SMTP & Kerberos Delegation
- From: Steven_C <Steven_C@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 13 Oct 2008 21:02:01 -0700
Our email and computer security teams want to tighten up emails being sent
externally. They want the users to authenticate to the SMTP server. I'm not
having much luck and was wondering if anyone else has figured this out.

Environment: IE6/XP client --> W2K3/IIS 6/ASPX page .Net 2.0 --> W2K3/IIS
6/SMTP

The Authentication tab for the SMTP server is set to "Integrated
Windows Authentication". The web site on the IIS server is also set for
integrated authentication. The key issue is that we do not want to prompt
the user for their password. The MS Auth Diag tool and Brian Booth's
DelegConfig tool report that Kerberos is ok on the IIS server. I have a test
ASPX page that reads from a UNC on another server and that works fine. In the
security log on that server I see a Kerberos login for the client user. Here
is the ASPX code snippet.
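
    ' Needs the System.Net.Mail namespace imported on the page or in code-behind.
    Dim oMM As New MailMessage
    Dim emailaddr As String = "dave@xxxxxxxxxxxxx"
    Dim oAddress As New MailAddress(emailaddr)
    Dim oSMTP As New SmtpClient("mailhost.mycompany.com", 25)
    ' Same address used as sender and recipient for the test.
    oMM.From = oAddress
    oMM.To.Add(oAddress)
    oMM.Subject = "Mail test"
    oMM.Body = "Mail test"
    ' Authenticate to the SMTP server as the identity the thread is running under.
    oSMTP.UseDefaultCredentials = True
    oSMTP.Send(oMM)
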
With "UseDefaultCredentials = True" I see an "AUTH gssapi" packet being sent
from the IIS server to the SMTP server in a network trace. The web.config for
the site contains <identity impersonate="true" /> so this should be passing
the credentials of the user. But in the security log on the SMTP server I see
an NTLM logon for NT AUTHORITY\ANONYMOUS LOGON. If I set the web site to use
basic authentication then everything works. But we don't want to do that
because we want the integrated authentication to take care of that for us.

Within AD, the IIS server is set to "Trust this computer for delegation to
any service (Kerberos only)". And in the metabase on the SMTP server I have
NTAuthenticationProviders="GSSAPI,NTLM". Does SMTP support Kerberos logins?
The email team also has an SMTP that is installed as part of Exchange. Does
that support Kerberos? My email guys tell me that it should not matter.

Note: SMTP on the IIS server will not require authentication and can only send
emails internally. All externally bound emails must go through an SMTP server
that requires authentication.

How do I pass integrated credentials from a client to IIS to SMTP?

Thanks for any help.
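
One way to see which Windows token the ASPX page is about to present to the SMTP server, as an added example that is not part of the original post: it records the impersonated identity, how it was authenticated and its impersonation level next to the result of the send, so the output can be compared with the logon event on the SMTP server. The module and function names are hypothetical, and the code assumes it is called from the request thread with <identity impersonate="true" /> in effect.

```vbnet
Imports System
Imports System.Net.Mail
Imports System.Security.Principal
Imports System.Text

' Hypothetical helper module (added example, not the poster's code).
Public Module DelegationCheck

    ' Summarise the token the current thread is running under.
    Public Function DescribeIdentity(ByVal id As WindowsIdentity) As String
        Dim sb As New StringBuilder()
        sb.AppendFormat("Name={0}; ", id.Name)
        ' Authentication package that produced the logon, e.g. Kerberos or NTLM.
        sb.AppendFormat("AuthType={0}; ", id.AuthenticationType)
        ' Impersonation level of the token (TokenImpersonationLevel value).
        sb.AppendFormat("Level={0}; ", id.ImpersonationLevel)
        sb.AppendFormat("Anonymous={0}", id.IsAnonymous)
        Return sb.ToString()
    End Function

    ' True when the token reports the Delegation impersonation level,
    ' the level needed to forward a Kerberos logon to a second server.
    Public Function ReportsDelegation(ByVal id As WindowsIdentity) As Boolean
        Return Not id.IsAnonymous AndAlso _
               id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

    ' Send the test message and return one line suitable for a trace log.
    Public Function SendAndReport(ByVal host As String, ByVal addr As String) As String
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim report As String = DescribeIdentity(id) & _
            "; Delegation=" & ReportsDelegation(id).ToString()

        Dim msg As New MailMessage(addr, addr, "Mail test", "Mail test")
        Dim smtp As New SmtpClient(host, 25)
        smtp.UseDefaultCredentials = True
        Try
            smtp.Send(msg)
            Return "SENT; " & report
        Catch ex As SmtpException
            ' StatusCode carries the SMTP reply class returned by the server.
            Return "FAILED (" & ex.StatusCode.ToString() & "); " & report
        End Try
    End Function
End Module
```

Calling SendAndReport("mailhost.mycompany.com", emailaddr) from the test page and writing the returned line to the response or a log gives the IIS-side view to set against the security log entry on the SMTP server.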