Entourage not kerberizing with 2007 upgrade?

[mclinde]

Version: 2008
Operating System: Mac OS X 10.5 (Leopard)
Processor: Intel
Email Client: Exchange

Ok, so this took a while to figure out the problem, but it's all Kerberos. So history: My system (Entourage 2008 12.1.5) was successfully logging in via Kerberos when we had an Exchange 2003 environment. We are deploying 2007, and I am in the first beta users group. Entourage won't work with Kerberos - on my existing account. I have verified I do not get a ticket, even though I tell Entourage to sync via Kerberos. Only thing I didn't do (yet) is a full reboot, but I've tried destroying and recreating my tgt, and Entourage won't request a ticket, so I get no send/receive capabilities. I created a new account setup in Entourage, I even created a new profile - still no ticket.

I have a test machine sitting next to me, that had never been setup before. Logged in, configured Entourage to use the back-end server (thus Kerberos), and it's fine - I get ticket and can send/receive mail.

So as I'm about to reboot and see if that fixes the problem, what if it doesn't?

 

[William Smith [MVP]]

Ok, so this took a while to figure out the problem, but it's all
Kerberos. So history: My system (Entourage 2008 12.1.5) was
successfully logging in via Kerberos when we had an Exchange 2003
environment. We are deploying 2007, and I am in the first beta users
group. Entourage won't work with Kerberos - on my existing account. I
have verified I do not get a ticket, even though I tell Entourage to
sync via Kerberos. Only thing I didn't do (yet) is a full reboot, but
I've tried destroying and recreating my tgt, and Entourage won't
request a ticket, so I get no send/receive capabilities. I created a
new account setup in Entourage, I even created a new profile - still
no ticket.

I just need to make sure you understand how Entourage and Kerberos are
suppose to work.

First, Kerberos is not the syncing mechanism. It's the authentication
mechanism and it's meant to be used with Macs that are bound to Active
Directory. Is your Mac bound to Active Directory?

I have a test machine sitting next to me, that had never been setup
before. Logged in, configured Entourage to use the back-end server
(thus Kerberos), and it's fine - I get ticket and can send/receive
mail.

Pointing Entourage to your back-end server doesn't mean it's using Kerberos.

Again, just making sure you understand how Kerberos works: Your Mac is
bound to Active Directory and when you log in to it you receive a ticket
that's essentially a pseudo-password for you. When Kerberized
applications need to authenticate they will present your ticket to the
appropriate server and you'll be granted access without having to
authenticate yourself again.

Safari is Kerberized. If you're using something like
"server.example.com" for your Exchange Server back-end address then put
this into Safari: "sever.example.com/exchange". You should connect to
your account without having to authenticate.

Hope this helps!

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

 

[mclinde]

Bill - I do understand Kerberos. It is a secure authentication method which includes the ability to enable SSO (Single-Sign-On) so a user can authenticate once to a system and have access to any "Kerberized" resources afterwards. I'm sure you don't need a lesson in that though.

Your "Safari is Kerberized test is great" - except that you didn't read my post completely. I can make it work just fine if I start from a whole new user login - no existing Entourage setup/preferences. When I say "work just fine" I mean that Entourage (when set to use Kerberos) will generate a ticket that enables it to authenticate to the Exchange 2007 Mail Store. I am also saying that the exact same account settings don't work if put in an "upgrade" situation, where the Entourage user, preferences, etc. exist already. Entourage never communicates a request to the Kerberos application to get a ticket for communicating with the mail server, so the user cannot send or receive mail - and there is no error generated. The only way I tracked this down was by examining the individual tickets issues by Kerberos, and discovering that Entourage (in the upgrade situation) was not making a request, and a ticket is not being generated.