Re: Kerberos Auth using O2k3 and E2k3 in a cluster

From: Rich Matheisen [MVP] (richnews_at_rmcons.com.NOSPAM.COM)
Date: 01/08/05 

Date: Sat, 08 Jan 2005 11:09:34 -0500

"Steve" <sasteph@msn.com> wrote:

>We have tried this registry modification before with no sucesses. We can
>authenticate to our LCS and our DC using kerberos; it's just the Exchange
>servers. We do have one Outllok profile that works, and if you bring up the
>connection status dialog box it shows connections direcly to the domain
>controller as opposed to the other machines which show connections to the
>Exchange server.

Outlook 2003 (and XP, and maybe 2000 -- I forget) can "talk" directly
to a GC. They may ask the Exchange server for a GC name, though. The
DSProxy service on the Exchange server can also be used. It just
passes through the information to the GC and passes back the results
to the client.

>The strange thing is that on the same client machine if we
>create an identical Outlook profile using kerberose only it will not
>authenticate.

So only NTLM authentication works?

How about this KB?

Description of the Properties of the Cluster Network Name Resource in
Windows Server 2003 [302389]

If you've disabled the use of UDP by kerberos (by setting the max
packet size to 1 byte), followed the above KB, and the client still
fails to authenticate using kerberos, I'd call MS (or check routers
for packet filters, IPSec for port blocking, etc.). I'd also
doublecheck the registry modification to make sure the key and data
names are spelled correctly. Sometimes the names are case-sensitive .
. . sometimes they aren't. 

-- 
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm

Relevant Pages

  • Re: Allowing Mail from an appliance &/or other Mail server
    ... this virtual server and restrict by the ip address for the security. ... accomplished by limiting which IP addresses can connect to your SMTP ... Outlook users do not need smtp connectivity to Exchange servers - they ... your smtp relay server configured to authenticate as well. ...
    (microsoft.public.exchange.connectivity)
  • Re: Password Authentication
    ... >> on the exchange server it shows her as being ... >It is a very common user error. ... >> email on our server other than through the web server. ... >> still cannot get it to authenticate! ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Password Authentication
    ... It is a very common user error. ... > email on our server other than through the web server. ... > still cannot get it to authenticate! ... We are using Exchange 2000 on a 2000 ...
    (microsoft.public.windowsxp.security_admin)
  • Re: SBS2003 - Active Sync - http_500
    ... 1.Make sure that Kerberos is enabled on the Exchange computer. ... Exchange Server ActiveSync will fail. ... |> use the /Exchange virtual directory to access OWA templates and DAV ...
    (microsoft.public.windows.server.sbs)
  • Re: SYNC_5 Fehler bei der Syncronisation mit Exchange 2003
    ... was SYNC5_ genau heissen kann (MIS_5 hiess das damals beim Mobile INformation Server) ... Windows Integrated Authentication is not enabled on the Exchange virtual directory on the Exchange server. ... Windows Integrated Authentication is enabled on the Exchange virtual directory on the Exchange server, but Kerberos is disabled via the IIS metabase. ...
    (microsoft.public.de.exchange)