| Author |
Message |
Steve
Guest
|
Posted:
Thu Jan 06, 2005 10:10 pm Post subject:
Kerberos Auth using O2k3 and E2k3 in a cluster |
|
|
We are having a problem converting our Outlook client authentication from
NTLM to Kerberos. We are in a Windows 2003 clustered environment running
Exchange 2003 in native mode. When we specify in the Outlook security
settings to use Kerberos only, the user can't logon.
Is anyone else having these issues?
Thanks
Steve
|
|
|
 |
Rich Matheisen [MVP]
Guest
|
Posted:
Fri Jan 07, 2005 7:42 am Post subject:
Re: Kerberos Auth using O2k3 and E2k3 in a cluster |
|
|
"Steve" <sasteph@msn.com> wrote:
| Quote: | We are having a problem converting our Outlook client authentication from
NTLM to Kerberos. We are in a Windows 2003 clustered environment running
Exchange 2003 in native mode. When we specify in the Outlook security
settings to use Kerberos only, the user can't logon.
Is anyone else having these issues?
|
Yes. And it doesn't affect just Outlook. Anything that uses Kerberos
is a problem (SIP w/Live Communications Server, mapping a network
share, etc.).
Kerberos will use UDP by default, and the size of the packet can be a
problem if it's getting fragmented by a router somewhere and not being
properly reassembled, or if there's a VPN involved where the VPN info
being added to the packet causes it to exceed the MTU size.
Try this KB article:
How to force Kerberos to use TCP instead of UDP [244474]
We've set the value to "1" to force the use of TCP and have seen the
problem disappear.
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm |
|
|
 |
Steve
Guest
|
Posted:
Fri Jan 07, 2005 10:15 pm Post subject:
Re: Kerberos Auth using O2k3 and E2k3 in a cluster |
|
|
Thanks Rich!
We have tried this registry modification before with no success. We can
authenticate to our LCS and our DC using Kerberos; it's just the Exchange
servers. We do have one Outlook profile that works, and if you bring up the
connection status dialog box it shows connections directly to the domain
controller as opposed to the other machines which show connections to the
Exchange server. The strange thing is that on the same client machine if we
create an identical Outlook profile using Kerberos only it will not
authenticate.
Thanks again for the input,
Steve
Email & Collaboration Technical Lead
|
|
|
 |
Rich Matheisen [MVP]
Guest
|
Posted:
Sat Jan 08, 2005 10:09 pm Post subject:
Re: Kerberos Auth using O2k3 and E2k3 in a cluster |
|
|
"Steve" <sasteph@msn.com> wrote:
| Quote: | We have tried this registry modification before with no success. We can
authenticate to our LCS and our DC using Kerberos; it's just the Exchange
servers. We do have one Outlook profile that works, and if you bring up the
connection status dialog box it shows connections directly to the domain
controller as opposed to the other machines which show connections to the
Exchange server.
|
Outlook 2003 (and XP, and maybe 2000 -- I forget) can "talk" directly
to a GC. They may ask the Exchange server for a GC name, though. The
DSProxy service on the Exchange server can also be used. It just
passes through the information to the GC and passes back the results
to the client.
| Quote: | The strange thing is that on the same client machine if we
create an identical Outlook profile using Kerberos only it will not
authenticate.
|
So only NTLM authentication works?
How about this KB?
Description of the Properties of the Cluster Network Name Resource in
Windows Server 2003 [302389]
If you've disabled the use of UDP by kerberos (by setting the max
packet size to 1 byte), followed the above KB, and the client still
fails to authenticate using kerberos, I'd call MS (or check routers
for packet filters, IPSec for port blocking, etc.). I'd also
double-check the registry modification to make sure the key and data
names are spelled correctly. Sometimes the names are case-sensitive
... sometimes they aren't.
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm |
|
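The registry check suggested in the two replies above, as an added example that is not part of any post in the thread. The key path and value name (MaxPacketSize, REG_DWORD) are taken from KB 244474 rather than from the thread, and the function name is hypothetical.

```powershell
# Added example (not from the thread). Key path and value name are the ones
# documented in KB 244474; confirm them against the article.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Expected   = 'MaxPacketSize'

function Test-KerberosForceTcp {
    param(
        [string]$Path = $KerbParams,
        [string]$Name = $Expected
    )

    # A misspelled key simply does not exist, so Kerberos keeps its UDP default.
    if (-not (Test-Path -LiteralPath $Path)) {
        return "FAIL: key not found: $Path (check each path component)"
    }

    $key   = Get-Item -LiteralPath $Path
    $names = @($key.GetValueNames())

    if ($names -notcontains $Name) {
        # List what is actually there so a near-miss spelling stands out.
        $present = if ($names.Count) { $names -join ', ' } else { '(none)' }
        return "FAIL: value '$Name' not found. Values present: $present"
    }

    # A value created with the wrong type (for example REG_SZ "1") is not
    # the DWORD setting the KB describes.
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return "FAIL: '$Name' is $kind; it must be REG_DWORD"
    }

    $data = $key.GetValue($Name)
    if ($data -ne 1) {
        return "WARN: '$Name' = $data; the thread sets it to 1 to force TCP"
    }
    return "OK: '$Name' = 1 (REG_DWORD)"
}

Test-KerberosForceTcp
```

Run it on the client that fails to authenticate, since the setting applies to the machine requesting the tickets.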
|
 |
Doug Frisk
Guest
|
Posted:
Sat Jan 08, 2005 11:16 pm Post subject:
Re: Kerberos Auth using O2k3 and E2k3 in a cluster |
|
|
"Steve" <sasteph@msn.com> wrote in message
news:%23vIRUQN9EHA.2012@TK2MSFTNGP15.phx.gbl...
| Quote: | Thanks Rich!
We have tried this registry modification before with no success. We can
authenticate to our LCS and our DC using Kerberos; it's just the Exchange
servers. We do have one Outlook profile that works, and if you bring up the
connection status dialog box it shows connections directly to the domain
controller as opposed to the other machines which show connections to the
Exchange server. The strange thing is that on the same client machine if we
create an identical Outlook profile using Kerberos only it will not
authenticate.
|
Are the SPNs for the Exchange virtual server published? Kerberos
authentication won't work if the SPNs aren't there.
The command to check is "Setspn -L ExchangeVirtualServer". Setspn is part
of the resource kit or downloadable from Microsoft. |
|
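One way to turn the "Setspn -L" check above into a pass/fail test, as an added example that is not part of any post in the thread. The service classes checked (exchangeMDB, exchangeRFR, exchangeAB) are an assumption about what an Exchange 2003 virtual server registers for MAPI clients; EXVS1, example.com and the function name are placeholders, and the sample output is constructed.

```powershell
# Added example (not from the thread). The service classes below are an
# assumption; adjust them to what your Exchange version documents.
$ExpectedClasses = 'exchangeMDB', 'exchangeRFR', 'exchangeAB'

function Get-MissingSpn {
    param(
        [string[]]$SetspnOutput,   # lines printed by "setspn -L <account>"
        [string[]]$HostNames,      # names clients connect to: short name and FQDN
        [string[]]$Classes = $ExpectedClasses
    )

    # SPN lines are indented "class/host"; the header line contains spaces
    # and is dropped by the pattern.
    $registered = $SetspnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^/\s:]+/\S+$' }

    # Every class must be registered for every name a client might use.
    # -notcontains compares case-insensitively.
    foreach ($class in $Classes) {
        foreach ($h in $HostNames) {
            $spn = "$class/$h"
            if ($registered -notcontains $spn) { $spn }
        }
    }
}

# Constructed sample output: exchangeAB is absent and exchangeMDB is
# registered for the FQDN only.
$sample = @'
Registered ServicePrincipalNames for CN=EXVS1,CN=Computers,DC=example,DC=com:
    exchangeRFR/EXVS1
    exchangeRFR/exvs1.example.com
    exchangeMDB/exvs1.example.com
    SMTPSVC/EXVS1
    SMTPSVC/exvs1.example.com
'@ -split "`r?`n"

Get-MissingSpn -SetspnOutput $sample -HostNames 'EXVS1', 'exvs1.example.com'

# Against a live directory:
#   Get-MissingSpn -SetspnOutput (setspn -L EXVS1) -HostNames 'EXVS1', 'exvs1.example.com'
```

Any SPN the function prints is one a client cannot get a service ticket for, which is the condition that makes a Kerberos-only profile fail while NTLM still works.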
|
 |
Rodney R. Fournier [MVP]
Guest
|
Posted:
Sun Jan 09, 2005 1:34 am Post subject:
Re: Kerberos Auth using O2k3 and E2k3 in a cluster |
|
|
Setspn is actually from the Support Tools, which comes on the product CD.
Cheers,
Rod
MVP - Windows Server - Clustering
http://www.nw-america.com - Clustering
http://www.msmvps.com/clustering - Blog
|
|
|
|
 |
|
|
|
|