JavaMail Exchange Server Windows Integrated Authentication

Similar Messages

• Exchange 2013 CU1 Outlook Web App LogOff with Basic or Windows Integrated Authentication

  Hi all,
  Exchange 2013 CU1 has a new OWA LogOff behaviour when Basic or Windows Integrated Authentication is configured. When clicking the LogOff Button you receive the message "Close All your Browser Windows.." but OWA does not sign out. This is not the
  case when using Formbased Authentication...
  The problem in our case is the OWA publishing over the Internet via TMG. When publishing via TMG, only Basic and NTLM authentication is supported. This means you have to change the Authentication for the OWA Virtual Directory to basic or Windows Integrated.
  OK so far, now we can use the TMG Authentication Form. but... TMG is not able to Catch the OWA LogOff. So we will still receive "Close all your Browser Settings.." and no log out from OWA.
  It is a known issue that TMG cannot catch the OWA Logoff with the Exchange 2013 CU1 Release..So my Question:
  Does anyone get that "Real LogOut" fixed via TMG or directly on the CAS Server for Exchange 2013 CU1?
  I know another possibility is to activate Form Based Authentication on the CAS Servers and external users directly authenticate against the CAS Server without pre-authentication at TMG Level, but this of course does not provide the highest security
  we can have.

  Hi SLShare,
  As far as I know, if there is no TMG involved, with Exchange 2013 when the user signs out of mail, the authentication tokens are cleared and the user will be presented with the
  Login Screen.  There will not be a need to click on "Close Window" or any other pop ups that may appear.
  Therefore, you may ask the TMG forum about this question and see whether there are still some other workaround we can temporary bypass this issue. For your convenience:
  Forefront TMG and ISA Server Forum - TechNet - Microsoft
  http://social.technet.microsoft.com/Forums/forefront/en-US/home?forum=Forefrontedgegeneral
  Thanks,
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Simon Wu
  TechNet Community Support

• Exchange server 2013 proxy authentication

  Hi All,
  I wanted to know what is the recommended proxy authentication for exchange server 2013. 
  I have observed the following from different proxy authentications:
  1. Negotiate: By default, the proxy authentication is set to negotiate and uses anonymous as Log on network security(un-encrypted MAPI)
  2. Basic: It always prompts for the user credentials and uses encrypted MAPI.
  3. NTLM: Use negotiate at MAPI level by default
  Please provide me some information on different authentication mechanisms and the one which is recommended to use. 
  Thanks,
  Srinivas.

  Hi Srinivas,
  According to my knowledge, there are my views below:
  Basic authentication: If you select this authentication type, Outlook will prompt for username and password
  while attempting a connection with Exchange.
  NTLM authentication: If you select this authentication type, exchange does not prompt users for a user
  name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser
  will prompt the user for a Windows user account user name and password. So, when Outlook is trying to connect to Exchange and if the machine is domain joined, there isn’t a need to provide password.
  Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated
  authentication and Kerberos authentication. If we employ negotiate authentication, exchange will authenticate the client using NTLM authentication type and if unable to verify authenticity, will challenge the client to authenticate using a username and password.
  And you could set the authentication type like this:
  ExternalClientAuthenticationMethod : Basic
  InternalClientAuthenticationMethod : Ntlm
  IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
  The command below for your reference:
  Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname "internalServer.contoso.com" -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl $true -ExternalHostname "externalServer.company.com" -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl $true -IISAuthenticationMethods Negotiate,NTLM,Basic
  If you have any further questions, please let me know.
  Best regards,
  Eric

• Windows Integrated Authentication Help From Middle Tier

  We are trying to enable single sign-on using Windows Integrated Authentication so that the user does not have to enter a username or password, they just get logged in automatically. I created the current Oracle account on the database and it works just fine when I try to connect from my local computer to the database. Our problem is that our application calls an application that runs as a Windows services on the middle tier, and so it gets an invalid username/password error. I can see in the audit logs that it is trying to connect to the database as NT AUTHORITY\ANONYMOUS LOGON.
  The client, middle tier, and database are all Windows based operating systems. The applications is a .Net application and we turned on Impersonation which we read will help pass the client OS user to middle tier so that the application runs as them. And that appears to be working correctly. Again we can get this working when we host the windows service locally, it just wont work when it is hosted on the middle tier. Any ideas how to get this to work?
  Oracle version 11.2.0.2 and 11.2.0.3
  Windows Server 2008 R2

