> I think from what you're seeing that your FE will not authenticate with a
> different realm. It uses the NTLM auth that it passes. It does a quick
> lookup (as you saw) for the basic authentication (Does the user exist is the
> question it's asking the Active Directory, right? 'Cause if it doesn't, why
> bother to continue?) You're still not "authenticated" or more precisely
> authenticated and authorized at this point because you haven't passed all
> credentials. The hash (NTLM) is sent to the BE server which is supposed to
> then use Kerberos authentication in your scenario. The eventvwr entries
> seem to coincide with this.
>
> This indicates that if you wanted to deal with another realm, you're really
> looking at putting that realm internal and using it via some sort of trust
> to allow the BE server to auth via that mechanism. It will still use the
> Active Directory since Exchange relies on the mailbox-enabled user objects
> to be there, but a trust would be set up and configured.

My experiment yesterday was purely Microsoft based, no external realm
involved yet. I tried again today, and this time FE did send AS-REQ and
TGS-REQ on behalf of the user to AD. However, it seems that the Kerberos
authentication here is not used to validate the user password, but to
obtain a ticket to access the BE. Seems to me that authentication is done
with a DCERPC request to AD, which I cannot confirm because it's encrypted.
When I enter a wrong password, FE sends HTTP access denied to the client,
and no AS-REQ is sent to AD. I'll try to put FE in an external realm
tomorrow, and see what happens.

> So that leads me to these questions:
> 1) Why aren't you using Windows 2003 for this? Kerberos interop gets
> *better* in Windows 2003.

I'm using Windows 2000 Server SP4. Should be enough when no external realm
is involved yet, right? But not sure whether it will be when I use an
external realm.

> 2) Why aren't you using Exchange 2003? It uses IIS 6.0 and was re-written
> which may give different results.

I do use Exchange 2003: Exchange 2003 on Windows 2000 SP4. I believe I have
mentioned it before in my previous mails, otherwise I wouldn't say anything
about form based, right ;)

> 3) Have you seen the Unix interoperability document? It's called "Solution
> Guide for Windows Security and Directory Services for UNIX" and it may hold
> some useful information and tool references to help see the Kerberos
> information more clearly.

Not yet, will look into it, thanks :-)

> 4) When you looked online, did you see the Exchange deployment docs? They
> talk about multi-forest deployment scenarios which have the same issues you
> are looking at and discuss what is needed to make it work. It has more
> information than you're looking for, but it does talk about the trusts etc.
> The hardest part will be the MIT interop. That's because it may use other
> encryption types than Windows 2003 supports.
>
> Al
>
> -----Original Message-----
> From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
> Sent: Wednesday, September 01, 2004 12:08 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: form based auth using kerberos ?
>
> http://www.MSExchange.org/
>
> > How about this: Setup a mock FE/BE scenario and run a network trace.
> I've done it today.
> Following are my observations (please correct me if I'm wrong):
> Setup:
> 1. FE - only Basic Authentication enabled
> 2. BE - only Integrated Authentication enabled
>
> Flow (roughly):
> 1. HTTP request from client to FE
> 2. LDAP search from FE to AD
> 3. LDAP entry from AD to FE, where the BE actually is
> 4. HTTP request from FE to BE (NTLM used!, not Kerberos, why?)
> 5. DCERPC Bind from BE to AD, UUID = EPM
> 6. DCERPC Bind Ack from AD to BE
> 7. DCERPC Bind from BE to AD, UUID = RPC_NETLOGON
> 8. DCERPC Bind Ack from AD to BE
> 9. LDAP search from BE to AD
> 10. LDAP entry from AD to BE
> 11. HTTP OK from BE to FE
> 12. HTTP OK from FE to BE
>
> No krb5 packet captured by ethereal at all! Not even sure whether FE & BE
> authenticate the user to AD. All I could see was LDAP requests and DCERPC
> (I expected Kerberos packets so much..)
>
> Another question is why does it seem the Kerberos auth from FE to BE failed
> (HTTP is using NTLM), but in the audit logged in event viewer:
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 9/1/2004
> Time: 9:37:29 PM
> User: LARASARI\lara
> Computer: FREXCHW2KSERVER
> Description:
> Successful Network Logon:
> User Name: lara
> Domain: LARASARI
> Logon ID: (0x0,0x79B48D)
> Logon Type: 8
> Logon Process: IIS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: FREXCHW2KSERVER
>
> is logged on FE, while:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 9/1/2004
> Time: 9:51:02 PM
> User: LARASARI\lara
> Computer: EXCHW2KSERVER
> Description:
> Successful Network Logon:
> User Name: lara
> Domain: LARASARI
> Logon ID: (0x0,0x785801)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
>
> is logged on BE,
> which proves that basic authentication generates Kerberos tokens for
> delegation! (ref: Microsoft Knowledge Base Article - 287537)
>
> > Keep in mind that regardless of the forms based vs. pop-up auth you
> > use, the only expected difference in the process is that your clients
> > will be able to cache credentials on the local workstation if they
> > wanted. Forms based auth prevents that.
> The above experiment was using pop-up auth by the way, not form-based.
>
> > One other thing that may be helpful here: Tell us why you want
> > kerberos auth vs. any other? What's the risk you're trying to
> > mitigate here, because there may be another way that doesn't take so much
> > of your time.
> Well, if FE/BE is able to authenticate against AD using Kerberos, we would
> like to make them authenticate against an MIT KDC, if possible...
>
> > If that fails to get the results you need, it might be worthwhile to
> > open a support call with Microsoft to have them research it and give
> > you a definitive answer. I suspect that for your purposes, you'll
> > still end up testing it on the wire though :)
> Ugh, yeah... I guess so...
>
> What do you think of the result of my experiment?
>
> Thanks for discussing this issue with me, glad to have someone with whom I
> can discuss it...
> lara
>
> > -----Original Message-----
> > From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
> > Sent: Tuesday, August 31, 2004 7:52 AM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: form based auth using kerberos ?
> >
> > http://www.MSExchange.org/
> >
> > > You would need a front-end/back-end solution IIRC. The use of
> > > Kerberos authentication occurs after you set integrated
> > > authentication, but you can't do that for the anonymous users on the
> > > internet. Hence, clear-text auth is usually recommended.
> > Yes, I agree. I have to use basic authentication with SSL enabled
> > between browser and Exchange.
> >
> > > Have you checked out some of the docs on
> > > http://www.microsoft.com/exchange/library for some additional
> > > deployment suggestions for this scenario?
> >
> > As suggested, I have read some docs in the Microsoft library.
> > Kerberos auth is used by front-end to send user cred to back-end to
> > get the mailbox, but front end still needs to authenticate user to AD,
> > and so does back end. So the flow will be:
> > front end -- ? --> AD
> > front end -- kerberos --> back end
> > back end -- ? --> AD
> > (based on article:
> > http://www.winnetmag.com/Article/ArticleID/40371/40371.html)
> >
> > From the net, I can only know that an RPC call is used for communication
> > from front end to AD. But how does the user authentication process
> > actually work?
> > I'm still clueless about the "? protocol" used here. What is the default?
> > Can I use Kerberos?
> >
> > So if my understanding is right, even using FE/BE won't guarantee that
> > I can authenticate users using Kerberos, right?
> >
> > If Kerberos can't work with form based auth, what about non form-based
> > auth, can Exchange use Kerberos to authenticate users to AD?
> >
> > Once again, thanks for your help
> > lara
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> > Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 ISA Server Resource Site: http://www.isaserver.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this MSEXchange.org Discussion List as:
> > al.mulnick@xxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > Report abuse to listadmin@xxxxxxxxxxxxxx
> > ------------------------------------------------------
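As an added example (not from the thread or from Microsoft), a small Python parser for Security-log text exports shaped like the two Event ID 540 records quoted above; the hostnames and account in the sample are constructed placeholders, not captured data. It separates a logon type 8 record (the server itself validated a cleartext password, which is what Basic auth on the FE produces) from a type 3 record with Authentication Package Kerberos (a ticket was presented, as on the BE), so an auditor can see on which hop the password reached the server and on which only a token was used.

```python
import re
# Constructed sample: two Event ID 540 records shaped like the FE and BE entries
# quoted in the thread (hostnames and account are placeholders, not captured data).
SAMPLE_LOG = """\
Event ID: 540
Computer: FE-SERVER
User Name: alice
Logon Type: 8
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: FE-SERVER

Event ID: 540
Computer: BE-SERVER
User Name: alice
Logon Type: 3
Authentication Package: Kerberos
Workstation Name:
"""

LOGON_TYPES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext"}

def parse_events(text):
    """Split an event-log text export into records of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def classify(event):
    """Name the credential path: type 8 means the server saw the password itself
    (basic auth); type 3 with package Kerberos means a ticket was presented."""
    ltype = int(event.get("Logon Type", -1))
    package = event.get("Authentication Package", "")
    if ltype == 8:
        return "cleartext password validated by " + package
    if package.lower() == "kerberos":
        return "Kerberos ticket (direct or delegated)"
    if "NTLM" in package.upper() or package.startswith("MICROSOFT_AUTHENTICATION"):
        return "NTLM challenge/response"
    return "other: " + package

def audit_summary(text):
    # One (computer, logon type name, credential path) tuple per 540 record.
    return [(e.get("Computer"), LOGON_TYPES.get(int(e["Logon Type"]), "?"), classify(e))
            for e in parse_events(text) if e.get("Event ID") == "540"]
```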