thunderbird against sendmail.

    Markus

    "Luke Scharf" wrote in message
    news:48F4E644.1050408@clusterbee.net...
    >Victor Sudakov wrote:
    >> Is there anyone for whom Thunderbird with GSSAPI really works?
    >> I hope it is not just theory, someone is using it or has tested it?
    >>

    >
    >I use Thunderbird with GSSAPI with Dovecot on my home-network. It works
    >nicely. The only weird thing was that they used the term "Secure
    >Authentication" -- instead of "GSSAPI" or "Kerberos5" or "krb5".
    >
    >I haven't figured out if there's a way to have Thunderbird use GSSAPI
    >for SMTP. I haven't looked closely, since I need to unlock my keystore
    >before sending message to retrieve S/MIME keys -- so pulling out a
    >password for smtp authentication isn't an inconvenience. I do like the
    >elegance of making everything Kerberos-happy, though.
    >
    >-Luke




  16. Re: Kerberize MS Exchange?


    On 14 Oct 2008, at 23:21, Markus Moeller wrote:

    > I can also confirm that outgoing SMTP with GSSAPI auth works with
    > Thunderbird against sendmail.


    If anyone is having problems with GSSAPI and Thunderbird which they
    believe is a bug in the product, please open a bug in their Bugzilla
    and Cc: me on the bug. I can confirm that (with the exception of
    security layers), POP3, IMAP and SMTP should all work from version
    1.5 onwards.

    Simon
    (who wrote the GSSAPI stuff in Tbird)


  17. Re: Kerberize MS Exchange?

    Luke Scharf wrote:
    > I use Thunderbird with GSSAPI with Dovecot on my home-network. It works
    > nicely. The only weird thing was that they used the term "Secure
    > Authentication" -- instead of "GSSAPI" or "Kerberos5" or "krb5".

    That's by design. Technically GSSAPI is only one of the SASL mechanisms
    offered by the server. "secure authentication" just enables the SASL
    negotiation procedure which might result in something completely
    different than GSSAPI (DIGEST-MD5 in my case, or NTLM for Outlook, etc).
    Besides: "GSSAPI" or "Kerberos5" in a general purpose UI? WTF!

    cheers
    Paul
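
Added example, not part of the thread and not Thunderbird's or any server's code: the point made in the last post (and seen in the CommuniGate and Cyrus transcripts earlier in the thread) is that a client set to "secure authentication" only starts SASL negotiation, and the mechanism it ends up with depends on what the server advertises in its CAPABILITY list. The Python below parses IMAP CAPABILITY responses in both forms quoted in the thread, picks a mechanism from an assumed preference order (GSSAPI first, password-carrying mechanisms only over TLS), and reports which Kerberos service principal a capture should show a ticket request for. The transcripts are constructed from the banners quoted in the thread; `PREFERENCE`, `kerberos_spn_for` and the other names are this example's own.

```python
"""Parse IMAP CAPABILITY lists and decide which SASL mechanism gets negotiated."""
import re

# Assumed client preference order, strongest mutual authentication first.
# This is an assumption for the example, not Thunderbird's actual logic.
PREFERENCE = ("GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN")
# Mechanisms that transmit the password itself; only acceptable under TLS.
PASSWORD_IN_CLEAR = {"PLAIN", "LOGIN"}

# Matches the greeting form '* OK [CAPABILITY ...] text' and the bare
# '* CAPABILITY ...' response; the capture stops at ']' or end of line.
_CAP_RE = re.compile(r"(?:^\*\s+CAPABILITY|\[CAPABILITY)\s+([^\]\r\n]*)")


def parse_capabilities(lines):
    """Return the capability tokens (upper-cased) from an IMAP transcript.

    Each element of `lines` is one server response. When several CAPABILITY
    lists appear (greeting, CAPABILITY reply, post-authentication OK) the
    last one wins, which is how a client should treat them.
    """
    caps = set()
    for line in lines:
        m = _CAP_RE.search(line.strip())
        if m:
            caps = {tok.upper() for tok in m.group(1).split()}
    return caps


def auth_mechanisms(caps):
    """SASL mechanism names the server advertised as AUTH=<name>."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def choose_mechanism(caps, tls_active=False, prefer=PREFERENCE):
    """Pick the mechanism a 'secure authentication' client would negotiate.

    Only advertised mechanisms are eligible, so a server without AUTH=GSSAPI
    ends up on DIGEST-MD5 or similar rather than Kerberos. PLAIN and LOGIN
    are skipped unless TLS is already active. Returns None if nothing
    acceptable is offered.
    """
    offered = auth_mechanisms(caps)
    for mech in prefer:
        if mech in offered and (tls_active or mech not in PASSWORD_IN_CLEAR):
            return mech
    return None


def kerberos_spn_for(caps, host, tls_active=False):
    """Service principal the client will request a ticket for, or None.

    A ticket request for imap/<host> only happens when GSSAPI is the
    negotiated mechanism; no such request in a capture means the client
    never got as far as GSSAPI.
    """
    if choose_mechanism(caps, tls_active) != "GSSAPI":
        return None
    return f"imap/{host}"


# Constructed transcripts, modelled on the banners quoted in the thread.
COMMUNIGATE = [
    "* OK CommuniGate Pro IMAP Server 5.1.13 at relay2.tomsk.ru ready",
    "* CAPABILITY IMAP4 IMAP4REV1 ACL NAMESPACE UIDPLUS IDLE LITERAL+ QUOTA ID "
    "MULTIAPPEND LISTEXT CHILDREN BINARY LOGIN-REFERRALS UNSELECT STARTTLS "
    "AUTH=LOGIN AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI",
    "1 OK completed",
]
CYRUS_GREETING = [
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5 "
    "AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR] imap.server.home Cyrus IMAP "
    "v2.3.12p2 server ready",
]
# Constructed: a server with no GSSAPI at all, to show the silent fallback.
NO_GSSAPI = [
    "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=DIGEST-MD5] ready",
]
# Post-authentication OK from the Cyrus transcript: LOGIN is now disabled and
# no AUTH= mechanisms are listed because authentication is already done.
CYRUS_AFTER_AUTH = [
    "2 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte "
    "QUOTA NAMESPACE UIDPLUS] Success (no protection)",
]

if __name__ == "__main__":
    for name, transcript, host in (("CommuniGate", COMMUNIGATE, "relay2.tomsk.ru"),
                                   ("Cyrus", CYRUS_GREETING, "imap.server.home"),
                                   ("no-GSSAPI", NO_GSSAPI, "example.invalid")):
        caps = parse_capabilities(transcript)
        print(name, sorted(auth_mechanisms(caps)),
              "->", choose_mechanism(caps), kerberos_spn_for(caps, host))
```

Run against a real server by feeding it the untagged lines of the greeting and of a `CAPABILITY` reply; if `kerberos_spn_for` returns None, a packet capture will not show any TGS request for the IMAP service either, which separates "the client chose another mechanism" from "the GSSAPI exchange itself failed".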