  Hi, jeff81.
  I had same problem with Win2003 server. Try this:
  Start -> Settings -> Control Panel -> Administrative Tools -> Services
  then select "PROPERTIES/LOGON" for necessary service.
  Change "Local System account" to your user account.
  Make sure that user account have necessary grants.
  ps. sorry my poor english :(

• Windows Integrated Authentication on an ABAP data source

  Dear Experts,
  I have to implement Windows Integrated Authentication in my portal. By using Kerberos & SPNEGO, we can implement very easily if portal user id & windows (ADS) user id is same. But my scenario is windows id & portal id is different & data source is already configured as ABAP. Can you suggest me how we can achieve this requirement.
  Regards,
  VENU

  Hi,
  isnt the property krb5principalname used to define the mapping of the user ID when you cannot use the AD standard samaccountname?
  I think that the mapped user ID (as provided by krb5principalname) must be identically with the ABAP userID. When the ABAP user ID isn't present in the LDAP information, SSO won't be possible. Somehow he needs to publish the ABAP user ID into the AD.
  SAP Help:
  http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c363ac31e30f3e10000000a11466f/frameset.htm
  http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c3725aeaf30b4e10000000a11466f/frameset.htm
  br,
  Tobais

• WebLogic 10gR3 and Windows Integrated Authentication

  Hi:
  I have an intranet web application running on WebLogic 10gR3 and would like to make use of the Windows Integrated Authentication (SSO, SPNEGO, Active Directory) so that the intranet users don't have to log in to access the web application.
  In weblogic, I've managed to create an ActiveDirectoryAuthenticator and can see all the users and groups from Active Directly. Also created a NegotiateIdentityAsserter with both WWW-Authenticate.Negotiate and Authorization.Negotiate options.
  When I set the web.xml login-config to BASIC, the browser shows the login dialog and authentication happens through AD. I've changed the login-config to CLIENT_CERT as suggested by the documentation:
  <login-config>
       <auth-method>CLIENT-CERT</auth-method>
  </login-config>but I'm getting the following error:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  The request requires user authentication. The response MUST include a
  WWW-Authenticate header field (section 14.46) containing a challenge
  applicable to the requested resource. The client MAY repeat the request
  with a suitable Authorization header field (section 14.8). If the request
  already included Authorization credentials, then the 401 response indicates
  that authorization has been refused for those credentials. If the 401
  response contains the same challenge as the prior response, and the user
  agent has already attempted authentication at least once, then the user
  SHOULD be presented the entity that was given in the response, since
  that entity MAY include relevant diagnostic information. HTTP access
  authentication is explained in section 11.Help is highly appreciated
  Albert
  Edited by: albertattard on Jul 13, 2009 3:40 PM
  Edited by: albertattard on Jul 13, 2009 3:42 PM

  Hi:
  I have an intranet web application running on WebLogic 10gR3 and would like to make use of the Windows Integrated Authentication (SSO, SPNEGO, Active Directory) so that the intranet users don't have to log in to access the web application.
  In weblogic, I've managed to create an ActiveDirectoryAuthenticator and can see all the users and groups from Active Directly. Also created a NegotiateIdentityAsserter with both WWW-Authenticate.Negotiate and Authorization.Negotiate options.
  When I set the web.xml login-config to BASIC, the browser shows the login dialog and authentication happens through AD. I've changed the login-config to CLIENT_CERT as suggested by the documentation:
  <login-config>
       <auth-method>CLIENT-CERT</auth-method>
  </login-config>but I'm getting the following error:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  The request requires user authentication. The response MUST include a
  WWW-Authenticate header field (section 14.46) containing a challenge
  applicable to the requested resource. The client MAY repeat the request
  with a suitable Authorization header field (section 14.8). If the request
  already included Authorization credentials, then the 401 response indicates
  that authorization has been refused for those credentials. If the 401
  response contains the same challenge as the prior response, and the user
  agent has already attempted authentication at least once, then the user
  SHOULD be presented the entity that was given in the response, since
  that entity MAY include relevant diagnostic information. HTTP access
  authentication is explained in section 11.Help is highly appreciated
  Albert
  Edited by: albertattard on Jul 13, 2009 3:40 PM
  Edited by: albertattard on Jul 13, 2009 3:42 PM

• MS. Exchange Server 2007 Integration

  I want to integrate MS. Exchange Server 2007 with my WebCenter portal application. I read that I can do this with WebCenter Interaction. I have following questions:-
  1. Is the license of WebCenter Interaction is convered under the license of WebCenter Suite?
  2. Does WebCenter Interaction support Exchange Server 2007 version?
  Or will you guys suggest me any other solution for same purpose. Waiting for your reply.
  Regards,
  Imran

