Authenticating Unix Mail Clients to MS Exchange Server
Ernest Artiaga 8/11/2009
IS Technical Presentation 1

Outline
– Motivation and goals
– Technology
– Kerberos
– Windows 2000 authentication
– Exchange Server
– Other ways? (Certificates)
– Conclusions


Motivation and Goals
Scenario:
– Mail services moving to MS Exchange 2000 Server
– Unix clients accessing mail

What we would like:
– Single sign-on
– Secure access


Technology
Mail Access:
– IMAP
– HTTP/HTTPS (WebAccess)
– MAPI (?)

Authentication:
– Kerberos
– Certificates



Kerberos
[Figure: Kerberos exchange, step 1. Boxes: KDC (containing AS and TGS), Client, Server. The client asks the AS for a TGT ("1. Ask TGT") and receives a session key (SK) together with the TGT, labelled "SK (TGT)".]

Kerberos
[Figure: Kerberos exchange, step 2. Same boxes: KDC (AS, TGS), Client, Server. The client sends the server id, an authenticator and the TGT to the TGS, and receives a session key (SK) together with the service ticket, labelled "SK (ticket)".]

Kerberos
[Figure: Kerberos exchange, step 3. Same boxes: KDC (AS, TGS), Client, Server. The client presents the authenticator to the Server; client and server now share the session key (SK).]

Kerberos
Kerberized application programming interfaces
– Kerberos native interface
– GSS-API (Generic Security Services)
– SSPI (Windows 2000)


Windows 2000 Authentication
Basic Authentication
– Username and password in clear text
– Option to protect it via SSL

Windows Integrated Authentication
– Support for multiple authentication mechanisms
  • NTLM, Kerberos, DPA, …
– Ability to negotiate the mechanism…

Windows 2000 Authentication
[Figure: Windows 2000 authentication architecture. The Application calls the SSPI Interface; beneath it sit the Security Service Providers (SSP): Negotiate, Kerberos, NTLM, DPA, … . The SSPs use the LSA and its Authentication Packages, which consult the Authentication Database (Active Directory for Kerberos, SAM for NTLM). Cryptographic operations go through CryptoAPI to Cryptographic Service Providers (CSP) such as DES and RC4-HMAC.]

Windows 2000 Authentication
Some issues:
– Domain Controllers have an integrated KDC
– SSPI is the only interface supported
– The application decides which SSPs are acceptable
  • An application does not necessarily accept all available SSPs


MS Exchange Server
Front-end/Back-end topology
– Clients should contact the front-end

Different retrieval protocols
– IMAP
– HTTP
– …

MS Exchange Server
The front-end supports Basic Authentication only
– Channel can be encrypted using SSL

Windows Integrated Authentication supported in the back-end…
– … but the server only accepts NTLM

WebAccess supports Basic Authentication only

MS Exchange Server
Consequences:
– Currently, Kerberos authentication is not possible
– Other mechanisms require username and password
  • Typed on-line (no single sign-on)
  • Stored somewhere in the client (!)
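Added example, not code from the presentation: the Exchange slides above reduce to a rule a Unix IMAP client can enforce before it ever sends a Basic/LOGIN credential: use Kerberos (AUTH=GSSAPI) when the server offers it; otherwise send the username and password only over an SSL/TLS channel whose server certificate has been verified, never in clear text; and prompt for the password instead of storing it in the client. The Python below implements that rule with the standard library only. The CAPABILITY strings are constructed samples (not captured from a real Exchange server), and the host name and mailbox user in the usage comment are placeholders.

```python
"""Choose an IMAP authentication method from the server's CAPABILITY list.

Added example, not code from the original presentation. It applies the
deck's findings: prefer Kerberos (AUTH=GSSAPI) when offered; otherwise send
a Basic/LOGIN credential only over a verified SSL/TLS channel, and never
over clear text. Standard library only.
"""
import getpass
import imaplib
import ssl
from dataclasses import dataclass

# Constructed CAPABILITY responses (not captured from a real Exchange server).
SAMPLE_CAPABILITIES = {
    "frontend_over_ssl": "IMAP4 IMAP4rev1 AUTH=PLAIN IDLE",        # implicit TLS, port 993
    "frontend_port_143": "IMAP4 IMAP4rev1 LOGINDISABLED STARTTLS",  # clear text, before STARTTLS
    "kerberized":        "IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN STARTTLS",
    "legacy_clear_text": "IMAP4rev1",                               # nothing but LOGIN
}


@dataclass(frozen=True)
class AuthDecision:
    mechanism: str  # "GSSAPI", "PLAIN", "LOGIN", "STARTTLS" or "REFUSE"
    reason: str


def parse_capabilities(capabilities):
    """Normalise a CAPABILITY response (str, bytes, or imaplib's tuple of
    tokens) to a set of upper-cased tokens such as {"IMAP4REV1", "AUTH=PLAIN"}."""
    if isinstance(capabilities, bytes):
        capabilities = capabilities.decode("ascii", "replace")
    if isinstance(capabilities, str):
        tokens = capabilities.split()
    else:
        tokens = [t.decode("ascii", "replace") if isinstance(t, bytes) else t
                  for t in capabilities]
    return {t.upper() for t in tokens if t}


def choose_auth(capabilities, tls_active):
    """Decide how (or whether) to authenticate on this connection.

    tls_active is True once the socket is wrapped in SSL/TLS (implicit TLS
    on port 993, or after a successful STARTTLS on port 143).
    """
    caps = parse_capabilities(capabilities)
    if "AUTH=GSSAPI" in caps:
        # Kerberos: ticket-based, no password crosses the wire, single sign-on.
        return AuthDecision("GSSAPI", "server offers Kerberos via GSSAPI")
    if not tls_active:
        if "STARTTLS" in caps:
            return AuthDecision("STARTTLS", "upgrade to TLS before sending any credential")
        return AuthDecision("REFUSE", "no TLS available: LOGIN would send the password in clear text")
    # From here on the channel is encrypted, so a password may be sent (Basic auth).
    if "AUTH=PLAIN" in caps:
        return AuthDecision("PLAIN", "SASL PLAIN over TLS")
    if "LOGINDISABLED" in caps:
        return AuthDecision("REFUSE", "server disables LOGIN and offers no SASL mechanism")
    return AuthDecision("LOGIN", "IMAP LOGIN over TLS")


def connect_over_ssl(host, port=993):
    """Open an implicit-TLS session. The default context verifies the chain
    and host name: the server authentication the deck attributes to the
    server certificate."""
    ctx = ssl.create_default_context()
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


def authenticate(conn, username, password_prompt=getpass.getpass):
    """Authenticate an already-encrypted imaplib connection according to
    choose_auth(). The password is asked for at the prompt, not stored."""
    decision = choose_auth(conn.capabilities, tls_active=True)
    if decision.mechanism == "PLAIN":
        password = password_prompt()
        conn.authenticate("PLAIN", lambda _: f"\0{username}\0{password}".encode())
    elif decision.mechanism == "LOGIN":
        conn.login(username, password_prompt())
    elif decision.mechanism == "GSSAPI":
        # imaplib has no built-in GSSAPI callback; a Kerberos library outside the
        # standard library would supply one. Stop rather than fall back to a password.
        raise RuntimeError("AUTH=GSSAPI offered; use a GSSAPI-capable client here")
    else:
        raise RuntimeError(f"refusing to authenticate: {decision.reason}")
    return decision


if __name__ == "__main__":
    for name, caps in SAMPLE_CAPABILITIES.items():
        for tls in (False, True):
            d = choose_auth(caps, tls)
            print(f"{name:18} tls={tls!s:5} -> {d.mechanism:8} ({d.reason})")
    # Live use (placeholder host and user, assumption):
    # conn = connect_over_ssl("exchange-frontend.example.org")
    # authenticate(conn, "alice")
```

Against the Exchange 2000 front-end the deck describes, the only branch that can succeed is PLAIN or LOGIN over SSL, which is exactly the "username and password, typed on-line" consequence of the slide; the GSSAPI branch is there so the same client would get single sign-on from a server that does advertise Kerberos, without silently falling back to a password.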


Other Ways? (IMAP)
MS Exchange and certificates?
– MS Exchange Server uses certificates to set up SSL connections
  • Server authentication
– But it does not require client certificates
  • NO client authentication

Other Ways? (HTTP/HTTPS)
IIS and certificates?
– Mutual authentication is possible

Security Identity Mapping
– Certificates mapped to Windows 2000 accounts
  • Automatically (UPN)
  • Manually

… But no link with the mail service


Conclusions
Unix clients and Exchange server
– Kerberos is not supported
– Certificates for server authentication
– Single sign-on is not possible
– Username and password are always required (typed or stored)

Encryption through SSL is possible

Additional notes
IIS supports mutual authentication via certificates. Kerberos support in Exchange is often requested:
http://msruniv.corp.bcentral.com/surveys/surveysummary.htm


				