Kerber'izing Microsoft Exchange...

Rodney M Dyer rmdyer at uncc.edu
Wed May 26 18:01:08 EDT 2004


Hi,

We are in the process of trying to Kerberize everything we can in our IT 
shop.  Recently we've tried to Kerberize Microsoft Exchange 2003 and have 
run into a wall.  The wall is simply due to lack of documentation on the 
subject.

We run a fairly simple setup.  We have two Sun machines acting as KDCs 
running Solaris 9 with MIT Kerberos 5 v1.3.1.  Our Microsoft Active 
Directory Domain is in a cross realm trust with the MIT realm.  Our users 
can logon to our XP workstations that are members of the AD domain using 
their MIT Kerberos realm credentials.

We "can" run Outlook and Exchange in Kerberos mode "if" we run the Exchange 
server on the AD domain.  Our users can successfully logon to the Exchange 
server using Outlook using their credentials from the MIT KDC.  This is 
because of the cross realm setup.  However, this is obviously not the case 
for XP workstations in other AD domains, or workstations that don't belong 
to any domains.

Some of the problems appear to be:

      a.  The Outlook email client can only view tickets in Microsoft's 
SSPI credentials cache.
      b.  The Exchange service principals are created during Exchange setup 
on the AD.
      c.  There is no documentation on how to create, extract, and import 
Exchange service keys from a MIT KDC to a Microsoft server running Exchange.
      d.  Assuming we could import MIT service keytabs into Microsoft 
server for Exchange, can we do this without disturbing the existing service 
keys generated during Exchange setup...so that they will still be valid???
      e.  What about encryption types, will we be out of luck?
      f.  Outlook web access would have to act via delegation to obtain 
Kerberos TGT and service tickets for the user during the web session from 
the MIT KDC???
      g.  IMAP clients with and without Kerberos credentials would also be 
an annoyance.

I'm sure there are other problems that don't immediately come to mind.  I'm 
not even sure this can be done.  I currently have Microsoft support looking 
at the issues to let me know if any of this is possible.  However I'd like 
to know if anyone else has looked into this same subject and have any thoughts.

Thanks,

Rodney

Rodney M. Dyer
Windows Systems Programmer
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: rmdyer at uncc.edu
Web: http://www.coe.uncc.edu/~rmdyer
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office:  267 Smith Building
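A check that goes with items c through e above, added here as an example and not code from the original post, from MIT Kerberos or from Microsoft: a parser for the MIT keytab v2 file format that lists each extracted service key's principal, kvno and enctype, so a keytab pulled from the MIT KDC can be compared against the kvno and enctypes a server already holds before anything is imported. The realm, host name and key bytes in the sample are constructed placeholders.

```python
import struct
# Enctype numbers from the RFC 3961 registry that commonly appear in keytabs
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
def _octets(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b
def build_entry(realm, components, enctype, kvno, key, name_type=1, timestamp=0):
    """Serialize one keytab v2 entry; used only to construct the sample below."""
    body = struct.pack(">H", len(components)) + _octets(realm.encode())
    for c in components:
        body += _octets(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key             # keyblock
    body += struct.pack(">I", kvno)                                 # 32-bit vno extension
    return struct.pack(">i", len(body)) + body                      # int32 size prefix
def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype_name)] from MIT keytab v2 (0x0502) bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                # 32-bit vno present: overrides vno8 if nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno,
                        ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype)))
    return entries
# Constructed sample (placeholder realm/host, dummy keys): AES and single-DES keys, kvno 3
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("MIT-REALM.EXAMPLE", ["host", "mail.example.edu"], 18, 3, b"\x11" * 32)
    + build_entry("MIT-REALM.EXAMPLE", ["host", "mail.example.edu"], 1, 3, b"\x22" * 8))
```

Running `parse_keytab` over a real keytab exported with kadmin's ktadd shows at a glance whether a single-DES or RC4 key was written alongside the AES ones and whether the kvno collides with the key the server already holds.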


