Authenticating Unix Mail Clients to MS Exchange Server

Description:

IMAP. HTTP/HTTPS (WebAccess) MAPI (?) Authentication. Kerberos ... IMAP. HTTP. 10/11/09. IS Technical Presentation. 19. MS ... (IMAP) MS Exchange and ...

1
Authenticating Unix Mail Clients to MS Exchange Server
  • Ernest Artiaga

2
Outline
  • Motivation and goals
  • Technology
  • Kerberos
  • Windows 2000 authentication
  • Exchange Server
  • Other ways? (Certificates)
  • Conclusions

4
Motivation and Goals
  • Scenario
      • Mail services moving to MS Exchange 2000 Server
      • Unix clients accessing mail
  • What we would like
      • Single sign-on
      • Secure access

6
Technology
  • Mail Access
      • IMAP
      • HTTP/HTTPS (WebAccess)
      • MAPI (?)
  • Authentication
      • Kerberos
      • Certificates

9
Kerberos
[Diagram: Client, Server and KDC. Labels: 1. Ask TGT, (TGT), SK]

10
Kerberos
[Diagram: Client, Server and KDC. Labels: Server id., Authenticator, TGT, SK, (ticket)]

11
Kerberos
[Diagram: Client, Server and KDC. Labels: SK, Authenticator]

12
Kerberos
  • Kerberized Applications
  • Programming Interfaces
      • Kerberos native interface
      • GSS-API (Generic Security Services)
      • SSPI (Windows 2000)

14
Windows 2000 Authentication
  • Basic Authentication
      • Username and password in clear text
      • Option to protect it via SSL
  • Windows Integrated Authentication
      • Support for multiple authentication mechanisms
          • NTLM, Kerberos, DPA,
      • Ability to negotiate the mechanism

15
Windows 2000 Authentication
[Diagram: Windows 2000 authentication architecture. Labels: Application, SSPI Interface, Security Service Providers (SSP), CryptoAPI, LSA, Cryptographic Service Providers (CSP), Authentication Packages, SAM, Active Dir., Authentication Database]

16
Windows 2000 Authentication
  • Some issues
      • Domain Controllers have an integrated KDC
      • SSPI is the only interface supported
      • The application decides which SSPs are acceptable
      • An application does not necessarily accept all available SSPs

18
MS Exchange Server
  • Front-end/Back-end topology
      • Clients should contact the front-end
  • Different retrieval protocols
      • IMAP
      • HTTP

19
MS Exchange Server
  • The front-end supports Basic Authentication only
      • Channel can be encrypted using SSL
  • Windows Integrated Authentication supported in the back-end
      • But the server only accepts NTLM
  • WebAccess supports Basic Authentication only

20
MS Exchange Server
  • Consequences
      • Currently, Kerberos authentication is not possible
      • Other mechanisms require username and password
          • Typed on-line (no single sign-on)
          • Stored somewhere in the client (!)
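
The consequences on slides 19 and 20 can be checked from the client side by reading what an IMAP server advertises in its CAPABILITY response. This is an added example, not part of the original presentation: the function names and the three sample responses are constructed, and it assumes the standard IMAP naming in which Kerberos appears as AUTH=GSSAPI, NTLM as AUTH=NTLM, and password login is available unless LOGINDISABLED is advertised.

```python
# Added example: classify the login options an IMAP server advertises.
# Function names and the sample responses are constructed for illustration.

def parse_capabilities(line):
    """Return upper-cased capability tokens from an IMAP CAPABILITY response.

    Handles "* CAPABILITY ..." and the greeting form "* OK [CAPABILITY ...]".
    """
    tokens = line.strip().split()
    upper = [t.strip("[]").upper() for t in tokens]
    if "CAPABILITY" not in upper:
        raise ValueError("not a CAPABILITY response")
    caps = set()
    start = upper.index("CAPABILITY") + 1
    for raw, tok in zip(tokens[start:], upper[start:]):
        caps.add(tok)
        if raw.endswith("]"):  # end of the bracketed greeting list
            break
    return caps


def assess(line, tls_active):
    """Summarise how a Unix client could authenticate on this connection."""
    caps = parse_capabilities(line)
    sasl = {c[5:] for c in caps if c.startswith("AUTH=")}
    # LOGIN and AUTH=PLAIN both send the password itself to the server.
    sends_password = "LOGINDISABLED" not in caps or "PLAIN" in sasl
    return {
        # Kerberos over IMAP is the SASL GSSAPI mechanism (single sign-on).
        "kerberos_sso": "GSSAPI" in sasl,
        "ntlm": "NTLM" in sasl,
        "password_in_clear": sends_password and not tls_active,
        "can_upgrade_to_tls": "STARTTLS" in caps,
    }


# Constructed samples: a password-only front-end, an NTLM-only back-end,
# and a server that would meet the single sign-on goal.
FRONT_END = "* CAPABILITY IMAP4 IMAP4rev1 IDLE NAMESPACE"
BACK_END = "* CAPABILITY IMAP4 IMAP4rev1 IDLE NAMESPACE AUTH=NTLM"
KERBERIZED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI] ready"

if __name__ == "__main__":
    for name, line in [("front-end", FRONT_END), ("back-end", BACK_END),
                       ("kerberized", KERBERIZED)]:
        print(name, assess(line, tls_active=False))
```

Pass `tls_active=True` when the response was read over an SSL connection; the front-end sample then no longer exposes the password on the wire, but still offers no single sign-on.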

22
Other Ways? (IMAP)
  • MS Exchange and certificates?
      • MS Exchange Server uses certificates to set up SSL connections
          • Server authentication
      • But it does not require client certificates
          • NO Client authentication

23
Other Ways? (HTTP/HTTPS)
  • IIS and certificates?
      • Mutual authentication is possible
      • Security Identity Mapping
          • Certificates mapped to Windows 2000 accounts
              • Automatically (UPN)
              • Manually
      • But no link with mail service

25
Conclusions
  • Unix clients and Exchange server
      • Kerberos is not supported
      • Certificates for server authentication
      • Single sign-on is not possible
      • Username and password is always required (typed or stored)
      • Encryption through SSL is possible

26
Additional notes
  • IIS supports mutual authentication via certificates.
  • Kerberos support in Exchange is often requested

http://msruniv.corp.bcentral.com/surveys/surveysummary.htm