SSO, AD and Exchange via Entourage


JG_Giant

Version: 2008
Operating System: Mac OS X 10.5 (Leopard)
Processor: Intel
Email Client: Exchange

I am an Exchange admin tasked with supporting numerous Mac clients. We are currently running Exchange 2007 SP1 rollup 7. Most clients use Entourage 2008 with the latest MR (not EWS although I am doing some testing with it). Clients (Mac OS X 10.5) are currently bound to AD and pulling Kerberos tickets. I would like to enable single sign on functionality for these clients. I am prompted in Entourage when attempting to log in via kerberos authentication with a message stating Exchange is not properly configured to support Kerberos. Our current OWA environment is configured to use forms based authentication. We do this intentionally to prevent OWA from automatically logging in when opened. This allows users to sit down at any machine and log into any mailbox they choose. I need this functionality to remain in place.

I've spent the last few days attempting to locate documentation for configuring Exchange to accept Kerberos login requests. Haven't had much luck with that so far. Can anyone point me to some documents that might get me going with this? I am thinking it may be as simple as enabling windows authentication in Exchange for the IMAP protocol and in IIS 7.0 for OWA and EWS, but when I do that it overrides the forms based authentication setting. I am also hesitant to just go plugging away and trying settings as I support a rather large number of windows users as well. I'd rather not get 50 calls because I broke something else while attempting to enable SSO for a small number of users. Has anyone had similar configurations as this and gotten kerberos sso working?

Thanks
 

William Smith [MVP]

> I am an Exchange admin tasked with supporting numerous Mac clients.
> We are currently running Exchange 2007 SP1 rollup 7. Most clients use
> Entourage 2008 with the latest MR (not EWS although I am doing some
> testing with it). Clients (Mac OS X 10.5) are currently bound to AD
> and pulling Kerberos tickets. I would like to enable single sign on
> functionality for these clients. I am prompted in Entourage when
> attempting to log in via kerberos authentication with a message
> stating Exchange is not properly configured to support Kerberos. Our
> current OWA environment is configured to use forms based
> authentication. We do this intentionally to prevent OWA from
> automatically logging in when opened. This allows users to sit down
> at any machine and log into any mailbox they choose. I need this
> functionality to remain in place.

Point your Entourage clients directly to their back-end Exchange Server
and not an external OWA server. Kerberos relies on properly configured
DNS and access to your domain controllers.

Also, you mentioned IMAP. Are you really using IMAP? You want to connect
your Entourage clients as Exchange clients, not IMAP.

Hope this helps!

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>
 

JG_Giant

Thanks for the info Bill,

Good to know the environment already supports kerberos. However in my situation, Mac clients are connecting internally to the OWA server, they are never routed externally. Through some tricks with split DNS zones, we are able to have the same address point to one address internally, and another routable address externally. In our situation, clients, even when connecting to the OWA server from inside the network (which happens to also be the HUB and CAS server), do still have full access to a properly configured domain controller and DNS server. We've taken great strides to configure our DNS so that clients are never routed out and back in the network, so no firewall comes into play in this situation. Also, the OS itself seems to have no problem pulling the kerberos ticket, so I'd assume DNS is functioning properly in our environment. With all that in mind, is it possible to leave Entourage pointed to the HUB/CAS/OWA server while connected internally and still have it use kerberos to authenticate? Or am I just spinning my wheels? It may seem like splitting hairs, but Exchange 2007 is designed so that clients communicate directly to the CAS (Client Access Server). This gives them one standard place to connect to, and the server then handles the redirection to their particular mailbox server. In a large environment like mine, it comes in extremely handy having only one place to point all clients to. It makes administering the back end much easier, and helps cut down on the confusion for our help desk.

And yes, we are actually still using IMAP to connect back to our Exchange server. We have some users still using Apple Mail, so they do rely on the IMAP connection to Exchange. Entourage, unless it is misconfigured on the client (which does happen from time to time), uses the Exchange connection via OWA.

Thanks again,
Jon
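As an added illustration of the DNS and ticket prerequisites Bill describes, and of the split-DNS name that Jon says his clients use for the CAS, the script below is example code written for this page, not something from the thread, Entourage or Exchange. The realm, the DNS table and the ticket-cache listing are constructed sample data, and the listing only approximates real klist output.

```python
"""Client-side checks for Kerberos SSO against a CAS/OWA host: canonicalize the
name (following CNAMEs as GSSAPI does), derive the HTTP/ SPN, check the cache."""
import re
from datetime import datetime

REALM = "CORP.EXAMPLE.COM"  # assumed realm, not from the thread
# Constructed internal (split-horizon) DNS view: public name CNAMEd to the CAS.
DNS = {
    "mail.example.com": ("CNAME", "cas01.corp.example.com"),
    "cas01.corp.example.com": ("A", "10.0.0.25"),
    "webmail.example.com": ("A", "10.0.0.30"),
}

def canonical_host(name, dns=DNS, max_hops=8):
    """Follow the CNAME chain to the A record; that host name goes into the SPN."""
    for _ in range(max_hops):
        rtype, value = dns.get(name, (None, None))
        if rtype == "A":
            return name
        if rtype != "CNAME":
            raise LookupError(f"no A/CNAME record for {name}")
        name = value
    raise LookupError("CNAME chain too long")

def expected_spn(name, realm=REALM):
    return f"HTTP/{canonical_host(name)}@{realm}"

# Constructed ticket-cache listing; the layout only approximates klist output.
KLIST = """\
Default principal: jon@CORP.EXAMPLE.COM
Valid Starting     Expires            Service Principal
04/14/09 08:01:10  04/14/09 18:01:10  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
04/14/09 08:05:33  04/14/09 18:01:10  HTTP/cas01.corp.example.com@CORP.EXAMPLE.COM
"""
TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+/\S+@\S+)$", re.M)

def _ts(s):
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")

def parse_klist(text):
    """Map each service principal in the cache to its expiry time."""
    return {spn: _ts(exp) for _start, exp, spn in TICKET_RE.findall(text)}

def sso_ready(server, now, klist_text=KLIST, realm=REALM):
    """Report whether an unexpired TGT and a ticket for the server's SPN exist."""
    tickets, t = parse_klist(klist_text), _ts(now)
    tgt, spn = f"krbtgt/{realm}@{realm}", expected_spn(server, realm)
    # A missing ticket defaults to t, so "t > t" is False, same as an expired one.
    return {"spn": spn, "has_tgt": tickets.get(tgt, t) > t,
            "has_service_ticket": tickets.get(spn, t) > t}
```

Run `sso_ready("mail.example.com", "04/14/09 09:00:00")` to see the SPN the client will request for the public name and whether the cache already holds a ticket for it; a missing HTTP/ ticket for the canonical CAS host is the first thing to compare against the SPNs registered on the Exchange side.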
 
