Re: Kerberos Auth using O2k3 and E2k3 in a cluster

From: Rich Matheisen [MVP] (richnews_at_rmcons.com.NOSPAM.COM)
Date: 01/07/05


Date: Thu, 06 Jan 2005 20:42:24 -0500


"Steve" <sasteph@msn.com> wrote:

>We are having a problem converting our Outlook client authentication from
>NTLM to Kerberos. We are in a Windows 2003 clustered environment running
>Exchange 2003 in native mode. When we specify in the Outlook security
>settings to use Kerberos only, the user can't log on.
>
>Is anyone else having these issues?

Yes. And it doesn't affect just Outlook. Anything that uses Kerberos
is a problem (SIP w/Live Communications Server, mapping a network
share, etc.).

Kerberos will use UDP by default, and the size of the packet can be a
problem if it's getting fragmented by a router somewhere and not being
properly reassembled, or if there's a VPN involved where the VPN info
being added to the packet causes it to exceed the MTU size.

Try this KB article:
How to force Kerberos to use TCP instead of UDP [244474]

We've set the value to "1" to force the use of TCP and have seen the
problem disappear.

-- 
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
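
Added example, not part of the original post: a small Python model of the failure described in the reply, showing how tunnel overhead pushes a UDP Kerberos message into IP fragmentation and why a threshold of 1 moves it to TCP. It assumes "the value" is the MaxPacketSize threshold from the KB article and a simplified client rule (larger than the threshold means TCP); the function names and all sample sizes are constructed for illustration.

```python
IPV4_HEADER = 20   # bytes, IPv4 header without options
UDP_HEADER = 8     # bytes


def choose_transport(message_len, max_packet_size):
    """Simplified client rule (assumption): a message larger than the
    MaxPacketSize threshold goes over TCP, anything else over UDP."""
    return "tcp" if message_len > max_packet_size else "udp"


def udp_fragments(message_len, link_mtu, tunnel_overhead=0):
    """Number of IPv4 fragments needed to carry one UDP datagram."""
    path_mtu = link_mtu - tunnel_overhead      # VPN headers shrink the usable MTU
    datagram = UDP_HEADER + message_len        # IP payload before fragmenting
    if IPV4_HEADER + datagram <= path_mtu:
        return 1
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_fragment = (path_mtu - IPV4_HEADER) // 8 * 8
    return -(-datagram // per_fragment)        # ceiling division


def assess(message_len, max_packet_size, link_mtu, tunnel_overhead=0):
    """Report the transport used and whether the message depends on
    fragments being reassembled correctly along the path."""
    if choose_transport(message_len, max_packet_size) == "tcp":
        # TCP segments the stream itself instead of sending one large datagram.
        return {"transport": "tcp", "fragments": None, "at_risk": False}
    n = udp_fragments(message_len, link_mtu, tunnel_overhead)
    return {"transport": "udp", "fragments": n, "at_risk": n > 1}


if __name__ == "__main__":
    # Constructed sample: a 1420-byte request, 1500-byte link MTU,
    # 60 bytes of VPN encapsulation, threshold of 1465 versus 1.
    for threshold in (1465, 1):
        for overhead in (0, 60):
            print(threshold, overhead, assess(1420, threshold, 1500, overhead))
```
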

