Kerberos Auth using O2k3 and E2k3 in a cluster

Steve

We are having a problem converting our Outlook client authentication from
NTLM to Kerberos. We are in a Windows 2003 clustered environment running
Exchange 2003 in native mode. When we specify in the Outlook security
settings to use Kerberos only, the user can't log on.

Is anyone else having these issues?

Thanks
Steve
 
R

Rich Matheisen [MVP]

Steve said:
We are having a problem converting our Outlook client authentication from
NTLM to Kerberos. We are in a Windows 2003 clustered environment running
Exchange 2003 in native mode. When we specify in the Outlook security
settings to use Kerberos only, the user can't log on.

Is anyone else having these issues?

Yes. And it doesn't affect just Outlook. Anything that uses Kerberos
is a problem (SIP w/Live Communications Server, mapping a network
share, etc.).

Kerberos will use UDP by default, and the size of the packet can be a
problem if it's getting fragmented by a router somewhere and not being
properly reassembled, or if there's a VPN involved where the VPN info
being added to the packet causes it to exceed the MTU size.

Try this KB article:
How to force Kerberos to use TCP instead of UDP [244474]

We've set the value to "1" to force the use of TCP and have seen the
problem disappear.
 
S

Steve

Thanks Rich!

We have tried this registry modification before with no success. We can
authenticate to our LCS and our DC using Kerberos; it's just the Exchange
servers. We do have one Outlook profile that works, and if you bring up the
connection status dialog box it shows connections directly to the domain
controller, as opposed to the other machines, which show connections to the
Exchange server. The strange thing is that on the same client machine, if we
create an identical Outlook profile using Kerberos only, it will not
authenticate.

Thanks again for the input,
Steve
Email & Collaboration Technical Lead

Rich Matheisen [MVP]

Steve said:
We have tried this registry modification before with no success. We can
authenticate to our LCS and our DC using Kerberos; it's just the Exchange
servers. We do have one Outlook profile that works, and if you bring up the
connection status dialog box it shows connections directly to the domain
controller, as opposed to the other machines, which show connections to the
Exchange server.

Outlook 2003 (and XP, and maybe 2000 -- I forget) can "talk" directly
to a GC. They may ask the Exchange server for a GC name, though. The
DSProxy service on the Exchange server can also be used. It just
passes through the information to the GC and passes back the results
to the client.

The strange thing is that on the same client machine, if we
create an identical Outlook profile using Kerberos only, it will not
authenticate.

So only NTLM authentication works?

How about this KB?

Description of the Properties of the Cluster Network Name Resource in
Windows Server 2003 [302389]

If you've disabled the use of UDP by Kerberos (by setting the max
packet size to 1 byte), followed the above KB, and the client still
fails to authenticate using Kerberos, I'd call MS (or check routers
for packet filters, IPSec for port blocking, etc.). I'd also
double-check the registry modification to make sure the key and data
names are spelled correctly. Sometimes the names are case-sensitive . . .
sometimes they aren't.
 
D

Doug Frisk

Steve said:
Thanks Rich!

We have tried this registry modification before with no success. We can
authenticate to our LCS and our DC using Kerberos; it's just the Exchange
servers. We do have one Outlook profile that works, and if you bring up the
connection status dialog box it shows connections directly to the domain
controller, as opposed to the other machines, which show connections to the
Exchange server. The strange thing is that on the same client machine, if we
create an identical Outlook profile using Kerberos only, it will not
authenticate.

Are the SPNs for the Exchange virtual server published? Kerberos
authentication won't work if the SPNs aren't there.

The command to check is "Setspn -L ExchangeVirtualServer". Setspn is part
of the resource kit or downloadable from Microsoft.
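An added example, not code from anyone in this thread, that turns Rich's registry advice and Doug's SPN check into one read-only PowerShell diagnostic. The key path and value name come from KB 244474 as cited above; the list of SPN service classes and the virtual server name `EXCHVS01` are assumptions to adjust for your environment.

```powershell
# Added example (not code from the thread): read-only checks for the two things
# suggested above. Run the registry check on the Outlook client and the SPN
# check on any domain-joined host that has setspn.exe in the PATH.

# Key and value name from KB 244474 (cited in the thread).
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Test-KerberosTcpSetting {
    # Rich's advice: MaxPacketSize = 1 forces Kerberos over TCP. Also reports
    # similarly named values, since a mistyped value name silently does nothing.
    if (-not (Test-Path $KerbKey)) { return "MISSING key: $KerbKey" }
    $key   = Get-Item $KerbKey
    $names = $key.GetValueNames()
    $typos = $names | Where-Object { $_ -match 'packet' -and $_ -ine 'MaxPacketSize' }
    if ($typos) { "SUSPECT value name(s): $($typos -join ', ')" }
    if ($names -inotcontains 'MaxPacketSize') { return 'MISSING value: MaxPacketSize' }
    $kind  = $key.GetValueKind('MaxPacketSize')
    $value = $key.GetValue('MaxPacketSize')
    if ($kind -ne 'DWord') { return "WRONG type: MaxPacketSize is $kind, expected DWord" }
    if ($value -eq 1)      { return 'OK: MaxPacketSize=1, Kerberos forced to TCP' }
    return "INFO: MaxPacketSize=$value (UDP still used for tickets up to that size)"
}

function Test-ExchangeSpn {
    # Doug's check: list the SPNs on the Exchange virtual server account and
    # flag missing service classes. The class list is an ASSUMED example set,
    # not from the thread; adjust it to what your Exchange version registers.
    param(
        [Parameter(Mandatory = $true)] [string] $VirtualServer,
        [string[]] $ServiceClasses = @('HOST', 'exchangeMDB', 'exchangeRFR')
    )
    $lines = & setspn.exe -L $VirtualServer 2>&1 | ForEach-Object { "$_".Trim() }
    # setspn -L prints a header line, then one SPN per line (class/host[:port]).
    $spns  = $lines | Where-Object { $_ -match '^[A-Za-z]+/' }
    if (-not $spns) { return "NONE: no SPNs listed for $VirtualServer (account missing or no SPNs)" }
    foreach ($class in $ServiceClasses) {
        $hit = $spns | Where-Object { $_ -ilike "$class/$VirtualServer*" }
        if ($hit) { "OK: $($hit -join ', ')" } else { "MISSING: $class/$VirtualServer" }
    }
}

Test-KerberosTcpSetting
Test-ExchangeSpn -VirtualServer 'EXCHVS01'   # ASSUMED virtual server name; replace with yours
```

A MISSING line for a service class means no Kerberos ticket can be issued for that service, which matches the symptom in the thread of Kerberos-only profiles failing while NTLM still works.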