I've been fighting with setting up Kerberos authentication for over a week
now, and I'm not having any luck. I have looked at every email in the forum
archive regarding this, and have tried many settings on my own as well with
no luck. I'm hoping someone there can help shed some light on this problem.
I'm working on a brand new installed Windows 2003 server for the AD
controller. It's setup with a domain of aimengineering.com. I'm also working
with a fresh install of CentOS 5 with CGP installed on it. I have also setup
a fresh Windows XP Pro machine and joined it to the aimengineering.com
domain.
I then setup a user (cgp) on the AD server, and then created the keytab.data
file by using the following command:
ktpass -princ imap/mail.aimeng...@AIMENGINEERING.COM -mapuser
c...@aimengineering.com -pass xxxxxx -out keytab-imap.data -crypto
DES-CBC-MD5 -ptype KRB5_NT_SRV_HST
When I run this I get a warning about pType doesn't match the crypto key...
but it creates the key anyway.
I have also tried to create a keytab file using a -crypto of RC4-HMAC-NT
with no luck as well.
I then upload that .data file to the mail server (mail.aimengineering.com)
and try to open Outlook with the MAPI connector configured and I get an
error Acquiring Credentials and it doesn't let me in. I am also unable to
connect using the web interface.
If I turn back on the Communigate Password in the admin interface I am then
able to log in to the account using the other password (not the one in AD).
So, I looked at the klist tickets on the AD server and it creates some
tickets, but I don't see one for the mail server, or the client server. All
I see is:
C:\Program Files\Support Tools>klist tickets
Cached Tickets: (2)
Server: krbtgt/AIMENGINE...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/11/2007 18:36:51
Renew Time: 6/18/2007 8:36:51
Server: host/payme.aimeng...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/11/2007 18:36:51
Renew Time: 6/18/2007 8:36:51
And when I do a klist tgt I get:
C:\Program Files\Support Tools>klist tgt
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: Administrator
DomainName: AIMENGINEERING.COM
TargetDomainName: AIMENGINEERING.COM
AltTargetDomainName: AIMENGINEERING.COM
TicketFlags: 0x40e00000
KeyExpirationTime: 0/38/4 0:00:10776
StartTime: 6/11/2007 8:36:51
EndTime: 6/11/2007 18:36:51
RenewUntil: 6/18/2007 8:36:51
TimeSkew: 6/18/2007 8:36:51
Any suggestions would be most appreciated!
Andy Kunkle
IT Administrator
AIM Engineering & Surveying, Inc.
5300 Lee Blvd
Lehigh Acres, FL 33971
239-332-4569
#############################################################
This message is sent to you because you are subscribed to
the mailing list <CGat...@mail.stalker.com>.
To unsubscribe, E-mail to: <CGateP...@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePr...@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePr...@mail.stalker.com>
Send administrative queries to <CGatePro...@mail.stalker.com>
OK, all good so far.
> I then setup a user (cgp) on the AD server, and then created the keytab.data
> file by using the following command:
>
> ktpass -princ imap/mail.aimeng...@AIMENGINEERING.COM -mapuser
> c...@aimengineering.com -pass xxxxxx -out keytab-imap.data -crypto
> DES-CBC-MD5 -ptype KRB5_NT_SRV_HST
>
> When I run this I get a warning about pType doesn't match the crypto key...
> but it creates the key anyway.
Hrm... I recollect something about that type of error, but not the
detail at the moment. I'll dig back for that later.
> I then upload that .data file to the mail server (mail.aimengineering.com)
> and try to open Outlook with the MAPI connector configured and I get an
> error Acquiring Credentials and it doesn't let me in. I am also unable to
> connect using the web interface.
If you're trying to use kerberos for the IMAP service alone, have
switched off the CommuniGate password, then the web interface won't let
you in - it uses a different SPN per the documentation.
> If I turn back on the Communigate Password in the admin interface I am then
> able to log in to the account using the other password (not the one in AD).
As expected.
> So, I looked at the klist tickets on the AD server and it creates some
> tickets, but I don't see one for the mail server, or the client server. All
> I see is:
You need to look at the "klist tickets" output on the *client
machine*, not the server. Fire up Outlook, let it fail to acquire
credentials, then run "klist tickets" from a command prompt on the
client you ran Outlook on.
Make sure, in your case, that Outlook is configured as follows:
1. Server name: mail.aimengineering.com.
2. "Use Windows Integrated Authentication" is ticked.
3. (possibly not necessary, but...) "Use Secure Authentication" is
unticked.
Let us know how you get on.
Graeme
I too have had this problem but have never found a solution.
Even on AD KBs!
So I look on with interest and hope someone does have a solution.
> > So, I looked at the klist tickets on the AD server and it creates
> some
> > tickets, but I don't see one for the mail server, or the client
> server. All
> > I see is:
>
> You need to look at the "klist tickets" output on the *client
> machine*, not the server. Fire up Outlook, let it fail to acquire
> credentials, then run "klist tickets" from a command prompt on the
> client you ran Outlook on.
Ok, I did this. I installed the resource kit on the XP client and ran the
klist tickets after opening outlook and getting the Acquiring Credentials
Failed error 0x80090303 and here's what it outputs:
C:\Documents and Settings\andy.AIMENGINEERING>klist tickets
Cached Tickets: (5)
Server: krbtgt/AIMENGINE...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/12/2007 21:35:47
Renew Time: 6/19/2007 11:35:47
Server: krbtgt/AIMENGINE...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/12/2007 21:35:47
Renew Time: 6/19/2007 11:35:47
Server: cifs/payme.aimeng...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/12/2007 21:35:47
Renew Time: 6/19/2007 11:35:47
Server:
ldap/payme.aimengineering.com/aimengine...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/12/2007 21:35:47
Renew Time: 6/19/2007 11:35:47
Server: LDAP/payme.aimeng...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/12/2007 21:35:47
Renew Time: 6/19/2007 11:35:47
I'm not really sure where it's getting those tickets from. I never created
any of those servers like cifs... but I am aware of the complete lack of
IMAP, HTTP or mail tickets that I did create, so something is definitely not
working right.
I also ran klist tgt to see what that would do and here's what I got:
C:\Documents and Settings\andy.AIMENGINEERING>klist tgt
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: andy
DomainName: AIMENGINEERING.COM
TargetDomainName: AIMENGINEERING.COM
AltTargetDomainName: AIMENGINEERING.COM
TicketFlags: 0x40e00000
KeyExpirationTime: 0/39/4 0:00:10776
StartTime: 6/12/2007 11:35:47
EndTime: 6/12/2007 21:35:47
RenewUntil: 6/19/2007 11:35:47
TimeSkew: 6/19/2007 11:35:47
Outlook is configured as you said below.
> Make sure, in your case, that Outlook is configured as follows:
>
> 1. Server name: mail.aimengineering.com.
> 2. "Use Windows Integrated Authentication" is ticked.
> 3. (possibly not necessary, but...) "Use Secure Authentication" is
> unticked.
Too strange. I hope you have more insight!
Thanks for your help!!
Andy Kunkle
AIM Engineering
Me too :-/
I need to find out why our setup is so different to everyone else's, in
that ours works and everyone else's doesn't seem to!
> Ok, I did this. I installed the resource kit on the XP client and ran the
> klist tickets after opening outlook and getting the Acquiring Credentials
> Failed error 0x80090303 and here's what it outputs:
As expected; there's no imap/blahblahblah ticket there. Which means,
unsurprisingly enough, that the workstation couldn't fetch appropriate
credentials for imap/mail.aimeng...@AIMENGINEERING.COM
> I'm not really sure where it's getting those tickets from. I never created
> any of those servers like cifs... but I am aware of the complete lack of
> IMAP, HTTP or mail tickets that I did create, so something is definitely not
> working right.
The other tickets are created as part of the Active Directory's normal
setup and operation. It uses kerberos for just about everything.
> I also ran klist tgt to see what that would do and here's what I got:
>
> C:\Documents and Settings\andy.AIMENGINEERING>klist tgt
>
> Cached TGT:
>
> ServiceName: krbtgt
> TargetName: krbtgt
> FullServiceName: andy
> DomainName: AIMENGINEERING.COM
> TargetDomainName: AIMENGINEERING.COM
> AltTargetDomainName: AIMENGINEERING.COM
> TicketFlags: 0x40e00000
> KeyExpirationTime: 0/39/4 0:00:10776
> StartTime: 6/12/2007 11:35:47
> EndTime: 6/12/2007 21:35:47
> RenewUntil: 6/19/2007 11:35:47
> TimeSkew: 6/19/2007 11:35:47
Well, that's good - it proves you're logged in to the right domain.
> Outlook is configured as you said below.
Also good.
Now for the good bit - on your domain controller, open up Active
Directory Users and Computers and navigate your way to the user (cgp)
that holds the SPN for imap/.
Open up the user, click the "Account" pane and check that:
1. "User logon name" is "imap/mail.aimengineering.com"
2. The domain is "@aimengineering.com"
3. In "Account options" the "Use DES encryption types for this account"
is ticked.
4. THE ACCOUNT IS NOT LOCKED OUT.
I cannot *begin* to stress how important that last bit is, I really
can't. If it's locked out, no amount of wrangling will make Kerberos
work for CGP!
I'm guessing here that Bret et al might need to check that one out, too,
just in case...
Graeme
The 3rd step here was not the case with that account. I checked that, and
then tried rebooting the client computer. After coming back up, I logged in
and it still didn't work. I have loaded about 4 different .data files into
the CGP server now. Some I have configured with DES-CBC-MD5, others using
RC4-HMAC-NT just to cover my bases. I still get nothing mentioning
imap/mail... when I run klist tickets on the client machine.
I also found in some other documents around the forum where they mentioned
the "Delegation" tab in the user account. It said to select the "trust this
user for delegation to any service". So I did that as well.
I think the problem I'm having is that there's no real drawn out map of how
Kerberos works with the mail server. I'm guessing the mail server is
supposed to get the ticket from the AD server, which in turn is given to the
client when Outlook is opened. Is there a way to get better logs both from
the Windows side as well as CGP on what is really going on inside that box?
I have even gone so far as to run the network analyzer on the AD server
while the transaction takes place, but even that nets no useful data.
It really seems like I'm missing just one step for this to work. I think CG
would sell a million copies of their product if they had a tried and true
method of authenticating against the AD server, don't you?
Anyway, I hope I haven't exhausted your resource yet!! Oh, we're using
CentOS 5 for our Unix machine... what do you guys use? What about the AD
server? I'm just using 2003 standard with SP1 (not R2).
Thanks again!!
Andy Kunkle
AIM Engineering
> I cannot *begin* to stress how important that last bit is, I really
> can't. If it's locked out, no amount of wrangling will make Kerberos
> work for CGP!
>
> I'm guessing here that Bret et al might need to check that one out,
> too,
> just in case...
>
> Graeme
I'd suggest that you remove all the SPN tickets you've created from that
user, remove all the tickets from the CGP server, recreate one and
re-import it. A user account of this type (IIRC) must only be a service
principal for a single service, i.e. hold one SPN ticket and no more.
Now you've set that user for DES encryption I'd surmise that you find
you run the ktpass utility without generating any errors... who knows?
> I also found in some other documents around the forum where they mentioned
> the "Delegation" tab in the user account. It said to select the "trust this
> user for delegation to any service". So I did that as well.
>
> I think the problem I'm having is that there's no real drawn out map of how
> Kerberos works with the mail server. I'm guessing the mail server is
> supposed to get the ticket from the AD server, which in turn is given to the
> client when Outlook is opened. Is there a way to get better logs both from
> the Windows side as well as CGP on what is really going on inside that box?
> I have even gone so far as to run the network analyzer on the AD server
> while the transaction takes place, but even that nets no useful data.
It's all encrypted, that's why.
> It really seems like I'm missing just one step for this to work. I think CG
> would sell a million copies of their product if they had a tried and true
> method of authenticating against the AD server, don't you?
They do have a tried and true method - I believe the problem is that
there is no such thing as a "standard" active directory setup. Patch
levels differ, releases differ, service packs differ. All of these can
affect operation, and especially inter-operation.
Unfortunately I've not much else to offer - I'm a
Unix/Linux/mail/hosting person more than an AD person. You need some
sort of debug tool at the AD end to see what your client is requesting,
and I've no idea what that would be. Sorry.
> Anyway, I hope I haven't exhausted your resource yet!! Oh, we're using
> CentOS 5 for our Unix machine... what do you guys use? What about the AD
> server? I'm just using 2003 standard with SP1 (not R2).
We're using RHEL4 on HP Intel hardware, for what it's worth. Not very
much use really :)
Graeme
One more thing: you are importing them to the CGPro domain
"aimengineering.com" or "mail.aimengineering.com", aren't you? Just
checking :)
It isn't important at the moment - the problem lies between the client
and the AD - but it could be later!
Graeme
Well, I did what you said, I removed the cgp account from the AD server and
then re-created another account called cgatepro. I then removed all of the
.data files from the CGPro server and stopped and restarted the server.
After that, I ran this command:
ktpass -princ imap/mail.aimeng...@AIMENGINEERING.COM -mapuser
cgat...@aimengineering.com -pass xxxxx -out imap-work.data -crypto
DES-CBC-MD5 -ptype KRB5_NT_SRV_HST
I reset the client machine and now I'm getting a ticket for imap/mail. See
below:
C:\Documents and Settings\andy.AIMENGINEERING.000>klist tickets
Cached Tickets: (9)
Server: krbtgt/AIMENGINE...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
Server: krbtgt/AIMENGINE...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
Server: ProtectedStorage/payme.aimeng...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
Server: imap/mail.aimeng...@AIMENGINEERING.COM
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
Server: cifs/payme.aimeng...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
Server:
ldap/payme.aimengineering.com/aimengine...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
Server: cifs/PA...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
Server: LDAP/payme.aimeng...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
Server: host/aim-1.aimeng...@AIMENGINEERING.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/13/2007 0:49:44
Renew Time: 6/19/2007 14:49:44
So now I'm getting 2 tickets that I wasn't getting before.. one for the
client host machine and the other for the imap/mail.
I had been using just AIMENGINEERING.COM but should I be using
MAIL.AIMENGINEERING.COM instead? The error I'm getting in outlook now is:
Kerberos: Failed to verify data integrity
That's progress?!?
Andy Kunkle
AIM Engineering
> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGat...@mail.stalker.com] On
> Behalf Of Graeme Fowler
> Sent: Tuesday, June 12, 2007 2:26 PM
> To: CommuniGate Pro Discussions
> Subject: Re: Kerberos Authentication with 2003 Server
>
> On Tue, 2007-06-12 at 13:19 -0400, Andy Kunkle wrote:
> > The 3rd step here was not the case with that account. I checked that,
> and
> > then tried rebooting the client computer. After coming back up, I
> logged in
> > and it still didn't work. I have loaded about 4 different .data files
> into
> > the CGP server now. Some I have configured with DES-CBC-MD5, others
> using
> > RC4-HMAC-NT just to cover my bases. I still get nothing mentioning
> > imap/mail... when I run klist tickets on the client machine.
>
> One more thing: you are importing them to the CGPro domain
> "aimengineering.com" or "mail.aimengineering.com", aren't you? Just
> checking :)
>
> It isn't important at the moment - the problem lies between the client
> and the AD - but it could be later!
>
> Graeme
I'd have hoped a server restart wasn't necessary, but it doesn't hurt!
> After that, I ran this command:
>
> ktpass -princ imap/mail.aimeng...@AIMENGINEERING.COM -mapuser
> cgat...@aimengineering.com -pass xxxxx -out imap-work.data -crypto
> DES-CBC-MD5 -ptype KRB5_NT_SRV_HST
>
> I reset the client machine and now I'm getting a ticket for imap/mail. See
> below:
>
> C:\Documents and Settings\andy.AIMENGINEERING.000>klist tickets
<snip>
> Server: imap/mail.aimeng...@AIMENGINEERING.COM
> KerbTicket Encryption Type: Kerberos DES-CBC-MD5
> End Time: 6/13/2007 0:49:44
> Renew Time: 6/19/2007 14:49:44
Aha! Excellent. Now your workstation can get a ticket. Definitely good,
as we can now turn up debugging.
> So now I'm getting 2 tickets that I wasn't getting before.. one for the
> client host machine and the other for the imap/mail.
You just need to concentrate on the imap/ one. The rest will float in
and out as necessary, and Windows will DTRT with them.
> I had been using just AIMENGINEERING.COM but should I be using
> MAIL.AIMENGINEERING.COM instead? The error I'm getting in outlook now is:
>
> Kerberos: Failed to verify data integrity
>
> That's progress?!?
For sure it is, yes.
If you now:
1. Stop Outlook on the client (File... Exit)
2. Turn up the logging level for Settings/Access/IMAP to "all info"
3. Turn up the logging level for
Users/Domains/aimengineering.com/Account Log Level to "all info"
4. Restart Outlook
You should now get a bunch of Kerberos stuff in your logs. You may not
want to post it all here, mind you, so feel free to forward it to me
off-list.
Getting closer!
Graeme
I just dug back through my email archive to find the correspondence I
had over this exact issue last year (Aug/Sept) with the list.
The problem was that I had managed to get more than one SPN into the
Active Directory for the same service (imap), and had imported more than
one into the CGP domain.
Once I cleared the whole lot at both ends, I was able to get a single
defined SPN mapping into the AD, and import that keytab alone into my
CGP domain. That's when it all started to work.
Graeme
Andy Kunkle
IT Administrator
AIM Engineering & Surveying, Inc.
5300 Lee Blvd
Lehigh Acres, FL 33971
239-332-4569
> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGat...@mail.stalker.com] On
> Behalf Of Graeme Fowler
> Sent: Tuesday, June 12, 2007 4:09 PM
> To: CommuniGate Pro Discussions
> Subject: Re: Kerberos Authentication with 2003 Server
>
> On Tue, 2007-06-12 at 15:01 -0400, Andy Kunkle wrote:
> > I had been using just AIMENGINEERING.COM but should I be using
> > MAIL.AIMENGINEERING.COM instead? The error I'm getting in outlook now
> is:
> >
> > Kerberos: Failed to verify data integrity
>
> I just dug back through my email archive to find the correspondence I
> had over this exact issue last year (Aug/Sept) with the list.
>
> The problem was that I had managed to get more than one SPN into the
> Active Directory for the same service (imap), and had imported more
> than
> one into the CGP domain.
>
> Once I cleared the whole lot at both ends, I was able to get a single
> defined SPN mapping into the AD, and import that keytab alone into my
> CGP domain. That's when it all started to work.
>
> Graeme
On Tue, 2007-06-12 at 15:01 -0400, Andy Kunkle wrote:
> Well, I did what you said, I removed the cgp account from the AD server and
> then re-created another account called cgatepro. I then removed all of the
> .data files from the CGPro server and stopped and restarted the server.
OK, so second (or third) time around:
Deleting the .data files won't help you. You need to remove the kerberos
keys from the administrative interface:
Users/Domains/<domain>/Security/Kerberos
Delete *all* the imported keys, then re-import the last one you created.
Then you should have matching ends of the transaction.
Graeme
Yes, this is what I did in the first place. I only have 1 keytab on that
admin interface.
Also, when I run the setspn -L cgatepro it comes up with
imap/mail.aimengineering.com
I had one other question, when I create that keytab on the AD server, does
it need to be anywhere physically on the server? Like, in a certain
directory, or does simply running the ktpass enter the necessary information
into the AD schema?
Thanks!
Andy
Good. Sorry to labour the point, but it is the last one you created
isn't it? Any mismatch between the two "ends" will result in the error
you're seeing.
> Also, when I run the setspn -L cgatepro it comes up with
> imap/mail.aimengineering.com
OK, that's good.
> I had one other question, when I create that keytab on the AD server, does
> it need to be anywhere physically on the server? Like, in a certain
> directory, or does simply running the ktpass enter the necessary information
> into the AD schema?
Running ktpass does things to the AD objects, not the schema. See:
I think you're very close now, but have some stale data somewhere.
Another reboot of the client and a restart of the CGP Server process
wouldn't go amiss, just to clear out any host/process caches. I don't
believe rebooting your domain controller will do anything, apart from
p*** off your colleagues :)
Graeme
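To make the "matching ends" check above concrete: the file ktpass writes is an MIT-format keytab (version 0x0502), and the fields in it that must agree with the ticket the KDC issues are the principal, the realm, the encryption type and the key version number (kvno). The Python below is an added example, not code from this thread or from CommuniGate. It constructs a sample keytab for the thread's SPN (the key bytes, the timestamp of 0 and the kvno of 8 are made up for the sample), parses it back without ever printing the key, and reports why a ticket with a given enctype/kvno could not be decrypted with what the keytab holds.

```python
import struct

# Kerberos encryption-type numbers (RFC 3961 / RFC 4757), for readable output.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def build_keytab(entries):
    """Serialise (principal, realm, name_type, kvno, enctype, key) tuples as an
    MIT-format keytab, version 0x0502. Used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, realm, name_type, kvno, enctype, key in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components))
        body += struct.pack(">H", len(realm)) + realm.encode("ascii")
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode("ascii")
        # name type (32-bit), timestamp (32-bit; 0 because this is constructed), 8-bit vno
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key   # keyblock
        body += struct.pack(">I", kvno)                       # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the entries of an MIT keytab as dicts. The key material is skipped,
    not returned, so the output is safe to paste into a ticket or a mail."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []

    def counted(p):
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode("ascii"), p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = counted(pos)
        components = []
        for _ in range(ncomp):
            comp, pos = counted(pos)
            components.append(comp)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen           # step over the key bytes themselves
        vno = vno8
        if end - pos >= 4:        # optional 32-bit vno; authoritative when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append({
            "principal": "/".join(components),
            "realm": realm,
            "name_type": name_type,
            "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
        })
    return entries


def explain_mismatch(entries, principal, realm, enctype, kvno):
    """Compare the key the KDC used for a service ticket (principal, realm,
    enctype, kvno) against the keytab. An empty list means a usable key exists."""
    same_name = [e for e in entries if e["principal"] == principal and e["realm"] == realm]
    if not same_name:
        return [f"no key for {principal}@{realm} in keytab"]
    problems = []
    same_etype = [e for e in same_name if e["enctype"] == enctype]
    if not same_etype:
        have = ", ".join(sorted({e["enctype_name"] for e in same_name}))
        problems.append(f"keytab has {have}; ticket uses {ENCTYPE_NAMES.get(enctype, enctype)}")
    elif not any(e["kvno"] == kvno for e in same_etype):
        have = sorted({e["kvno"] for e in same_etype})
        problems.append(f"keytab kvno(s) {have}; ticket kvno {kvno}")
    return problems


# Constructed sample: one DES-CBC-MD5 key (8 dummy bytes) for the thread's SPN,
# name type 3 = KRB5_NT_SRV_HST as passed to ktpass above, made-up kvno 8.
SAMPLE_KEYTAB = build_keytab([
    ("imap/mail.aimengineering.com", "AIMENGINEERING.COM", 3, 8, 3, bytes(range(8))),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for entry in entries:
        print(entry)
    print(explain_mismatch(entries, "imap/mail.aimengineering.com",
                           "AIMENGINEERING.COM", 3, 9))
```

Run against a real keytab-imap.data (`parse_keytab(open(path, "rb").read())`), the entry list shows exactly what was imported into CGP; the kvno and enctype in it are what the server will try to use on the client's ticket, so they are the two numbers to compare with the AD side after each ktpass run.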
Any other ideas about this topic? I'm still at a loss here. Any of the CG
techs able to give a stab at this??
Andy Kunkle
IT Administrator
AIM Engineering & Surveying, Inc.
5300 Lee Blvd
Lehigh Acres, FL 33971
239-332-4569
> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGat...@mail.stalker.com] On
> Behalf Of Graeme Fowler
> Sent: Tuesday, June 12, 2007 4:32 PM
> To: CommuniGate Pro Discussions
> Subject: Re: Kerberos Authentication with 2003 Server
Did you try my last suggestion?
The thing is that this is not strictly a CGP problem - it's a Kerberos
implementation problem. Once you crack that side of it, you're away.
Graeme
I've tried rebooting everything, and also clearing out the SPN and
re-creating it. I've also purged the tickets (klist purge) and then opened
outlook again to get them back. I'm getting the tickets for imap/mail but
it's just not working. I'm still getting the error:
Kerberos: Failed to verify Data Integrity
No other helpful logs at all anywhere that I can find. Unless there's a way
to get more out of the eventvwr in windows 2003.
I'm still seeing this in the CGPro logs:
11:28:07.484 4 IMAP-000029([192.168.0.231]) got connection on
[192.168.0.50]:143(mail.aimengineering.com) from [192.168.0.231]:1675
11:28:07.484 5 IMAP-000029([192.168.0.231]) out: * OK CommuniGate Pro IMAP
Server 5.1.5 at mail.aimengineering.com ready\r\n
11:28:07.485 5 IMAP-000029([192.168.0.231]) inp: 00000001 STARTTLS
11:28:07.485 5 IMAP-000029([192.168.0.231]) out: 00000001 OK begin TLS
negotiation\r\n
11:28:07.495 5 IMAP-000029([192.168.0.231]) TLS inp 22: (65) 01 00 00 3D 03
01 46 70 0D 12 12 F5 86 D9 45 1F 98 FC 26 E5 37 E8 AC E3 58 2D 0D A9 9E B9
4A 1C 02 09 E7 DD 35 0B 00 00 16 00 04 00 05 00 0A 00 09 00 64 00 62 00 03
00 06 00 13 00 12 00 63 01 00
11:28:07.495 4 IMAP-000029([192.168.0.231]) TLSv1 client hello:
method=RC4_MD5, residual=0, session=20 < 00 00 00 14 46 70 0D 07 94 A0 55 07
DE 50 F2 58 AA C0 BC 28 97 C8 6B 01 37 E7 01 50 1F 69 16 14>
11:28:07.495 4 IMAP-000029([192.168.0.231]) TLS handshake: sending
'server_hello'
11:28:07.495 5 IMAP-000029([192.168.0.231]) TLS out 22: (74) 02 00 00 46 03
01 46 9C 0D 07 30 30 30 30 05 91 54 69 E9 C8 4A 1B 11 11 11 51 D9 C8 4A 5B
D9 C8 4A 27 72 3C 42 47 20 00 00 00 14 46 70 0D 07 94 A0 55 07 DE 50 F2 58
AA C0 BC 28 97 C8 6B 01 37 E7 01 50 1F 69 16 14 00 04 00
11:28:07.495 4 IMAP-000029([192.168.0.231]) TLS handshake: sending the
certificate
11:28:07.495 5 IMAP-000029([192.168.0.231]) TLS out 22: (573) 0B 00 02 39 00
02 36 00 02 33 30 82 02 2F 30 82 01 D9 02 02 1E 61 30 0D 06 09 2A 86 48 86
F7 0D 01 01 04 05 00 30 81 B0 31 22 30 20 06 03 55 04 0A 13 19 43 6F 6D 6D
75 6E 69 47 61 74 65 20 53 79 73 74 65 6D 73 2C 20 49 6E 63 2E 31 0B 30
11:28:07.496 4 IMAP-000029([192.168.0.231]) TLS handshake: sending
'hello_done'
11:28:07.496 5 IMAP-000029([192.168.0.231]) TLS out 22: (4) 0E 00 00 00
11:28:07.697 5 IMAP-000029([192.168.0.231]) TLS inp 22: (70) 10 00 00 42 00
40 5F 96 61 FC 19 50 69 A6 81 FF F1 C1 77 CF 03 29 20 45 CB B5 E7 DB 65 65
0D D5 9A 30 10 DC 55 67 C7 85 FD 59 9F CB D4 FE 9C 71 8A E6 F0 7D 8B 37 4C
45 1C 2F 3F F7 53 16 30 3E 05 EC C0 3C F9 35
11:28:07.701 4 IMAP-000029([192.168.0.231]) TLS client key exchange
processed
11:28:07.701 4 IMAP-000029([192.168.0.231]) security initiated
11:28:07.701 5 IMAP-000029([192.168.0.231]) TLS inp 20: (1) 01
11:28:07.701 4 IMAP-000029([192.168.0.231]) TLS 'change cipher' processed
11:28:07.701 4 IMAP-000029([192.168.0.231]) TLS 'change cipher' sending
11:28:07.701 5 IMAP-000029([192.168.0.231]) TLS out 20: (1) 01
11:28:07.701 5 IMAP-000029([192.168.0.231]) TLS inp 22: (32) D8 E7 DE B4 BC
DC 1E B2 99 46 D4 A3 5E 8D 37 0B B2 CF 5F 24 CB 69 56 3A 0A BC 24 6C 87 A2
0A BA
11:28:07.701 4 IMAP-000029([192.168.0.231]) TLS 'finish handshake' processed
11:28:07.701 4 IMAP-000029([192.168.0.231]) TLS handshake: sending
'finished'
11:28:07.701 5 IMAP-000029([192.168.0.231]) TLS out 22: (32) E3 5C CD 70 A6
BF 3B 5C 68 C4 CB CE 31 6F 3C 99 CC 20 04 BD 80 DA E5 42 E5 56 A6 3B 27 2E
D5 1A
11:28:07.701 4 IMAP-000029([192.168.0.231]) TLS(RC4_MD5) connection accepted
for 'mail.aimengineering.com', session 20
11:28:08.012 5 IMAP-000029([192.168.0.231]) TLS inp 23: (1619) 1A 1C DD 46
EE 73 80 7B AC A7 84 A9 BF 14 78 1F 32 92 3D 72 AA 60 F4 45 B8 4C 82 01 5D
B8 68 47 E1 11 06 E1 C2 2D FA 83 36 46 D0 09 DE 5F 79 7E F2 7C A2 38 86 6D
FF A8 5F 1F 31 89 4D 80 C2 AA 4A 05 85 7A 86 4C 03 A8 35 B4 64 C3 94 96 6E
11:28:08.012 5 IMAP-000029([192.168.0.231]) inp: 00000002 AUTHENTICATE
GSSAPI
YIIElgYJKoZIhvcSAQICAQBuggSFMIIEgaADAgEFoQMCAQ6iBwMFACAAAACjggOpYYIDpTCCA6Gg
AwIBBaEUGxJBSU1FTkdJTkVFUklORy5DT02iKjAooAMCAQKhITAfGwRpbWFwGxdtYWlsLmFpbWVu
Z2luZWVyaW5nLmNvbaOCA1YwggNSoAMCAQOhAwIBCaKCA0QEggNAPR9u8hrn2s5uDlS30n
11:28:08.012 5 IMAP-000029([192.168.0.231]) SASL(GSSAPI) ini: 60 82 04 96 06
09 2A 86 48 86 F7 12 01 02 02 01 00 6E 82 04 85 30 82 04 81 A0 03 02 01 05
A1 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 03 A9 61 82 03 A5 30 82 03
A1 A0 03 02 01 05 A1 14 1B 12 41 49 4D 45 4E 47 49 4E 45 45 52 49 4E 47
11:28:08.012 5 IMAP-000029([192.168.0.231]) s-out: 00000002 NO Kerberos:
failed to verify data integrity\r\n
11:28:08.012 5 IMAP-000029([192.168.0.231]) TLS out 23: (71) BB 41 C3 F2 80
4A 9C 19 BD C5 73 5F D3 9C EA 50 C6 71 C4 2A 6A D3 5F B7 3F 62 35 E5 1E 10
F4 6D 6C 3C B2 CC 1F 5D DA C1 E2 87 2B 03 94 BD 4D D9 0D 1D 31 4F 54 BC 7F
F3 F9 EF 42 1A 10 54 3C F8 F4 98 E9 58 23 E7 DA
11:28:08.013 3 IMAP-000029([192.168.0.231]) read failed. Error
Code=connection closed by peer
11:28:08.013 4 IMAP-000029([192.168.0.231]) TLS connection is closing
11:28:08.013 5 IMAP-000029([192.168.0.231]) TLS out 21: (18) 38 32 57 83 3A
5B 18 EB CB 7E 8C 40 58 5B B4 C9 02 BE
11:28:08.013 4 IMAP-000029([192.168.0.231]) closing connection
11:28:08.013 4 IMAP-000029([192.168.0.231]) releasing stream
11:28:23.001 5 IMAP stream thread finished
11:29:47.092 4 ACCOUNT(postmaster) taken from cache
I've created many different tickets, each time, I've deleted the realm from
the cgpro admin interface, purged the klist on the client, then stopped and
started the CG service on the mail server and run the ktpass program again,
re-uploaded the new .data file and tried outlook. The odd thing is that the
klist ticket I receive on the client never seems to change. Even if I use a
different crypto algorithm like RC4 or something... so it leads me to
believe that there's something cached, even on reboot???
My other question was regarding the location of the ktpass file on the
server. I know that running that program changes the user account in AD, but
does that file also need to be somewhere special? Like in the sysvol or
something?
I feel that we're just on the edge of getting this figured out, but I feel
like now I'm just mashing buttons and crossing my fingers... certainly not a
very organized approach!
Andy
> The thing is that this is not strictly a CGP problem - it's a Kerberos
> implementation problem. Once you crack that side of it, you're away.
>
> Graeme
>
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <CGat...@mail.stalker.com>.
> To unsubscribe, E-mail to: <CGateP...@mail.stalker.com>
> To switch to the DIGEST mode, E-mail to <CGatePro-
> dig...@mail.stalker.com>
> To switch to the INDEX mode, E-mail to <CGatePro-
> in...@mail.stalker.com>
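The log above shows the server rejecting the GSSAPI token with 'failed to verify data integrity', which typically means the ticket did not decrypt with the key in the server's keytab (wrong enctype or key version), so it is worth checking what the uploaded keytab.data actually contains before running ktpass again. The parser below is an added example, not code from the thread or from CGP: it reads the MIT keytab format ktpass writes and lists each entry's principal, kvno and enctype for comparison with the enctype klist shows for the imap/ ticket. build_keytab and SAMPLE_DES exist only to construct offline test data with a dummy key.

```python
import struct

def _cstr(buf, off):
    """Read one counted octet string (uint16 big-endian length + bytes) at off."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def parse_keytab(data):
    """Parse an MIT version-2 (0x0502) keytab, the format ktpass writes; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        e, off = data[pos:pos + size], 2
        pos += size
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, off = _cstr(e, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(e, off)
            comps.append(comp)
        # name type (3 = KRB5_NT_SRV_HST), timestamp, 8-bit kvno, enctype, key length
        name_type, _stamp, vno8, enctype, klen = struct.unpack(">IIBHH", e[off:off + 13])
        off += 13 + klen                   # skip the key material itself
        vno = struct.unpack(">I", e[off:off + 4])[0] if size - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": enctype, "name_type": name_type})
    return entries

def build_keytab(principal, kvno, enctype, key, name_type=3):
    """Serialise a one-entry keytab; used here only to construct test data."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode("utf-8")
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def entries_matching_ticket(keytab_bytes, ticket_enctype):
    """Entries whose enctype equals the one klist shows for the service ticket; empty = mismatch."""
    return [e for e in parse_keytab(keytab_bytes) if e["enctype"] == ticket_enctype]

# Constructed sample as if made with ktpass -crypto DES-CBC-MD5 (enctype 3; RC4-HMAC is 23), dummy key
SAMPLE_DES = build_keytab("imap/mail.aimengineering.com@AIMENGINEERING.COM", 3, 3, b"\x00" * 8)
```

Against the real file, parse_keytab(open("keytab-imap.data", "rb").read()) shows whether the principal, kvno and enctype on the server match the ticket the client presents.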
On Wed, 13 Jun 2007 11:49:41 -0400,
"Andy Kunkle" <aku...@aimengr.com> wrote:
Ing. Alexander Lázaro Gómez Valdivia
Emprestur s.a., Villa Clara branch
Carretera Central 117 e/ Eufemia y Caneyes, Santa Clara
Phone: (53) 42 208204, (53) 42 208205
E-mail: alexa...@esvc.co.cu
Website: http://www.esvc.co.cu
On 13 June 2007 16:50, Andy Kunkle wrote:
> I've tried rebooting everything, and also clearing out the SPN and
> re-creating it. I've also purged the tickets (klist purge) and then
> opened outlook again to get them back. I'm getting the tickets for
> imap/mail but it's just not working. I'm still getting the error:
>
> Kerberos: Failed to verify Data Integrity
<snip>
When you say "clearing out the SPN and recreating it", what do you mean
(how do you do it?)?
> I've created many different tickets, each time, I've deleted the
> realm from the cgpro admin interface, purged the klist on the client,
> then stopped and started the CG service on the mail server and run
> the ktpass program again, re-uploaded the new .data file and tried
> outlook. The odd thing is that the klist ticket I receive on the
> client never seems to change. Even if I use a different crypto
> algorithm like RC4 or something... so it leads me to believe that
> there's something cached, even on reboot???
[You don't need to restart the CG service when you do this]
I believe you have two instances of the imap/ SPN in your Active
Directory, and the client is picking up an old one before the new one.
Does your old "cgp" user still exist? Sadly I can't quite remember how
to view the assigned SPN mappings for a given user :(
> My other question was regarding the location of the ktpass file on the
> server. I know that running that program changes the user account in
> AD, but does that file also need to be somewhere special? Like in the
> sysvol or something?
No. When you run ktpass it does two things:
1. Sets/adds an SPN mapping to a user in the Active Directory
2. Outputs a keytab file for export to another system (in this case that
system is the CGP server application). You could put it on a floppy disk
and send it to Australia for all your domain controller would care, in
that it wouldn't :)
I think, as I said above, that you probably need to make sure you don't
have an older SPN mapping set on another user in your Active Directory.
Graeme
I gave that a shot too, and get the same error. Thanks for the input though!
Andy
Howdy!
> On 13 June 2007 16:50, Andy Kunkle wrote:
> > I've tried rebooting everything, and also clearing out the SPN and
> > re-creating it. I've also purged the tickets (klist purge) and then
> > opened outlook again to get them back. I'm getting the tickets for
> > imap/mail but it's just not working. I'm still getting the error:
> >
> > Kerberos: Failed to verify Data Integrity
> <snip>
>
> When you say "clearing out the SPN and recreating it", what do you mean
> (how do you do it?)?
I clear it by going to the AD server and in DOS doing the following:
Setspn -D imap/mail.aimengineering.com AIMENGINEERING.COM
This clears that SPN from the list... then if you search for it:
Setspn -L cgatepro
It doesn't find anything listed under that username.
Then I run the ktpass command again and it creates the ticket again as well
as the SPN, so when I do setspn -L cgatepro it shows up correctly
mapped.
> > I've created many different tickets, each time, I've deleted the
> > realm from the cgpro admin interface, purged the klist on the client,
> > then stopped and started the CG service on the mail server and run
> > the ktpass program again, re-uploaded the new .data file and tried
> > outlook. The odd thing is that the klist ticket I receive on the
> > client never seems to change. Even if I use a different crypto
> > algorithm like RC4 or something... so it leads me to believe that
> > there's something cached, even on reboot???
>
> [You don't need to restart the CG service when you do this]
Ok, I was just being extra cautious, in case something was hanging or
something...
> I believe you have two instances of the imap/ SPN in your Active
> Directory, and the client is picking up an old one before the new one.
> Does your old "cgp" user still exist? Sadly I can't quite remember how
> to view the assigned SPN mappings for a given user :(
No, I've removed those previous users. I was thinking that too so I created
them again in AD and then did the setspn -L username to see if there was a
mapping for it, but there wasn't. I wish you could do a search in the
directory for all instances of imap/mail... that would be the best method of
finding it.
There's also an LDP control panel in 2003 server where you can search the
LDAP for a particular occurrence of an object. I'm going to research that a
little more and see if I can find imap/mail... anywhere else in the
directory.
> > My other question was regarding the location of the ktpass file on
> the
> > server. I know that running that program changes the user account in
> > AD, but does that file also need to be somewhere special? Like in the
> > sysvol or something?
>
> No. When you run ktpass it does two things:
>
> 1. Sets/adds an SPN mapping to a user in the Active Directory
> 2. Outputs a keytab file for export to another system (in this case
> that
> system is the CGP server application). You could put it on a floppy
> disk
> and send it to Australia for all your domain controller would care, in
> that it wouldn't :)
>
> I think, as I said above, that you probably need to make sure you don't
> have an older SPN mapping set on another user in your Active Directory.
Roger that. I hear Aussie is nice this time of year... good diving too.
It seems we're thinking along the same lines here. I know we're close, but
I did receive a response from Tech Support regarding this issue and they
said that it was perhaps a problem with decryption on the CGP side and that
they are working on a fix for it this week. So I'm hoping that fix will
solve our (my) problems!
Thanks again for your diligence!
Andy
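Graeme's suspicion (an older imap/ mapping left on another account) and Andy's wish for a way to search the whole directory for every instance of imap/mail both come down to one query: ldifde -f spns.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName exports every object carrying an SPN, and the added Python script below (not code from the thread or from CGP) groups that export by SPN so duplicates show up. The LDIF sample is constructed; the script folds case because AD matches servicePrincipalName values case-insensitively, which also covers the HTTP/mail versus http/mail variants tried later in the thread.

```python
import base64
from collections import defaultdict

# Constructed LDIF in the shape of: ldifde -f spns.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName
SAMPLE_LDIF = """\
dn: CN=cgp,CN=Users,DC=aimengineering,DC=com
changetype: add
servicePrincipalName: imap/mail.aimengineering.com

dn: CN=cgatepro,CN=Users,DC=aimengineering,DC=com
changetype: add
servicePrincipalName: IMAP/mail.aimengineering.com
servicePrincipalName:: aHR0cC9tYWlsLmFpbWVuZ2luZWVyaW5nLmNvbQ==
"""

def parse_ldif(text):
    """Return [(dn, [servicePrincipalName values])]; handles folded lines and '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # LDIF folds long values onto indented lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, dn, spns = [], None, []
    for line in lines + [""]:                      # the trailing "" closes the last record
        if line == "":
            if dn is not None:
                records.append((dn, spns))
            dn, spns = None, []
            continue
        attr, _, value = line.partition(":")
        # "attr:: <base64>" is how ldifde writes values it will not emit as plain text
        value = base64.b64decode(value[1:].strip()).decode("utf-8") if value.startswith(":") else value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname":
            spns.append(value)
    return records

def spn_owners(text):
    """Map each SPN (lower-cased: AD matches SPNs case-insensitively) to the sorted DNs holding it."""
    owners = defaultdict(set)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items()}

def duplicate_spns(text):
    """SPNs registered on more than one object, the condition Graeme suspects above."""
    return {spn: dns for spn, dns in spn_owners(text).items() if len(dns) > 1}
```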
Checked and 1-4 correct.
Bret
It's that time again!! Kerberos time!! Yay. Anyway, I have some updates for
you. I started to follow a hunch last week, and just got finished about 10
minutes ago. I thought that there was something blown up in AD that was
causing the problems.
So, I reinstalled 2003 server, then got the SP2 update, then downloaded the
Resource Kit and the Support Tools for SP2, ran the ktpass command and now
I'm able to log in using Outlook!!! This is a bit troublesome, however,
because reinstalling the AD server in my production environment is not
something I can really do.
The differences between this install and the last:
Services for Unix is not installed on the fresh AD server now.
SP2 is installed now, where before I only had SP1 installed...
I'm hoping it was changes in SP2 that fixed it, and not the lack of Services
for UNIX... but who knows? The trouble if it is SFU and not the SP is that
you cannot uninstall Services for Unix. It's only a one-way thing, and since
it's installed on my production AD server, I'll be SOL if that's the case.
So, now that it's working, or at least seems to be, I'm pretty excited! I'm
still having trouble with one thing though, it's the HTTP access using
Pronto. I still get an incorrect username / password error when I try to log
in through there. I've tried to add another user in AD and given it
http/mail.aimengineering.com access through ktpass, but it doesn't work. I
must be missing something. I've tried it as HTTP/mail as well as http/mail
with no luck.
The other problem I have is the regular webmail link, the normal one found
at http://mailserver.com:8100, crashes the Communigate service every time I
try to log in. After running it, I have to go to the server and restart the
cgatepro service in Unix. I'm not sure what's going on there!
Anyway, let me know what you all think, but it seems there's a bit of
progress for a Monday.
Thanks!
Andy Kunkle
IT Administrator
AIM Engineering & Surveying, Inc.
5300 Lee Blvd
Lehigh Acres, FL 33971
239-332-4569
> No. When you run ktpass it does two things:
>
> 1. Sets/adds an SPN mapping to a user in the Active Directory
> 2. Outputs a keytab file for export to another system (in this case
> that
> system is the CGP server application). You could put it on a floppy
> disk
> and send it to Australia for all your domain controller would care, in
> that it wouldn't :)
>
> I think, as I said above, that you probably need to make sure you don't
> have an older SPN mapping set on another user in your Active Directory.
>
> Graeme
On Mon, 18 Jun 2007 13:13:45 -0400,
"Andy Kunkle" <aku...@aimengr.com> wrote:
Ing. Alexander Lázaro Gómez Valdivia
Emprestur s.a., Villa Clara branch
Carretera Central 117 e/ Eufemia y Caneyes, Santa Clara
Phone: (53) 42 208204, (53) 42 208205
E-mail: alexa...@esvc.co.cu
Website: http://www.esvc.co.cu
Bret