Hi Don,

On Sun, 2013-05-12 at 22:06 -0700, Don Camp wrote:
> I am attempting to deploy mapiproxy but I am running into some
> problems. I'm trying to proxy between an Outlook 2010 client and an
> Exchange 2010 server using delegated credentials.

The delegated credentials use case is a mapiproxy caveat. They are
"supposed" to work but they are like Bigfoot, I have no evidence of
it.

> I have joined Samba as a domain controller to the Exchange server's
> domain. Outlook is able to connect to the Exchange server, through the
> proxy, and download the profile. But when I launch Outlook it never
> successfully connects. The Outlook status reports "trying to connect"
> or "disconnected".

The last time I investigated delegated credentials, this was the
scenario with the most potential and percentage of successful outcomes.

To make it simple:

     1. Delegated credentials can't work with NTLM authentication,
        because the hash is salted and we can't proxify this.
     2. The only way to authenticate users on behalf of the Windows
        server is to use Kerberos.
     3. To get delegated credentials working, you need to tell the
        Windows server running your Exchange that your Samba service is
        trusted to authenticate users on behalf of the Windows KDC. You
        can achieve this by using setspn.

The problem I encountered was related to TGS-REQ/REPL where it appeared
that we were not able to issue the ticket properly. I must say it has
been quite some time so I wouldn't be able to get into further details.

Kind Regards,
Julien.

--
Julien Kerihuel
[email protected]
OpenChange Project Founder
GPG Fingerprint: 0B55 783D A781 6329 108A B609 7EF6 FE11 A35F 1F79