RE: how kerberos authe actually works in owa 2003

  • From: "Harding, Devon" <dharding@xxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 27 Aug 2004 14:34:33 -0400

Where does the AD mailing list lives?  I'm really interested in this as
well.

-Devon

-----Original Message-----
From: Michael B. Smith [mailto:michael@xxxxxxxxxx] 
Sent: Friday, August 27, 2004 1:52 PM
To: [ExchangeList]
Subject: [exchangelist] RE: how kerberos authe actually works in owa
2003

http://www.MSExchange.org/

This is really an A/D question, not an Exchange question. Exchange uses
the built-in capabilities of A/D-IIS. I think you'll probably get a
better response from the activedir mailing list.

(I could be wrong, and somewhere here knows the answer, but I don't
think so.)

Ah... I see that you also posted the same question there already.

-----Original Message-----
From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx] 
Sent: Friday, August 27, 2004 2:43 PM
To: [ExchangeList]
Subject: [exchangelist] how kerberos authe actually works in owa 2003

http://www.MSExchange.org/

Hi,
 
Can anyone help me to confirm whether the following flow of kerberos
authentication for OWA 2003 is correct ? I can only In the directory
security tab, I only enabled integrated windows authentication for
exchange web site.
 
Let's say there are 3 parties involved:
- AD (in windows 2000 server)
- Exchange Server 2003
- Windows XP as a testing client
The three machines are in the same windows domain
 
Since IE that user uses to access his/her mailbox and  IIS in exchange
server are all kerberized, when a user tries to open the owa website,
first of all, he / she will need to authenticate him / herself to the
exchange webserver using kerberos. This is done by getting a ticket for
the webserver from KDC. On behalf of the user, the web server will then
send TGS-REQ to windows kdc to get a ticket for ldap service. The ldap
service ticket is used as GSSAPI in ldap-request from exchange to AD to
get information about the user mail account.
 
Briefly, this is what happens:
1. AS-REQ from user to tgs service to get a tgt 2. AS-REP from tgs
service 3. TGS-REQ from user to get a ticket for service http service of
the web server 4. TGS-REP from tgs service 5. TGS-REQ from web server
for service ldap to access AD 6. TGS-REP from tgs service which contains
a ticket for service ldap 7. ldap request to get user account info like
the mailbox location etc.
The ticket for service ldap is used as GSSAPI token for ldap
authentication.
 
It's really important for me to understand how the flow of kerberos
actually works for owa 2003....can anybody share his / her ideas ?
 
thanks

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security
Resource Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
michael@xxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
dharding@xxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx


-----------------------------------------
__________________________________
This message and any attachments are solely for the intended recipient and may 
contain confidential or privileged information.  If you are not the intended 
recipient, any disclosure, copying, use or distribution of the information 
included in the message and any attachments is prohibited.  If you have 
received this communication in error, please notify us by reply e-mail and 
immediately and permanently delete this message and any attachments.  Thank You.



Other related posts: