Kerber'izing Microsoft Exchange...

[Jeffrey Altman]

Rodney M Dyer wrote:

> Hi,
> 
> We are in the process of trying to Kerberize everything we can in our IT 
> shop.  Recently we've tried to Kerberize Microsoft Exchange 2003 and 
> have run into a wall.  The wall is simply due to lack of documentation 
> on the subject.

I've never tried to do this but I will attempt to help.


> We run a fairly simple setup.  We have two Sun machines acting as KDCs 
> running Solaris 9 with MIT Kerberos 5 v1.3.1.  Our Microsoft Active 
> Directory Domain is in a cross realm trust with the MIT realm.  Our 
> users can logon to our XP workstations that are members of the AD domain 
> using their MIT Kerberos realm credentials.
> 
> We "can" run Outlook and Exchange in Kerberos mode "if" we run the 
> Exchange server on the AD domain.  Our users can successfully logon to 
> the Exchange server using Outlook using their credentials from the MIT 
> KDC.  This is because of the cross realm setup.  However, this is 
> obviously not the case for XP workstations in other AD domains, or 
> workstations that don't belong to any domains.
> 
> Some of the problems appear to be:
> 
>      a.  The Outlook email client can only view tickets in Microsoft's 
> SSPI credentials cache.

This is correct.  Outlook can only use the Microsoft Kerberos SSP so
that is where the credentials must be obtained from.  Therefore, all
client machines whether or not they are part of a domain must be 
configured using KSETUP to provide the Realm and KDC information
for both the MIT realm and the Active Directory realm

>      b.  The Exchange service principles are created during Exchange 
> setup on the AD.

as well they should be.  These service principals require access to the
PAC data which is provided only by AD and not the MIT KDC

>      c.  There is no documentation on how to create, extract, and import 
> Exchange service keys from a MIT KDC to a Microsoft server running 
> Exchange.

This is because the Exchange Service Keys belong to the AD realm not
the MIT KDC realm.

>      d.  Assuming we could import MIT service keytabs into Microsoft 
> server for Exchange, can we do this without disturbing the existing 
> service keys generated during Exchange setup...so that they will still 
> be valid???

Unlikely.  Microsoft services do not use keytabs.  Instead they use
passwords just like user principals do.  After determining which service
name the client is using to communicate with the service, the service
computes the appropriate key on the fly.

>      e.  What about encryption types, will we be out of luck?

You want to use RC4-HMAC

>      f.  Outlook web access would have to act via delegation to obtain 
> Kerberos TGT and service tickets for the user during the web session 
> from the MIT KDC???

from the AD KDC via cross-realm from the MIT KDC

>      g.  IMAP clients with and without kerberos credentials would also 
> be an annoyance.
> 
> I'm sure there are other problems that don't immediately come to mind.  
> I'm not even sure this can be done.  I currently have Microsoft support 
> looking at the issues to let me know if any of this is possible.  
> However I'd like to know if anyone else has looked into this same 
> subject and have any thoughts.
> 
> Thanks,
> 
> Rodney
> 
> Rodney M. Dyer
> Windows Systems Programmer
> Mosaic Computing Group
> William States Lee College of Engineering
> University of North Carolina at Charlotte
> Email: rmdyer at uncc.edu
> Web: http://www.coe.uncc.edu/~rmdyer
> Phone: (704)687-3518
> Help Desk Line: (704)687-3150
> FAX: (704)687-2352
> Office:  267 Smith Building
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu