RE: how kerberos authe actually works in owa 2003

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 27 Aug 2004 14:41:29 -0400

www.activedir.org
 

-----Original Message-----
From: Harding, Devon [mailto:dharding@xxxxxxxxxxxxxxxx] 
Sent: Friday, August 27, 2004 2:35 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how kerberos authe actually works in owa 2003

http://www.MSExchange.org/

Where does the AD mailing list live?  I'm really interested in this as
well.

-Devon

-----Original Message-----
From: Michael B. Smith [mailto:michael@xxxxxxxxxx]
Sent: Friday, August 27, 2004 1:52 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how kerberos authe actually works in owa
2003

This is really an A/D question, not an Exchange question. Exchange uses the
built-in capabilities of A/D-IIS. I think you'll probably get a better
response from the activedir mailing list.

(I could be wrong, and someone here knows the answer, but I don't think
so.)

Ah... I see that you also posted the same question there already.

-----Original Message-----
From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
Sent: Friday, August 27, 2004 2:43 PM
To: [ExchangeList]
Subject: [exchangelist] how kerberos authe actually works in owa 2003

Hi,
 
Can anyone help me to confirm whether the following flow of kerberos
authentication for OWA 2003 is correct ? I can only In the directory
security tab, I only enabled integrated windows authentication for exchange
web site.
 
Let's say there are 3 parties involved:
- AD (in windows 2000 server)
- Exchange Server 2003
- Windows XP as a testing client
The three machines are in the same windows domain
 
Since IE that user uses to access his/her mailbox and  IIS in exchange
server are all kerberized, when a user tries to open the owa website, first
of all, he / she will need to authenticate him / herself to the exchange
webserver using kerberos. This is done by getting a ticket for the webserver
from KDC. On behalf of the user, the web server will then send TGS-REQ to
windows kdc to get a ticket for ldap service. The ldap service ticket is
used as GSSAPI in ldap-request from exchange to AD to get information about
the user mail account.
 
Briefly, this is what happens:
1. AS-REQ from user to tgs service to get a tgt
2. AS-REP from tgs service
3. TGS-REQ from user to get a ticket for service http service of the web server
4. TGS-REP from tgs service
5. TGS-REQ from web server for service ldap to access AD
6. TGS-REP from tgs service which contains a ticket for service ldap
7. ldap request to get user account info like the mailbox location etc.
The ticket for service ldap is used as GSSAPI token for ldap authentication.
 
It's really important for me to understand how the flow of kerberos actually
works for owa 2003....can anybody share his / her ideas ?
 
thanks

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security
Resource Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
michael@xxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx



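The seven-step sequence the original poster asks about, written as an added checker that is not from any post in this thread: it compares a capture summary against that sequence and reports the first step that is absent. The trace records, role names, host names and SPNs are constructed for illustration, and the code only tests a trace against the poster's hypothesis; it does not confirm the hypothesis.

```python
from typing import List, NamedTuple, Optional


class Msg(NamedTuple):
    src: str   # sender role (assumed labels): "client", "web" or "kdc"
    kind: str  # message type, e.g. "AS-REQ"; "LDAP-REQ" is a label used here for step 7
    spn: str   # service principal the message concerns


# Steps 1-7 from the original question as (sender, message, service class).
EXPECTED = [
    ("client", "AS-REQ", "krbtgt"),
    ("kdc", "AS-REP", "krbtgt"),
    ("client", "TGS-REQ", "http"),
    ("kdc", "TGS-REP", "http"),
    ("web", "TGS-REQ", "ldap"),
    ("kdc", "TGS-REP", "ldap"),
    ("web", "LDAP-REQ", "ldap"),
]


def service_class(spn: str) -> str:
    """'HTTP/owa.example.test' -> 'http' (service class is case-insensitive)."""
    return spn.split("/", 1)[0].lower()


def first_missing_step(trace: List[Msg]) -> Optional[int]:
    """Return None if steps 1-7 occur in order (unrelated messages may
    interleave), otherwise the 1-based number of the first step not found."""
    pos = 0
    for number, expected in enumerate(EXPECTED, start=1):
        while pos < len(trace):
            m = trace[pos]
            pos += 1
            if (m.src, m.kind, service_class(m.spn)) == expected:
                break
        else:  # trace exhausted without a match for this step
            return number
    return None


# Constructed capture summaries (not taken from a real network).
TGT, WEB, DC = "krbtgt/EXAMPLE.TEST", "HTTP/owa.example.test", "ldap/dc1.example.test"
FULL = [Msg("client", "AS-REQ", TGT), Msg("kdc", "AS-REP", TGT),
        Msg("client", "TGS-REQ", WEB), Msg("kdc", "TGS-REP", WEB),
        Msg("web", "TGS-REQ", DC), Msg("kdc", "TGS-REP", DC),
        Msg("web", "LDAP-REQ", DC)]
# Same capture, but the web server never requests an ldap ticket.
NO_WEB_TGS = FULL[:4] + [Msg("web", "LDAP-REQ", DC)]

if __name__ == "__main__":
    print(first_missing_step(FULL), first_missing_step(NO_WEB_TGS))
```

A result of `None` means the capture is consistent with the described order; a step number points at the first exchange to look for in the capture.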