Kerberos ticket access to MS Exchange - Kerberos

This is a discussion on Kerberos ticket access to MS Exchange - Kerberos ; Are there ANY mail client programs besides MS Outlook on any OS which support kerberos ticket authentication to Microsoft exchange? Does MS even use the standard gssapi sasl for IMAP? -Christopher Nebergall ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos...

+ Reply to Thread
Results 1 to 10 of 10

Thread: Kerberos ticket access to MS Exchange

  1. Kerberos ticket access to MS Exchange

    Are there ANY mail client programs besides MS Outlook on any OS which support kerberos ticket authentication to Microsoft exchange?
    Does MS even use the standard gssapi sasl for IMAP?

    -Christopher Nebergall
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos ticket access to MS Exchange

    Em Sexta 29 Julho 2005 13:41, Nebergall, Christopher escreveu:
    > Are there ANY mail client programs besides MS Outlook on any OS which

    support kerberos ticket authentication to Microsoft exchange?
    > Does MS even use the standard gssapi sasl for IMAP?


    I don't know the specifics regarding Exchange, but there are several mail
    clients which can use IMAP with GSSAPI authentication. To list a few:
    - mutt
    - pine
    - kmail
    - evolution
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: Kerberos ticket access to MS Exchange

    At 12:41 PM 7/29/2005, Nebergall, Christopher wrote:
    >Are there ANY mail client programs besides MS Outlook on any OS which
    >support kerberos ticket authentication to Microsoft exchange?


    No.

    >Does MS even use the standard gssapi sasl for IMAP?


    No. Exchange IMAP isn't Kerberized.

    We rock and rolled with Microsoft on this very issue. In fact, Exchange is
    almost useless for use with Kerberos (especially cross realm trusts). That
    is unless you have Exchange installed on the very same AD domain as the one
    you are trying to use kerberized access to.

    (IMHO) I don't think Microsoft really cares about Kerberos. In almost all
    cases if you stop storing real passwords on the AD domain you will always
    have your conceived ideas of Kerberized grandure fall apart on you. "Want
    to try it this way? Nope can't do that!" "Want to try it the other
    way? Nope, can't do that either!"

    The best you can ever hope for is password syncronization schemes under ID
    management suites.

    Rodney

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Kerberos ticket access to MS Exchange

    Rodney M Dyer wrote:

    > At 12:41 PM 7/29/2005, Nebergall, Christopher wrote:
    >
    >> Are there ANY mail client programs besides MS Outlook on any OS which
    >> support kerberos ticket authentication to Microsoft exchange?

    >
    >
    > No.
    >
    >> Does MS even use the standard gssapi sasl for IMAP?

    >
    >
    > No. Exchange IMAP isn't Kerberized.
    >
    > We rock and rolled with Microsoft on this very issue. In fact,
    > Exchange is almost useless for use with Kerberos (especially cross
    > realm trusts). That is unless you have Exchange installed on the very
    > same AD domain as the one you are trying to use kerberized access to.
    >
    > (IMHO) I don't think Microsoft really cares about Kerberos. In
    > almost all cases if you stop storing real passwords on the AD domain
    > you will always have your conceived ideas of Kerberized grandure fall
    > apart on you. "Want to try it this way? Nope can't do that!" "Want
    > to try it the other way? Nope, can't do that either!"
    >
    > The best you can ever hope for is password syncronization schemes
    > under ID management


    Or, you could ditch Microsoft.

    Michael

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  5. Re: Kerberos ticket access to MS Exchange

    Rodney M Dyer wrote:

    > At 12:41 PM 7/29/2005, Nebergall, Christopher wrote:
    >
    >> Are there ANY mail client programs besides MS Outlook on any OS which
    >> support kerberos ticket authentication to Microsoft exchange?

    >


    How about IMAP kerberized client in general? I'm using Cyrus IMAP 2.2.10
    on Tru64 UNIX and it lives in a MS ADS envirnoment. Will both MS Outlook
    Express and MS Outlook 2003/XP work as GSSAPI clients? I thought I heard
    that Mulberry from Cyrusoft was also Kerberized. Of course, it is not free.

    (sigh) I wish Mozilla had GSSAPI.