  Hi Imran,
  As per my information Webcenter Suite 10.1.3.2 does not have any direct integration capability with MS Exchange Server due to DEEP LINK LIMITATION. Only possible work around is go for External Application SSO registration and then render that URL in IFRAME.
  As far as WEBCENTER INTERACTION is concerned i think its seprately licensed and eventhough it's free you need extra Hardware to Install and Configure.
  Regards,
  Vindhyachal Sharma

• Crystal Report 2008 Server - Windows AD authentication

  We have installed Crystal Report 2008 Server and have created Administrator with Enterprise authentication. Using Administrator login, Windows AD-groups were mapped, none of the user from the defined group is able to login using InforView. Created Administrator using Windows-AD authentication, that user to is not able to login.
  When tried LDAP authentication and mapped users, it's not working as well.
  What needs to be done here? we need to get it done urgently.
  Thanks,
  Pradnya

  I have a Windows 2008 Standard 32bit Server running CRS2008
  I performed a default install with ONLY WACS.  I have looked through every possible document I could find to get kerberos working and am still having trouble.  The specific error I am getting when trying to logon to the CMC is:
  Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
  The AD group is mapped, I have followed every Kerberos setup document to the letter and still nada.
  Any help would be greatly appreciated.
  Chad

• Windows Integrated Authentication & SAP Logon tickets

  1) We have configured windows authentication and the IISproxy on a SPS frontend server to our SAP portal environment.
  2)We have configured SAP logon tickets on the SAP portal (running on hp-ux).
  3) Both the IIS server and the sap portal server exist on the same domain inside our firewall (iis_server.lsv.internal_company_name.com and sap_portal_server.lsv.internal_company_name.com)
  4) A virtual URL has been created on the IIS server, http://sap_portal.external_company_name.com, using a domain alias.
  5) When an authenticated user is passed from the IIS server to the SAP portal the SAP logon ticket that is created is for external_company_name.com alias rather than lsv.internal_company_name.com. This logon ticket is not accepted by any of the backend SAP systems that have been configured to except logon tickets because they all exist in the lsv.internal_company_name.com domain.
  6) The portal security guide says:
  "The Portal Server issues a SAP logon ticket for the Internet domain or a sub-domain of the
  Portal Server only."
  Given this scenario, is there some configuration that can be added to allow the use of this alias or is there a bug in the SAP portal code that needs to be addressed?

  Hi,
  You cannot use the external alias. You can however set SSO on the portal not to look to the total url. For example it would work if you use:
  sap_portal_server.lsv.internal.company_name.com
  and
  sap_portal.external.company_name.com
  The prerequisite here is that at least the domain name should be the same i.e. the last two parts.
  Greetings,
  Vincent

• Windows Integrated Authentication to SAP R/3

  Hi,
  I dont know weather this issue has to be posted here or in WAS or GUI.
  Is there any way to do the Integrates Windows Authentication to SAP R/3. Once the Users logs in to the Network domain adn then to SAP GUI, the User should not prompt for User id and should directlt take in to the Role Menu.
  I know for Portal it is possible, but i am not sure for R/3. Please let me know if there is any documentation for the same.
  Thanks & Regards
  Sumanth

  Sumath,
  there are various variants to do so:
  If your R/3 is running on Windows (and in the same / trusted domain), you can use SNC with either NTLM or Kerberos authentication
  Otherwise you can log on with SAP Logon Tickets. You mentioned already that you know NTLM/Kerberos is feasible with EP. Now, if you simply integrate your R/3 systems in EP by means of SAP logon tickets you have essentially a smooth SSO for your users.
  Finally, you can use ITS up to 6.20 on Windows to SSO to R/3 (the latter on not neccessarily on Windows, too). Simply setup webgui, active SAP logon tickets and configure the PAS service to use Windows authentication.
  Whatever you decide on, al alternatives are a piece of cake to set up.
  Regards,
  Dominik

