On 25/12/2006 at 13.00, Adrian Gill wrote:
Date: Sun, 24 Dec 2006 16:43:40 -0000
From: "Adrian Gill" adrian@ssinternet.co.uk
Subject: Re: [Dovecot] NTLM authentication woes
To: dovecot@dovecot.org
Message-ID: 023001c7277a$ae1bcf60$4107a8c0@AdeLaptop
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
Lars wrote: [Re Outlook handling of SPA/NTLM]
Turning on auth_debug and auth_verbose has led me to discover that MS Outlook uses the user's full name as login, instead of whatever is entered in the account-information - if the user "John Doe" has the login "jd@domain.com", Outlook sends "John Doe" instead. This of course fails. Strangely enough, if I turn off "Use Secure Authentication" from within Outlook, the login-name from the account-information is used as it should be.

Not a solution I'm afraid, but just to let you know that I've been experimenting with NTLM (actually with Exim for authenticated SMTP) for a while with a few users and had the same problems - different versions of Outlook behave slightly differently, but none (that I've found) seem to work properly. Usually Outlook sends the user's Windows Logon username and password (which is often their name, but often something else too like 'Administrator') initially, and sometimes then retries automatically with the correct details.

Things never seem to be that consistent though, except that they're consistently bad. Frustratingly, the only option I have is to tell users that have problems to use Thunderbird or something else and use cram-md5 instead.

As far as Outlook goes I think Microsoft seem to only bother testing NTLM running with MS Exchange on a local network... v.annoying!

(Sorry not that helpful a post)
Adrian
Hi Adrian
Thanks for your reply. I suspected as much, though I had hoped that
there was an easy applicable solution. Sadly my MS-using clients are
reluctant at best to change their applications, flawed as they may
be, so I guess they'll have to live with things as they are for now.
MS really should fix their apps, but that's a topic for a discussion
of its own.
I use a mysql-backend, and suspect I could change the login-call to
match whatever Outlook or Entourage choose to send, but that would be
difficult to make consistent enough to be truly workable, I think...
Thanks for your time
/Lars