[Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Sun Aug 30 23:29:35 EEST 2009


On Sun, Aug 30, 2009 at 08:38:20PM +0100, Gavin Hamill wrote:
> On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
> > On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
> > > Has anyone successfully configured the above to enable Single Sign-On? I
> > > would love to move away from Exchange but SSO is a corporate
> > > requirement.
> > 
> > I looked at this in some detail and concluded that the NTLM support on
> > Outlook 2007 was only for encryption, it was not using SPA. I couldn't
> > find a hidden registry setting or whatnot to switch it.
> 
> Heh, have just found you here:
>  https://bugzilla.mozilla.org/show_bug.cgi?id=284538
> 
> You mention that you managed to get Thunderbird working with SSO; I've
> not achieved that - I'm still required to provide the password before
> the NTLM login is successful.. Is there any particular magic needed with
> Thunderbird 2.0.0.23 ?

Yes, you can't use NTLM in Thunderbird either, you have to use
Kerberos (GSSAPI). I run NTLM through winbind and GSSAPI through MIT
Kerberos, and then run exim through dovecot-auth. This gives complete
SSO using GSSAPI for Thunderbird on all platforms, and secure
challenge/response NTLM hashed passwords for roaming users without
Kerberos.

The kerberos setup is pretty easy.. 'net ads join' your server, go
into the adsi editor and provide an imap and smtp SPN for the host, use
'net ads keytab' to put the imap and smtp SPNs in the system keytab,
and then you are good to go. I test it with mutt first as the error
messages are somewhat better.

Apparently if you direct the GSSAPI messages through winbind (like
for NTLM) then you can omit the 'net ads keytab' steps and things work
a bit smoother, but I have not attempted that configuration.

Jason
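An added example, not part of Jason's post: a small POSIX shell check that the system keytab actually carries the imap/ and smtp/ service principals the GSSAPI setup above depends on, run before testing with mutt. The host name, realm and keytab listing are constructed placeholders; the `net ads` invocations in the comments follow the steps described in the post and their exact syntax is assumed, not taken from the page.

```shell
#!/bin/sh
# Example (not from the mailing-list post). Steps from the post, as commands:
#   net ads join -U Administrator          # join the mail host to the AD domain
#   (ADSI Edit: add imap/HOST and smtp/HOST to the computer's servicePrincipalName)
#   net ads keytab add imap                # assumed syntax: put the SPNs in /etc/krb5.keytab
#   net ads keytab add smtp
#   klist -k /etc/krb5.keytab              # then verify with the check below
# Dovecot's GSSAPI mechanism only works if these principals are present, so
# check the keytab before debugging client-side SSO failures.

# Constructed sample of 'klist -k /etc/krb5.keytab' output so the check runs
# offline; in practice use: LISTING=$(klist -k /etc/krb5.keytab)
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 host/mail.example.com@EXAMPLE.COM
   3 MAIL$@EXAMPLE.COM
   3 imap/mail.example.com@EXAMPLE.COM
   3 smtp/mail.example.com@EXAMPLE.COM'

# keytab_has_spn LISTING SERVICE HOST REALM
# Succeeds when SERVICE/HOST@REALM appears as a principal in LISTING.
# Principal is the second column of each entry line of klist -k output.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v p="$2/$3@$4" '$2 == p { found = 1 } END { exit !found }'
}

# missing_spns LISTING HOST REALM
# Prints one "missing: ..." line per required principal that is absent
# (imap for Dovecot, smtp for exim via dovecot-auth); succeeds only when
# none are missing.
missing_spns() {
    listing=$1
    host=$2
    realm=$3
    rc=0
    for svc in imap smtp; do
        if ! keytab_has_spn "$listing" "$svc" "$host" "$realm"; then
            printf 'missing: %s/%s@%s\n' "$svc" "$host" "$realm"
            rc=1
        fi
    done
    return $rc
}

# Usage against the constructed listing (hypothetical host/realm values).
if missing_spns "$SAMPLE_KEYTAB_LISTING" mail.example.com EXAMPLE.COM; then
    echo "keytab has imap/ and smtp/ SPNs; test GSSAPI login with mutt next"
fi
```

The host name passed in must match the name clients resolve for the server (what Thunderbird and Outlook put in the service principal), not just the machine's short name; a keytab that holds the SPN for a different hostname produces exactly the "password still required" behaviour the thread describes.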
