Kerber'izing Microsoft Exchange...
Rodney M Dyer
rmdyer at uncc.edu
Wed May 26 18:01:08 EDT 2004
Hi,
We are in the process of trying to Kerberize everything we can in our IT
shop. Recently we've tried to Kerberize Microsoft Exchange 2003 and have
run into a wall. The wall is simply due to lack of documentation on the
subject.
We run a fairly simple setup. We have two Sun machines acting as KDCs
running Solaris 9 with MIT Kerberos 5 v1.3.1. Our Microsoft Active
Directory Domain is in a cross realm trust with the MIT realm. Our users
can log on to our XP workstations that are members of the AD domain using
their MIT Kerberos realm credentials.
We "can" run Outlook and Exchange in Kerberos mode "if" we run the Exchange
server on the AD domain. Our users can successfully log on to the Exchange
server using Outlook with their credentials from the MIT KDC. This is
because of the cross realm setup. However, this is obviously not the case
for XP workstations in other AD domains, or workstations that don't belong
to any domains.
Some of the problems appear to be:
a. The Outlook email client can only view tickets in Microsoft's
SSPI credentials cache.
b. The Exchange service principals are created during Exchange setup
on the AD.
c. There is no documentation on how to create, extract, and import
Exchange service keys from a MIT KDC to a Microsoft server running Exchange.
d. Assuming we could import MIT service keytabs into Microsoft
server for Exchange, can we do this without disturbing the existing service
keys generated during Exchange setup...so that they will still be valid???
e. What about encryption types, will we be out of luck?
f. Outlook web access would have to act via delegation to obtain
Kerberos TGT and service tickets for the user during the web session from
the MIT KDC???
g. IMAP clients with and without Kerberos credentials would also be
an annoyance.
I'm sure there are other problems that don't immediately come to mind. I'm
not even sure this can be done. I currently have Microsoft support looking
at the issues to let me know if any of this is possible. However, I'd like
to know if anyone else has looked into this same subject and has any thoughts.
Thanks,
Rodney
Rodney M. Dyer
Windows Systems Programmer
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: rmdyer at uncc.edu
Web: http://www.coe.uncc.edu/~rmdyer
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office: 267 Smith Building
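Points c and e above both come down to what a keytab actually carries: which principal, which key version, and which encryption types. The following is an added example, not code from the original post, that parses the MIT keytab file format (version 0x0502) without exposing key material and flags entries whose enctype the other side cannot use; the principal name, realm and keys are constructed dummy values.

```python
import struct

# Kerberos enctype numbers from the IANA registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502); key bytes are dropped so the result is safe to log."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size = deleted slot; zero = padding
            off += -size or 1
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off)
        realm, off = data[off + 4:off + 4 + rlen], off + 4 + rlen
        comps = []
        for _ in range(ncomp):        # each component is a 16-bit length-prefixed string
            (n,) = struct.unpack_from(">H", data, off)
            comps.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen              # skip over the key material itself
        kvno = (struct.unpack_from(">I", data, off)[0] or vno8) if end - off >= 4 else vno8  # trailing 32-bit kvno wins
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "name": ENCTYPE_NAMES.get(enctype, "unknown")})
    return entries

def unsupported_enctypes(entries, accepted):
    """Entries whose enctype is outside the set the peer (e.g. the Windows side) accepts."""
    return [e for e in entries if e["enctype"] not in accepted]

def _entry(comps, realm, kvno, enctype, key):
    """Encode one keytab entry; used only to build the constructed sample below."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    body += b"".join(struct.pack(">H", len(c)) + c for c in comps)
    body += struct.pack(">IIBHH", 1, 1085600468, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample (hypothetical Exchange SPN, dummy keys): one DES, one RC4, one AES256 key.
_P = ([b"exchangeMDB", b"mail.example.edu"], b"EXAMPLE.EDU", 3)
SAMPLE_KEYTAB = (b"\x05\x02" + _entry(*_P, 1, b"\x11" * 8)
                 + _entry(*_P, 23, b"\x22" * 16) + _entry(*_P, 18, b"\x33" * 32))
```

Running `parse_keytab` over a keytab exported from the MIT KDC and passing the result to `unsupported_enctypes` with the set of enctypes the Exchange host accepts shows, before anything is imported, which keys would be dead weight and which key version must match on both sides.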