On Sun, Aug 30, 2009 at 08:38:20PM +0100, Gavin Hamill wrote:
> On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
> > On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
> > > Has anyone successfully configured the above to enable Single Sign-On? I would love to move away from Exchange but SSO is a corporate requirement.
> > I looked at this in some detail and concluded that the NTLM support on Outlook 2007 was only for encryption, it was not using SPA. I couldn't find a hidden registry setting or whatnot to switch it.
> Heh, have just found you here: https://bugzilla.mozilla.org/show_bug.cgi?id=284538
> You mention that you managed to get Thunderbird working with SSO; I've not achieved that - I'm still required to provide the password before the NTLM login is successful. Is there any particular magic needed with Thunderbird 2.0.0.23?
Yes, you can't use NTLM in Thunderbird either, you have to use Kerberos (GSSAPI). I run NTLM through winbind and GSSAPI through MIT Kerberos, and then run exim through dovecot-auth. This gives complete SSO using GSSAPI for Thunderbird on all platforms, and secure challenge/response NTLM hashed passwords for roaming users without Kerberos.
The Kerberos setup is pretty easy: 'net ads join' your server, go into the ADSI editor and provide an imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.
Apparently if you direct the GSSAPI messages through winbind (like for NTLM) then you can omit the 'net ads keytab' steps and things work a bit smoother, but I have not attempted that configuration.
Jason
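The join / SPN / keytab procedure described above, followed by a check a practitioner would want before testing with mutt: an added POSIX shell example, not code from this thread or from Samba, Dovecot or Exim, that verifies the system keytab actually carries the imap/ and smtp/ principals a GSSAPI client will request. The 'klist -k' listing below is constructed for the example, and mail.example.com / EXAMPLE.COM are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). After 'net ads join', adding the SPNs
# in the ADSI editor and 'net ads keytab', a GSSAPI IMAP/SMTP login still
# fails if the keytab lacks the exact service principal the client asks for:
# the service name is case-sensitive, the host part must be the FQDN the
# client resolves, and the realm must match. This checks a klist -k listing.

# keytab_has_spns HOST REALM SERVICE...  (listing on stdin)
# Returns 0 when every SERVICE/HOST@REALM appears in the listing, 1 otherwise.
keytab_has_spns() {
  host=$1; realm=$2; shift 2
  listing=$(cat)
  missing=""
  for svc in "$@"; do
    princ="$svc/$host@$realm"
    # 'klist -k' prints "KVNO Principal" rows; compare the principal column
    # exactly so imap/ and IMAP/ are not confused.
    if ! printf '%s\n' "$listing" \
         | awk -v p="$princ" '$2 == p { found = 1 } END { exit !found }'; then
      missing="$missing $princ"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing from keytab:$missing" >&2
    return 1
  fi
  return 0
}

# Constructed sample listing (placeholder host/realm): the machine account and
# the imap/ SPN are present, but smtp/ was never added to the keytab.
sample_klist_output() {
  cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.com@EXAMPLE.COM
   3 imap/mail.example.com@EXAMPLE.COM
   3 MAIL$@EXAMPLE.COM
EOF
}

# Against a live server (needs read access to /etc/krb5.keytab), run instead:
#   klist -k /etc/krb5.keytab | keytab_has_spns "$(hostname -f)" EXAMPLE.COM imap smtp
# and only then test the login with mutt, as suggested in the thread.
if [ "${1:-}" = "demo" ]; then
  sample_klist_output | keytab_has_spns mail.example.com EXAMPLE.COM imap smtp \
    && echo "keytab ok" || echo "fix the keytab before testing with mutt"
fi
```

The check is deliberately strict on case and on the host name: an SPN registered in AD as smtp/MAIL.EXAMPLE.COM, or a keytab entry for the short host name, will not satisfy a client that requested smtp/mail.example.com, and the resulting GSSAPI failure message from Thunderbird is much less informative than the one-line report above.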