    Nix.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  6. Re: Kerberos ticket access to MS Exchange

    At 02:31 PM 7/31/2005, Nikola Milutinovic wrote:

    >How about IMAP kerberized client in general? I'm using Cyrus IMAP 2.2.10
    >on Tru64 UNIX and it lives in a MS ADS envirnoment. Will both MS Outlook
    >Express and MS Outlook 2003/XP work as GSSAPI clients? I thought I heard
    >that Mulberry from Cyrusoft was also Kerberized. Of course, it is not free.


    Sure, you can find several Kerberized IMAP servers and clients. And you
    can use Microsoft's Active Directory for your Kerberos KDC, no
    problem. You just can't use Outlook, or Microsoft Exchange IMAP with
    anyone elses KDC. Microsoft has made sure that in setting up a Kerberized
    network environment you should always use "their" server products as your
    KDCs. Use anything else and you will not be forgiven. You want to use MIT
    KDC, or Hesiod, forget it. You will expend to much time and effort on
    something that will eventually not work anyway. The funny thing is, if you
    are going to store passwords on your Microsoft AD server acting as a KDC,
    then what is the point of having a KDC in the first place...in terms of
    Microsoft authentication? This is why I say that Microsoft uses Kerberos
    just to appease the 'nix natives. It certainly has little use in their own
    products.

    Rodney

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  7. Re: Kerberos ticket access to MS Exchange

    Nikola Milutinovic wrote:
    > How about IMAP kerberized client in general?


    I'm working with David Bienvenu and others on GSSAPI support for
    Thunderbird. It should support both MIT Kerberos for Windows, and
    Microsoft's SSPI.

    Simon.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  8. Re: Kerberos ticket access to MS Exchange


    Rodney M Dyer wrote:
    >
    > Sure, you can find several Kerberized IMAP servers and clients. And you
    > can use Microsoft's Active Directory for your Kerberos KDC, no
    > problem. You just can't use Outlook, or Microsoft Exchange IMAP with
    > anyone elses KDC. Microsoft has made sure that in setting up a Kerberized
    > network environment you should always use "their" server products as your
    > KDCs. Use anything else and you will not be forgiven. You want to use MIT
    > KDC, or Hesiod, forget it. You will expend to much time and effort on
    > something that will eventually not work anyway. The funny thing is, if you
    > are going to store passwords on your Microsoft AD server acting as a KDC,
    > then what is the point of having a KDC in the first place...in terms of
    > Microsoft authentication? This is why I say that Microsoft uses Kerberos
    > just to appease the 'nix natives. It certainly has little use in their own
    > products.
    >
    > Rodney
    >

    I agree it was quite disappointing when exchange2003 came with some
    kerberos support but not extended to IMAP. I think the problem is
    outlook/exchange design itself, they just have way too many MAPI hooks
    together so it is difficult to extend that to IMAP. I used outlook web
    access with kerberos with some small degree of success (using mozilla
    and exchange new mail notification). the main issue for me are some of
    the nice features in OWA are off on mozilla (e.g. search folders). BTW,
    MAPI is using kerberos just not IMAP support ;-(

    -peter


  9. Re: Kerberos ticket access to MS Exchange

    >something that will eventually not work anyway. The funny thing is, if you
    >are going to store passwords on your Microsoft AD server acting as a KDC,
    >then what is the point of having a KDC in the first place...in terms of
    >Microsoft authentication? This is why I say that Microsoft uses Kerberos
    >just to appease the 'nix natives. It certainly has little use in their own
    >products.


    To be fair to Microsoft ... they do seem to use Kerberos in a number of
    places. E.g., their instant messaging protocol is Kerberized (I verified
    that with a network sniffer). From my conversations with Microsoft people,
    the reason Exchange doesn't do GSSAPI-authenticate IMAP really seems to
    be more tied up in lack of interest in the Exchange group (for what
    reason, I dunno).

    --Ken
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  10. Re: Kerberos ticket access to MS Exchange

    Em Sexta 29 Julho 2005 13:41, Nebergall, Christopher escreveu:
    > Are there ANY mail client programs besides MS Outlook on any OS which

    support kerberos ticket authentication to Microsoft exchange?
    > Does MS even use the standard gssapi sasl for IMAP?


    I don't know the specifics regarding Exchange, but there are several mail
    clients which can use IMAP with GSSAPI authentication. To list a few:
    - mutt
    - pine
    - kmail
    - evolution
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread