
MS Office Forum / Outlook / New Users / January 2005


Kerberos Auth using O2k3 and E2k3 in a cluster

Steve - 06 Jan 2005 16:10 GMT
We are having a problem converting our Outlook client authentication from
NTLM to Kerberos.  We are in a Windows 2003 clustered environment running
Exchange 2003 in native mode.  When we specify in the Outlook security
settings to use Kerberos only, the user can't log on.

Is anyone else having these issues?

Thanks
Steve
Rich Matheisen [MVP] - 07 Jan 2005 01:42 GMT
>We are having a problem converting our Outlook client authentication from
>NTLM to Kerberos.  We are in a Windows 2003 clustered environment running
>Exchange 2003 in native mode.  When we specify in the Outlook security
>settings to use Kerberos only, the user can't log on.
>
>Is anyone else having these issues?

Yes. And it doesn't affect just Outlook. Anything that uses Kerberos
is a problem (SIP w/Live Communications Server, mapping a network
share, etc.).

Kerberos will use UDP by default, and the size of the packet can be a
problem if it's getting fragmented by a router somewhere and not being
properly reassembled, or if there's a VPN involved where the VPN info
being added to the packet causes it to exceed the MTU size.

Try this KB article:
How to force Kerberos to use TCP instead of UDP [244474]

We've set the value to "1" to force the use of TCP and have seen the
problem disappear.

Signature

Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm

Steve - 07 Jan 2005 16:15 GMT
Thanks Rich!

We have tried this registry modification before with no success.  We can
authenticate to our LCS and our DC using Kerberos; it's just the Exchange
servers.  We do have one Outlook profile that works, and if you bring up the
connection status dialog box it shows connections directly to the domain
controller as opposed to the other machines which show connections to the
Exchange server.  The strange thing is that on the same client machine if we
create an identical Outlook profile using Kerberos only it will not
authenticate.

Thanks again for the input,
Steve
Email & Collaboration Technical Lead

> >We are having a problem converting our Outlook client authentication from
> >NTLM to Kerberos.  We are in a Windows 2003 clustered environment running
[quoted text clipped - 17 lines]
> We've set the value to "1" to force the use of TCP and have seen the
> problem disappear.
Rich Matheisen [MVP] - 08 Jan 2005 16:08 GMT
>We have tried this registry modification before with no success.  We can
>authenticate to our LCS and our DC using Kerberos; it's just the Exchange
>servers.  We do have one Outlook profile that works, and if you bring up the
>connection status dialog box it shows connections directly to the domain
>controller as opposed to the other machines which show connections to the
>Exchange server.

Outlook 2003 (and XP, and maybe 2000 -- I forget) can "talk" directly
to a GC. They may ask the Exchange server for a GC name, though. The
DSProxy service on the Exchange server can also be used. It just
passes through the information to the GC and passes back the results
to the client.

>The strange thing is that on the same client machine if we
>create an identical Outlook profile using Kerberos only it will not
>authenticate.

So only NTLM authentication works?

How about this KB?

Description of the Properties of the Cluster Network Name Resource in
Windows Server 2003 [302389]

If you've disabled the use of UDP by Kerberos (by setting the max
packet size to 1 byte), followed the above KB, and the client still
fails to authenticate using Kerberos, I'd call MS (or check routers
for packet filters, IPSec for port blocking, etc.). I'd also
double-check the registry modification to make sure the key and data
names are spelled correctly. Sometimes the names are case-sensitive . . .
sometimes they aren't.

Signature

Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
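
The registry double-check suggested in the reply above, as an added example that is not part of the original thread. It assumes the key path and value name documented for KB 244474 (neither is quoted on this page) and reports whether the value exists, has the right type, and holds the data "1".

```powershell
# Added example, not from the thread. Run on the machine where the change was made.
# Assumption: key path and value name are those documented for KB 244474.
function Test-KerberosForcedTcp {
    param(
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
        [string]$ValueName = 'MaxPacketSize'
    )
    $result = [pscustomobject]@{ ForcedTcp = $false; Detail = '' }

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        $result.Detail = "Key not found: $KeyPath"
        return $result
    }

    $key   = Get-Item -LiteralPath $KeyPath
    $names = @($key.GetValueNames())

    if ($names -notcontains $ValueName) {
        # List what is actually under the key so a misspelled name stands out.
        $result.Detail = "No value named '$ValueName'. Values present: " + ($names -join ', ')
        return $result
    }

    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)

    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # A string "1" looks right in the registry editor but is the wrong type.
        $result.Detail = "'$ValueName' has type $kind, expected DWord"
    }
    elseif ($data -ne 1) {
        $result.Detail = "'$ValueName' is $data; the thread sets it to 1 to force TCP"
    }
    else {
        $result.ForcedTcp = $true
        $result.Detail    = "'$ValueName' is DWord 1"
    }
    return $result
}

Test-KerberosForcedTcp | Format-List
```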

Doug Frisk - 08 Jan 2005 17:16 GMT
> Thanks Rich!
>
[quoted text clipped - 8 lines]
> create an identical Outlook profile using Kerberos only it will not
> authenticate.

Are the SPNs for the Exchange virtual server published?  Kerberos
authentication won't work if the SPNs aren't there.

The command to check is "Setspn -L ExchangeVirtualServer".  Setspn is part
of the resource kit or downloadable from Microsoft.
Rodney R. Fournier [MVP] - 08 Jan 2005 19:34 GMT
Setspn is actually from the Support Tools, which comes on the product CD.

Cheers,

Rod

MVP - Windows Server - Clustering
http://www.nw-america.com - Clustering
http://www.msmvps.com/clustering - Blog

>> Thanks Rich!
>>
[quoted text clipped - 14 lines]
> The command to check is "Setspn -L ExchangeVirtualServer".  Setspn is part
> of the resource kit or downloadable from Microsoft.