Kerberize MS Exchange?

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Oct 15 10:42:53 EDT 2008 

>Luke Scharf schrieb:
>> I use Thunderbird with GSSAPI with Dovecot on my home-network.  It works 
>> nicely.  The only weird thing was that they used the term "Secure 
>> Authentication" -- instead of "GSSAPI" or "Kerberos5" or "krb5".
>Thats by design. Technically GSSAPI is only one of the SASL mechanisms 
>offered by the server. "secure authentication" just enables the SASL 
>negotiation procedure which might result in something completely 
>different than GSSAPI (DIGEST-MD5 in my case, or NTLM for Outlook, etc). 
>Besides: "GSSAPI" or "Kerberos5" in a general purpose UI? WTF!

Urrrrk.  I STRONGLY disagree with you on this!  Here are my reasons:

- From the programmer/network protocol perspective, being able to write one
  program or define one protocol that negotiates a whole group of SASL
  mechanisms is great.  But from an administrator perspective, it
  bites.  I don't want to have users fall back to DIGEST-MD5 if
  Kerberos fails, I want to fix the Kerberos problem!  (And very likely
  if GSSAPI fails, DIGEST-MD5 isn't going to work for that user anyway;
  of course that depends on your site, but I think that's more true
  than not).  If the user explicitly picks a mechanism to use, these
  problems are eliminated.  Since many mainstream apps have each SASL
  mechanism coded explicitly (Thunderbird among them) there's not even
  a programming reason to obfuscate the choice of SASL mechanism (and
  explicitly picking the mechanism prevents a downgrade attack).

- From a user and administrator perspective, the whole situation with
  Thunderbird bites.  Note: I've talked with Simon about this; I
  understand the situation he was faced with regarding Thunderbird and
  GSSAPI support, and I'm glad he was able to get it in there.  But I
  believe even he would admit the current situation is not ideal (and
  I know that it would be tough for him to address it).

  I've helped a number of people get GSSAPI with Thunderbird working.
  The general flow of questions looks like this:

  - Uh, does it support Kerberos?  I don't see anything where I can enable
    it under Preferences.

  - So, uh, if it supports Kerberos, how do I turn it on?

  - Okay, I checked "Secure Authentication", but that didn't work, and
    it asked me for a password.  I typed in my Kerberos password, but that
    failed.

  First off, "Secure Authentication" is a SHITTY checkbox.  What this
  means is not clear, even to me.  Does this mean "Use TLS?"  Does this
  mean "Negotiate SASL?"  Does it mean both?  It's confusing to the
  user.  If it was one user, I would say that this confusion is an
  anomaly, but it seems like EVERYONE that tries to use Thunderbird
  here has problems with this.

  Secondly, the "attempt to negotiate all mechanisms" problem generates
  a number of practical issues.  The first is error reporting - let's
  say you try GSSAPI, and that fails.  Should you then report GSSAPI
  errors back to the user?  Well, in Thunderbird that doesn't happen; I
  can sort-of understand why Thunderbird doesn't do that, because most
  of the users don't use GSSAPI and any GSSAPI errors would be the
  "wrong" errors, but this illustrates the problem with multi-mechanism
  negotiation: which errors do you report to the user when you try
  multiple mechanisms?
  
  Another problem with multi-mechanism negotiation is that they have
  different user interactions.  For example, CRAM-MD5 and DIGEST-MD5
  likely want to prompt the user for a password, but of course for
  GSSAPI/Kerberos you normally wouldn't have the app do that; it would
  be done via a Kerberos application (or perhaps the GSSAPI library
  would do that).  So should an application prompt for a password no
  matter what the mechanism?  Probably not, but I've seen cases where
  that happens; again, more confusion for the user.

  Now, to be fair part of the problem with Thunderbird seems to spring
  from the fact that at least on Windows it's using third-party GSSAPI
  libraries (at least when we want to use it), and many of the problems
  come from finding those GSSAPI libraries.  And I know that it is
  possible to get the GSSAPI errors by setting some arcane environment
  variables.  It kinda bites that you have to go through this crappy
  process to GET those errors; like I said, I understand why this is
  the case, but it still sucks.

  Part of the confusion may be historical; many of our users were
  previously using Eudora, and that had a weird dance where you in some
  cases EXPLICITLY had to not turn on the "Use secure authentication"
  dialog (but it also had an explicit Kerberos configuration dialog).

I can contrast this with people who use Apple Mail, which has a very
clear configuration dialog which explicitly says, "Use Kerberos 5
(GSSAPI)".  No one ever asks me if Apple Mail supports Kerberos, or how
to turn it on.  The Kerberos errors (in most cases) are presented to
the user.  It just works better.  Presenting the SASL mechanism to the
user is a clear win.  A lot has to happen under the scenes to make
it all work, but I cannot see any reason why presenting this to the
user is bad.

--Ken

More information about the Kerberos mailing list