how kerberos authe actually works in owa 2003

  • From: m1r4cle_26@xxxxxxxxx
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Fri, 27 Aug 2004 12:43:25 -0600

Can anyone help me to confirm whether the following flow of kerberos
authentication for OWA 2003 is correct ? I can only In the directory
security tab, I only enabled integrated windows authentication for
exchange web site.
Let's say there are 3 parties involved:
- AD (in windows 2000 server)
- Exchange Server 2003
- Windows XP as a testing client
The three machines are in the same windows domain
Since IE that user uses to access his/her mailbox and  IIS in exchange
server are all kerberized, when a user tries to open the owa website,
first of all, he / she will need to authenticate him / herself to the
exchange webserver using kerberos. This is done by getting a ticket for
the webserver from KDC. On behalf of the user, the web server will then
send TGS-REQ to windows kdc to get a ticket for ldap service. The ldap
service ticket is used as GSSAPI in ldap-request from exchange to AD to
get information about the user mail account.
Briefly, this is what happens:
1. AS-REQ from user to tgs service to get a tgt 
2. AS-REP from tgs service
3. TGS-REQ from user to get a ticket for service http service of the web
4. TGS-REP from tgs service
5. TGS-REQ from web server for service ldap to access AD
6. TGS-REP from tgs service which contains a ticket for service ldap
7. ldap request to get user account info like the mailbox location etc.
The ticket for service ldap is used as GSSAPI token for ldap
It's really important for me to understand how the flow of kerberos
actually works for owa 2003....can anybody share his / her ideas ?

Other related posts: