RE: Kerberos ticket access to MS Exchange
Did anyone have any luck with GSSAPI in SMTP and POP? This suggests that they support it. http://www.msexchange.org/tutorials/Telnet-Exchange2003-POP3-SMTP-Troubl eshooting.html -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Hornstein Sent: Monday, August 01, 2005 12:34 PM To: kerberos@mit.edu Subject: Re: Kerberos ticket access to MS Exchange something that will eventually not work anyway. The funny thing is, if you are going to store passwords on your Microsoft AD server acting as a KDC, then what is the point of having a KDC in the first place...in terms of Microsoft authentication? This is why I say that Microsoft uses Kerberos just to appease the 'nix natives. It certainly has little use in their own products. To be fair to Microsoft ... they do seem to use Kerberos in a number of places. E.g., their instant messaging protocol is Kerberized (I verified that with a network sniffer). From my conversations with Microsoft people, the reason Exchange doesn't do GSSAPI-authenticate IMAP really seems to be more tied up in lack of interest in the Exchange group (for what reason, I dunno). --Ken Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos ticket access to MS Exchange
something that will eventually not work anyway. The funny thing is, if you are going to store passwords on your Microsoft AD server acting as a KDC, then what is the point of having a KDC in the first place...in terms of Microsoft authentication? This is why I say that Microsoft uses Kerberos just to appease the 'nix natives. It certainly has little use in their own products. To be fair to Microsoft ... they do seem to use Kerberos in a number of places. E.g., their instant messaging protocol is Kerberized (I verified that with a network sniffer). From my conversations with Microsoft people, the reason Exchange doesn't do GSSAPI-authenticate IMAP really seems to be more tied up in lack of interest in the Exchange group (for what reason, I dunno). --Ken Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos ticket access to MS Exchange
Rodney M Dyer wrote: At 12:41 PM 7/29/2005, Nebergall, Christopher wrote: Are there ANY mail client programs besides MS Outlook on any OS which support kerberos ticket authentication to Microsoft exchange? How about IMAP kerberized client in general? I'm using Cyrus IMAP 2.2.10 on Tru64 UNIX and it lives in a MS ADS envirnoment. Will both MS Outlook Express and MS Outlook 2003/XP work as GSSAPI clients? I thought I heard that Mulberry from Cyrusoft was also Kerberized. Of course, it is not free. (sigh) I wish Mozilla had GSSAPI. Nix. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos ticket access to MS Exchange
Nikola Milutinovic wrote: How about IMAP kerberized client in general? I'm working with David Bienvenu and others on GSSAPI support for Thunderbird. It should support both MIT Kerberos for Windows, and Microsoft's SSPI. Simon. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos ticket access to MS Exchange
Rodney M Dyer wrote: At 12:41 PM 7/29/2005, Nebergall, Christopher wrote: Are there ANY mail client programs besides MS Outlook on any OS which support kerberos ticket authentication to Microsoft exchange? No. Does MS even use the standard gssapi sasl for IMAP? No. Exchange IMAP isn't Kerberized. We rock and rolled with Microsoft on this very issue. In fact, Exchange is almost useless for use with Kerberos (especially cross realm trusts). That is unless you have Exchange installed on the very same AD domain as the one you are trying to use kerberized access to. (IMHO) I don't think Microsoft really cares about Kerberos. In almost all cases if you stop storing real passwords on the AD domain you will always have your conceived ideas of Kerberized grandure fall apart on you. Want to try it this way? Nope can't do that! Want to try it the other way? Nope, can't do that either! The best you can ever hope for is password syncronization schemes under ID management Or, you could ditch Microsoft. Michael Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos