Kerberos authentication oddities

Sean_McGarrahan

Version: 2008
Operating System: Mac OS X 10.5 (Leopard)
Processor: Intel
Email Client: Exchange

I am running Office 2008 for Mac on a machine that is bound to an AD domain. I am also running Messenger. I am logging into the machine using an AD account, so I should be using Kerberos.

When I launch Entourage, it starts synchronizing, but I'll get the message, "this Exchange Server does not support Kerberos authentication." In the meantime mail is synchronizing behind the error message, and Messenger is logging in. There is only one account configured. I click Cancel, and continue to use Kerberos authentication.

Why is this message appearing when it is obviously working? Where else should I troubleshoot?
 
William Smith

> I am running Office 2008 for Mac on a machine that is bound to an AD
> domain. I am also running Messenger. I am logging into the machine
> using an AD account, so I should be using Kerberos.
>
> When I launch Entourage, it starts synchronizing, but I'll get the
> message, "this Exchange Server does not support Kerberos
> authentication." In the meantime mail is synchronizing behind the
> error message, and Messenger is logging in. There is only one account
> configured. I click Cancel, and continue to use Kerberos
> authentication.
>
> Why is this message appearing when it is obviously working? Where
> else should I troubleshoot?

Can you tell which of your three servers (Exchange, Public folder or
LDAP) is sending you this message?

--

bill

William M. Smith, Microsoft Interop MVP - Mac/Windows
Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
 
Sean_McGarrahan

> Can you tell which of your three servers (Exchange, Public folder or
> LDAP) is sending you this message?
>
> --
>
> bill
>
> William M. Smith, Microsoft Interop MVP - Mac/Windows
> Entourage Help Page
> Entourage Help Blog
> YouTalk

That is a good question and one which I suspected might be coming. However, work has kept me from researching it.

After looking, I have found that the Exchange server and the Public folder server are the same, and the LDAP server is the local primary domain controller. Public Folders are set up for SSL, as is LDAP. My domain controllers are supposed to be running Kerberos, but I'll check into it.

Thanks for the reply
 
Sean_McGarrahan

> That is a good question and one which I suspected might be coming. However, work has kept me from researching it.
>
> After looking, I have found that the Exchange server and the Public folder server are the same, and the LDAP server is the local primary domain controller. Public Folders are set up for SSL, as is LDAP. My domain controllers are supposed to be running Kerberos, but I'll check into it.
>
> Thanks for the reply

(I guess you can't edit.) I meant to add one other item.

Once that error message comes up, I can force a send/receive, but it does not stay connected. I don't have to quit and restart, but sometimes I do have to take it offline.

If I press cancel on the error message, the message goes away and I usually get disconnected. If I press OK, the account switches back to password authentication.

I just noticed that my exchange server was not set for SSL.
 
William Smith

> That is a good question and one which I suspected might be coming.
> However, work has kept me from researching it.
>
> After looking, I have found that the Exchange server and the Public
> folder server are the same, and the LDAP server is the local primary
> domain controller. Public Folders are set up for SSL, as is LDAP. My
> domain controllers are supposed to be running Kerberos, but I'll
> check into it.

Internal to your own company network you may not need to enable SSL for
your servers. This may be related to your authentication problem.

Hope this helps!

--

bill

William M. Smith, Microsoft Interop MVP - Mac/Windows
Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
 
William Smith

> Once that error message comes up, I can force a send/receive, but it
> does not stay connected. I don't have to quit and restart, but
> sometimes I do have to take it offline.
>
> If I press cancel on the error message, the message goes away and I
> usually get disconnected. If I press OK, the account switches back to
> password authentication.

I've seen something similar where I work. Entourage 2008, if I remember
correctly, wants to be able to use reverse lookups of your servers to
verify their identity. Unfortunately, our DNS is UNIX-based but has had
stub zones added for our Windows systems. This was not handled well and
reverse lookups resolve strangely.

Use the Network Utility found in /Applications/Utilities to test your
server names. Look up the IP address of each of your servers and get
their IP addresses. Then look up the IP addresses and see if the server
names returned match those you're using. If the server names returned
don't match the server names you're using then your problem is most
likely DNS-related.

You may be able to work around this by entering the IP address of your
domain controller into your DNS Servers list (Apple menu --> System
Preferences... --> Network) on your Mac. Domain controllers, by default,
are DNS servers themselves. These servers will have "more correct"
information for lack of a better expression.

Hope this helps!

--

bill

William M. Smith, Microsoft Interop MVP - Mac/Windows
Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
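The forward-then-reverse check Bill describes, scripted as an added example (not code from the thread or from Entourage): resolve each configured server name to its addresses, look each address back up, and flag any PTR name that does not match. The helper names are hypothetical, and the sample tables are constructed to mirror Sean's later description of a DC that still answers on the old network; by default the functions query the live resolver instead.

```python
import socket

# Hypothetical helpers; defaults hit the live resolver, tables can be injected.
def live_forward(name):
    """All IPv4 addresses the resolver returns for a server name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def live_reverse(ip):
    """PTR name for an address, or '' when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""

def check_servers(names, forward=live_forward, reverse=live_reverse):
    """One (name, ip, ptr, ok) row per address of each server; ok is True
    only when the PTR name equals the configured name (case-insensitive,
    trailing dot ignored). A DC on two networks yields two rows, so a
    stale reverse zone on either network shows up."""
    rows = []
    for name in names:
        want = name.rstrip(".").lower()
        ips = forward(name) or []
        if not ips:                       # no forward record at all
            rows.append((name, "", "", False))
        for ip in ips:
            ptr = reverse(ip)
            rows.append((name, ip, ptr, ptr.rstrip(".").lower() == want))
    return rows

# Constructed sample, not real data: the DC keeps an address on the old
# network, and the PTR record there still carries the old domain name.
SAMPLE_FORWARD = {
    "dc1.newcorp.example": ["10.20.0.5", "192.168.1.5"],
    "mail.newcorp.example": ["10.20.0.10"],
}
SAMPLE_REVERSE = {
    "10.20.0.5": "dc1.newcorp.example.",
    "192.168.1.5": "dc1.oldcorp.example.",
    "10.20.0.10": "MAIL.newcorp.example",
}

def sample_rows():
    return check_servers(list(SAMPLE_FORWARD), SAMPLE_FORWARD.get,
                         lambda ip: SAMPLE_REVERSE.get(ip, ""))

if __name__ == "__main__":
    for name, ip, ptr, ok in sample_rows():
        print(f"{name:22} {ip:14} {ptr:24} {'ok' if ok else 'MISMATCH'}")
```

Run it with the real server names from Entourage's account settings (`check_servers([...])` with the defaults) from the Mac that shows the error, since that machine's resolver configuration is the one Kerberos uses.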
 
Sean_McGarrahan

I want to apologize for not replying sooner, but work got in the way.

Since I posted this, my office has given me a MacPro to work with. I've had to reinstall a lot of stuff. Having said that, I think I may have found the problem. Please let me know if you agree.

Our company got acquired by another, and we've had a devil of a time migrating to the new network and domain. One of the consequences has been that the local domain controller for the new domain lives on two networks. Pinging it returns an address from the old network. I suspect that is causing the problems.

That would appear to be the specific answer to the apparently correct, but generic, reply of "DNS-related".
 
William Smith [MVP]

> I want to apologize for not replying sooner, but work got in the way.
>
> Since I posted this, my office has given me a MacPro to work with.
> I've had to reinstall a lot of stuff. Having said that, I think I may
> have found the problem. Please let me know if you agree.
>
> Our company got acquired by another, and we've had a devil of a time
> migrating to the new network and domain. One of the consequences has
> been that the local domain controller for the new domain lives on two
> networks. Pinging it returns an address from the old network. I
> suspect that is causing the problems.
>
> That would appear to be the specific answer to the apparently
> correct, but generic, reply of "DNS-related".

Hi Sean!

I hope you've indeed found your problem. I can't tell you if what you've
found is certainly the problem but it sounds like what we found. The
reverse lookup doesn't match.

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>
 
Sean_McGarrahan

Unfortunately, I seem to still be having the problem. The DC was removed from the second subnet, rebooted and a ping and a lookup both returned the proper IP. The second subnet is not gone, though, as it is being used as a development network.

I'm going to do some more troubleshooting regarding machine names and DNS entries, as well as making sure the second subnet isn't causing any problems. Does anyone know if having a "-" in the machine name causes any problems with the Kerberos implementation on the Mac?

There has been a bit of a wrench in this. I have had to install Thursby's ADMitMac on my machine to evaluate it. I was hoping it would help this problem, but I don't think it has. I don't think it has made it worse, either.
 
Sean_McGarrahan

I have been doing some research on this, and it appears that Macs in our domain are either not auto-registering in DNS whenever they get an IP or are registering under a different name. This would really screw up a Kerberos reverse lookup. I have checked several machines in the domain.

I'm not a DNS expert, so I'm wondering just what setting I'm missing that would prevent the Macs from properly registering in a DNS server running on a Windows Server platform.
 