RE: how Kerberos authentication actually works in OWA 2003

  • From: "Michael B. Smith" <michael@xxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 27 Aug 2004 13:52:15 -0400

This is really an A/D question, not an Exchange question. Exchange uses
the built-in capabilities of A/D-IIS. I think you'll probably get a
better response from the activedir mailing list.

(I could be wrong, and someone here may know the answer, but I don't
think so.)

Ah... I see that you also posted the same question there already.

-----Original Message-----
From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx] 
Sent: Friday, August 27, 2004 2:43 PM
To: [ExchangeList]
Subject: [exchangelist] how Kerberos authentication actually works in OWA 2003

Can anyone help me confirm whether the following flow of Kerberos
authentication for OWA 2003 is correct? In the Directory Security tab, I
only enabled Integrated Windows Authentication for the Exchange web site.
Let's say there are 3 parties involved:
- AD (on Windows 2000 Server)
- Exchange Server 2003
- Windows XP as a testing client
The three machines are in the same Windows domain.
Since the IE that the user uses to access his/her mailbox and the IIS on
the Exchange server are both Kerberized, when a user tries to open the
OWA website, first of all he/she will need to authenticate him/herself to
the Exchange web server using Kerberos. This is done by getting a ticket
for the web server from the KDC. On behalf of the user, the web server
will then send a TGS-REQ to the Windows KDC to get a ticket for the ldap
service. The ldap service ticket is used as a GSSAPI token in the LDAP
request from Exchange to AD to get information about the user's mail
account.
Briefly, this is what happens:
1. AS-REQ from the user to the TGS service to get a TGT
2. AS-REP from the TGS service
3. TGS-REQ from the user to get a ticket for the HTTP service of the web
   server
4. TGS-REP from the TGS service
5. TGS-REQ from the web server for the ldap service to access AD
6. TGS-REP from the TGS service, which contains a ticket for the ldap
   service
7. LDAP request to get user account info like the mailbox location etc.
The ticket for the ldap service is used as the GSSAPI token for LDAP.
It's really important for me to understand how the flow of Kerberos
actually works for OWA 2003.... Can anybody share his/her ideas?
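Editor's note, added to this archived thread (not part of either message above): the quickest way to settle a "which tickets get requested, and for whom" question like this one is to capture the traffic to the KDC on UDP/TCP 88 and read the cleartext parts of each message. The APPLICATION tag gives the message type, the sname in a KDC-REQ body or in the Ticket of a KDC-REP gives the service principal (krbtgt/REALM for a TGT, HTTP/host for the OWA virtual server, ldap/dc for the directory), and the cname in a KDC-REP says who the ticket was issued to. The decoder below does exactly that for RFC 4120 AS/TGS messages; it ignores the encrypted parts. The sample bytes are constructed here to model the six steps in the post, with a hypothetical realm, user and hostnames, and are not captured traffic. The check worth doing on a real capture is step 6: if the cname in that TGS-REP is the user, the LDAP lookup is being done with delegated user credentials as the post describes; if it is the Exchange server's computer account, the server is querying the directory in its own name.

```python
"""Decode the cleartext header of Kerberos KDC messages (AS/TGS-REQ and -REP, RFC 4120).
The sample flow is constructed (hypothetical realm, user, hosts); encrypted parts are dummy."""

MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP"}

# --- minimal DER encoder, used only to construct the sample messages ---------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _int(v):          return _tlv(0x02, bytes([v]))                 # small non-negative INTEGER
def _gstr(s):         return _tlv(0x1B, s.encode())                 # GeneralString
def _ctx(n, content): return _tlv(0xA0 | n, content)                # context-specific [n], constructed
def _seq(*parts):     return _tlv(0x30, b"".join(parts))            # SEQUENCE
def _enc_data():      return _seq(_ctx(0, _int(23)), _ctx(2, _tlv(0x04, b"\x00" * 8)))  # dummy EncryptedData

def _principal(name_type, *parts):
    # PrincipalName ::= SEQUENCE { name-type [0] INTEGER, name-string [1] SEQUENCE OF GeneralString }
    return _seq(_ctx(0, _int(name_type)), _ctx(1, _seq(*[_gstr(p) for p in parts])))

def build_kdc_req(msg_type, realm, sname, cname=None):
    """AS-REQ (10) or TGS-REQ (12). A TGS-REQ carries no cname: the client is identified by the
    AP-REQ in padata, which is omitted here since it is encrypted and not needed by the decoder."""
    body = [_ctx(0, _tlv(0x03, b"\x00\x40\x00\x00\x00"))]           # kdc-options BIT STRING (forwardable)
    if cname:
        body.append(_ctx(1, _principal(1, *cname)))
    body += [_ctx(2, _gstr(realm)), _ctx(3, _principal(2, *sname))]
    return _tlv(0x60 | msg_type, _seq(_ctx(1, _int(5)), _ctx(2, _int(msg_type)), _ctx(4, _seq(*body))))

def build_kdc_rep(msg_type, realm, cname, sname):
    """AS-REP (11) or TGS-REP (13) carrying a Ticket (APPLICATION 1) whose realm and sname are cleartext."""
    ticket = _tlv(0x61, _seq(_ctx(0, _int(5)), _ctx(1, _gstr(realm)),
                             _ctx(2, _principal(2, *sname)), _ctx(3, _enc_data())))
    return _tlv(0x60 | msg_type, _seq(_ctx(0, _int(5)), _ctx(1, _int(msg_type)), _ctx(3, _gstr(realm)),
                                      _ctx(4, _principal(1, *cname)), _ctx(5, ticket), _ctx(6, _enc_data())))

# --- decoder: what you would run over bytes captured on port 88 --------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _field(children, n):
    """Contents of the context-specific [n] field, or None if absent."""
    return next((val for tag, val in children if tag == (0xA0 | n)), None)

def _inner(value):
    """Unwrap a field holding one constructed element and return that element's children."""
    return _children(_children(value)[0][1])

def _principal_str(value):
    names = _children(_children(_field(_inner(value), 1))[0][1])
    return "/".join(s.decode() for _, s in names)

def decode_kdc_message(data):
    app_tag, body, _ = _read_tlv(data, 0)
    msg_type = app_tag & 0x1F                        # APPLICATION n equals msg-type for KDC messages
    fields = _children(_children(body)[0][1])
    info = {"type": MSG_TYPES.get(msg_type, msg_type), "cname": None}
    if msg_type in (10, 12):                         # KDC-REQ: req-body is [4]; cname [1], realm [2], sname [3]
        rb = _inner(_field(fields, 4))
        info["realm"] = _children(_field(rb, 2))[0][1].decode()
        info["sname"] = _principal_str(_field(rb, 3))
        if _field(rb, 1) is not None:
            info["cname"] = _principal_str(_field(rb, 1))
    elif msg_type in (11, 13):                       # KDC-REP: crealm [3], cname [4], ticket [5]
        info["realm"] = _children(_field(fields, 3))[0][1].decode()
        info["cname"] = _principal_str(_field(fields, 4))
        tk = _inner(_children(_field(fields, 5))[0][1])   # Ticket ::= [APPLICATION 1] SEQUENCE { ..., sname [2], ... }
        info["sname"] = _principal_str(_field(tk, 2))
    return info

def summarize_flow(messages):
    """[(type, sname, cname), ...] in wire order."""
    return [(m["type"], m["sname"], m["cname"]) for m in map(decode_kdc_message, messages)]

# Constructed sample of the six KDC steps in the post (hypothetical realm, user and hosts).
REALM, USER = "EXAMPLE.LOCAL", ("alice",)
SAMPLE_FLOW = [
    build_kdc_req(10, REALM, ("krbtgt", REALM), cname=USER),        # 1. AS-REQ for a TGT
    build_kdc_rep(11, REALM, USER, ("krbtgt", REALM)),              # 2. AS-REP with the TGT
    build_kdc_req(12, REALM, ("HTTP", "owa.example.local")),        # 3. TGS-REQ for the OWA SPN
    build_kdc_rep(13, REALM, USER, ("HTTP", "owa.example.local")),  # 4. TGS-REP: HTTP service ticket
    build_kdc_req(12, REALM, ("ldap", "dc1.example.local")),        # 5. TGS-REQ sent by the web server
    build_kdc_rep(13, REALM, USER, ("ldap", "dc1.example.local")),  # 6. TGS-REP: ldap ticket, issued to alice
]

if __name__ == "__main__":
    for step, (kind, sname, cname) in enumerate(summarize_flow(SAMPLE_FLOW), 1):
        print(f"{step}. {kind:8s} sname={sname:26s} cname={cname}")
```

On a real capture, feed each Kerberos PDU (strip the 4-byte length prefix on TCP) to decode_kdc_message; a TGS-REQ decodes with cname None because the requester is only named inside the encrypted AP-REQ, so look at the following TGS-REP's cname instead.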
