[Dovecot] NTLM authentication woes
Hi all,
I have set up Dovecot to use a number of different authentication
mechanisms, which are all working as expected from well-behaved
clients. However, MS Outlook on Windows and MS Entourage X on Mac OS
X refuse to connect using NTLM.
Outlook Express on Windows seems to be working fine, and NTLM
authentication works from within OS X Mail.app as well.
Turning on auth_debug and auth_verbose has led me to discover that MS
Outlook uses the user's full name as login, instead of whatever is
entered in the account information - if the user "John Doe" has the
login "jd@domain.com", Outlook sends "John Doe" instead. This of
course fails. Strangely enough, if I turn off "Use Secure
Authentication" from within Outlook, the login name from the account
information is used as it should be.
From MS Entourage, the problem is similar but not identical. Here,
the login is sent as "jd@domain.com/jd".
I have worked around the problem for now by instructing my clients to
use SSL connections and disabling "Secure Authentication", but would
like for everyone to be able to log on without using SSL (due to the
recurring questions regarding my self-signed certificate).
Can anyone shed some light on why the MS apps refuse to behave?
Thanks in advance!
/Lars
PS: I wish you all a Merry Christmas and a happy new year! :o)
On Saturday December 23, 2006 at 12:13:13 (PM) Lars Skovgaard wrote:
I have worked around the problem for now by instructing my clients to
use SSL connections and disabling "Secure Authentication", but would
like for everyone to be able to log on without using SSL (due to the
recurring questions regarding my self-signed certificate).
It has been a while, but I thought that MS Outlook and OE both had options to accept the self-signed certificate ad infinitum.
You did not disclose how many users you are servicing; however, I think it would be a wise decision, even if your total is small, to secure a proper certificate. That certificate works for your mail server also.
-- Gerard
Lars wrote: [Re Outlook handling of SPA/NTLM]
Turning on auth_debug and auth_verbose has led me to discover that MS Outlook uses the user's full name as login, instead of whatever is entered in the account information - if the user "John Doe" has the login "jd@domain.com", Outlook sends "John Doe" instead. This of course fails. Strangely enough, if I turn off "Use Secure Authentication" from within Outlook, the login name from the account information is used as it should be.
Not a solution I'm afraid, but just to let you know that I've been experimenting with NTLM (actually with Exim for authenticated SMTP) for a while with a few users and had the same problems - different versions of Outlook behave slightly differently, but none (that I've found) seem to work properly. Usually Outlook sends the user's Windows logon username and password (which is often their name, but often something else too, like 'Administrator') initially, and sometimes then retries automatically with the correct details.
Things never seem to be that consistent though, except that they're consistently bad. Frustratingly, the only option I have is to tell users that have problems to use Thunderbird or something else and use CRAM-MD5 instead.
As far as Outlook goes, I think Microsoft seem to only bother testing NTLM running with MS Exchange on a local network... very annoying!
(Sorry not that helpful a post)
Adrian
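The behaviour Lars and Adrian describe above (Outlook putting the Windows display name or the Windows logon name into the NTLM user field rather than the mailbox login) is visible directly in the final message of the NTLM exchange. The following is an added example for this thread, not code from Dovecot, Exim or Microsoft: a small Python decoder for the NTLMSSP AUTHENTICATE_MESSAGE (Type 3) that extracts the domain, user and workstation strings from the base64 line the client sends, with bounds checks on the field pointers, so you can see exactly which identity a client is presenting and whether a string such as "domain/user" in a log is really a domain field plus a separate user field. The sample messages are constructed inside the block with placeholder challenge-response bytes (nothing here computes NTLM responses), and the fallback to OEM text for a short 52-byte header is an assumption about old clients, not something the thread documents.

```python
"""
Decode the NTLMSSP AUTHENTICATE_MESSAGE (Type 3) a mail client sends as its
last base64 line during AUTHENTICATE/AUTH NTLM and pull out the domain, user
and workstation strings it actually put on the wire.  Added example for this
thread; field layout follows MS-NLMP 2.2.1.3.  Samples below are constructed,
with placeholder challenge-response blobs (no NTLM hashing is done here).
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002

# Header offsets of the (Len, MaxLen, Offset) descriptors in a Type 3 message.
_FIELD_OFFSETS = {"lm_response": 12, "nt_response": 20,
                  "domain": 28, "user": 36, "workstation": 44}


def _read_field(raw, descriptor):
    """Slice a payload field out of the message, refusing out-of-bounds pointers."""
    length, _max_length, offset = descriptor
    if offset + length > len(raw):
        raise ValueError("field pointer %d+%d runs past the %d-byte message"
                         % (offset, length, len(raw)))
    return raw[offset:offset + length]


def parse_type3(raw):
    """Return the identity fields of a raw Type 3 message as a dict."""
    if len(raw) < 52 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type != 3:
        raise ValueError("expected AUTHENTICATE_MESSAGE (3), got type %d" % msg_type)
    descriptors = {name: struct.unpack_from("<HHI", raw, off)
                   for name, off in _FIELD_OFFSETS.items()}
    # NegotiateFlags sit at offset 60 of the 64-byte header.  Assumption: an
    # old client may send a 52-byte header with no session-key descriptor and
    # no flags; if any payload field starts before 64 we take that layout and
    # read the strings as OEM text (cp437, the classic OEM code page).
    used = [d[2] for d in descriptors.values() if d[0]]
    payload_start = min(used) if used else len(raw)
    if payload_start >= 64:
        flags = struct.unpack_from("<I", raw, 60)[0]
    else:
        flags = NTLMSSP_NEGOTIATE_OEM
    unicode_strings = bool(flags & NTLMSSP_NEGOTIATE_UNICODE)
    enc = "utf-16-le" if unicode_strings else "cp437"
    fields = {name: _read_field(raw, d) for name, d in descriptors.items()}
    return {
        "unicode": unicode_strings,
        "domain": fields["domain"].decode(enc, "replace"),
        "user": fields["user"].decode(enc, "replace"),
        "workstation": fields["workstation"].decode(enc, "replace"),
        "lm_response_len": len(fields["lm_response"]),
        "nt_response_len": len(fields["nt_response"]),
    }


def identity_from_base64(b64_line):
    """Decode one base64 client line from AUTH NTLM into DOMAIN\\user (or user)."""
    m = parse_type3(base64.b64decode(b64_line))
    return "%s\\%s" % (m["domain"], m["user"]) if m["domain"] else m["user"]


def build_type3(domain, user, workstation, unicode_strings=True,
                legacy_header=False, lm_response=b"", nt_response=b""):
    """Construct a Type 3 message around the given (placeholder) response blobs."""
    enc = "utf-16-le" if unicode_strings else "cp437"
    parts = [lm_response, nt_response,
             domain.encode(enc), user.encode(enc), workstation.encode(enc)]
    if legacy_header:
        if unicode_strings:
            raise ValueError("legacy layout carries no flags; use OEM strings")
        header_len = 52
    else:
        header_len = 64
        parts.append(b"")                     # EncryptedRandomSessionKey: none
    descriptors, payload = b"", b""
    for part in parts:                        # payload laid out in header order
        descriptors += struct.pack("<HHI", len(part), len(part), header_len + len(payload))
        payload += part
    header = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
    if not legacy_header:
        flags = NTLMSSP_NEGOTIATE_UNICODE if unicode_strings else NTLMSSP_NEGOTIATE_OEM
        header += struct.pack("<I", flags)
    assert len(header) == header_len
    return header + payload


# Constructed samples (not captures): a client that sends the Windows display
# name as the user, and an old-style OEM client using the short header.
SAMPLE_DISPLAY_NAME = base64.b64encode(
    build_type3("WORKGROUP", "John Doe", "JDLAPTOP", nt_response=b"\x00" * 24)).decode()
SAMPLE_LEGACY_OEM = base64.b64encode(
    build_type3("domain.com", "jd", "MACBOOK", unicode_strings=False,
                legacy_header=True, nt_response=b"\x00" * 24)).decode()

if __name__ == "__main__":
    for label, line in (("display-name client", SAMPLE_DISPLAY_NAME),
                        ("legacy OEM client", SAMPLE_LEGACY_OEM)):
        print(label, identity_from_base64(line), parse_type3(base64.b64decode(line)))
```

Feed `identity_from_base64()` the client's final base64 continuation line copied from a packet capture of a non-TLS session, and compare the user field with the login the account settings show. One caveat on the plan to run NTLM without SSL: the challenge-response keeps the password itself off the wire, but the challenge and response captured from an unencrypted session can still be attacked offline by password guessing, so "Secure Authentication" without TLS is weaker than the name suggests.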
participants (3): Adrian Gill, Gerard Seibert, Lars Skovgaard