• Windows Integrated Security with SSRS, Sharepoint 2013 and SSAS over http

  I have the following setup and problem:
  Sharepoint 2013 with SSRS in Sharepoint integrated mode
  SSAS 2012 SP1 with http access (IIS + msmdpump) enabled on the same box as SSAS
  Every component I have tried works fine with this (PerformancePoint, .bism connections, SSIS packages etc.), connecting over http using Kerberos and windows integrated authentication.
  SSRS (.rsds) connections in Sharepoint fail a connection test when using the same http connection string + Windows integrated authentication which works for everything else. The error is: "Unsupported data format: -> Microsoft.ReportingServices.DataExtensions.AdomdTestConnectionException:
  Unsupported data format:"
  SQL server profiler shows that the windows username is reaching the SSAS server is all cases.
  Kerberos delegation is set up for SSAS and is working.
  Switching the .rsds connection to saved credentials (same user as I tried with Windows integrated auth) works fine and SQL server profile logs look the same as the Windows integrated case.
  So, everything seems to work with Kerberos + http apart from SSRS ... any idea welcome. I did read that SSPI is not supported for http connections but then again, there are sites which give examples of exactly such connection strings. I can't find any
  mention of this case or exact problem anywhere ...

  For information, this was fixed by applying the .NET 4.5.1 patch as advised by MS support. Now http connections from integrated mode SSRS work ok.

• SSRS and SharePoint Integration Authentication Issue

  We recently turned on SSRS for our SharePoint 2010 Test Environment.  We are using an account that has rights to SharePoint as a site collection administrator, the feature is enabled on the site collection and site level, it has access to the SQL instance
  to pull the reports.  The report config file specifies NTLM authentication.  It acts as if it will configure and goes through the SP Central Administration steps successfully.  When I try to deploy a report, I receive the following error:
  Exception encountered for SOAP method GetSystemProperties: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.     at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SetConnectionProtocol()    
  at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SoapMethodWrapper`1.ExecuteMethod(Boolean setConnectionProtocol) 1afe9dfd-9846-4194-bddf-fcb0ded634be
  06/14/2012 15:37:43.03  w3wp.exe (0x1E78)                        0x1754 SQL Server Reporting Services  SOAP Client Proxy            
   0000 High     Exception encountered for SOAP method GetSystemProperties: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.     at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SetCo
  If I turn on trusted accounts, it works, but then it argues when the report loads because our reports use windows integrated authentication.  We would prefer to have windows integrated authentication to control who can see reports by their
  login name.  Any ideas?  I feel like I have exhausted options.

  Can you please elaborate on how to avoid using Kerberos and use the Secure Store to access our external SQL data? In our test environment, we have SharePoint 2013 Ent, SQL 2012 Ent. I am trying to use PowerView to access a Direct Query data model created
  in SSAS tabular mode. My connection from SharePoint to the model is successful but fails with a reporting service error:
  Cannot create a connection to data source 'EntityDataSource'.
  <detail><ErrorCode xmlns="rsErrorOpeningConnection</ErrorCode><HttpStatus">http://www.microsoft.com/sql/reportingservices">rsErrorOpeningConnection</ErrorCode><HttpStatus xmlns="400</HttpStatus><Message">http://www.microsoft.com/sql/reportingservices">400</HttpStatus><Message
  xmlns="Cannot">http://www.microsoft.com/sql/reportingservices">Cannot create a connection to data source 'EntityDataSource'.</Message><HelpLink xmlns="http://go.microsoft.com/fwlink/?LinkId=20476&EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&EvtID=rsErrorOpeningConnection&ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&ProdVer=11.0.3000.0</HelpLink><ProductName">http://www.microsoft.com/sql/reportingservices">http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsErrorOpeningConnection&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3000.0</HelpLink><ProductName
  xmlns="Microsoft">http://www.microsoft.com/sql/reportingservices">Microsoft SQL Server Reporting Services</ProductName><ProductVersion xmlns="11.0.3000.0</ProductVersion><ProductLocaleId">http://www.microsoft.com/sql/reportingservices">11.0.3000.0</ProductVersion><ProductLocaleId
  xmlns="1033</ProductLocaleId><OperatingSystem">http://www.microsoft.com/sql/reportingservices">1033</ProductLocaleId><OperatingSystem xmlns="OsIndependent</OperatingSystem><CountryLocaleId">http://www.microsoft.com/sql/reportingservices">OsIndependent</OperatingSystem><CountryLocaleId
  xmlns="1033</CountryLocaleId><MoreInformation">http://www.microsoft.com/sql/reportingservices">1033</CountryLocaleId><MoreInformation xmlns="<Source>Microsoft.ReportingServices.ProcessingCore</Source><Message">http://www.microsoft.com/sql/reportingservices"><Source>Microsoft.ReportingServices.ProcessingCore</Source><Message
  msrs:ErrorCode="rsErrorOpeningConnection" msrs:HelpLink="http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsErrorOpeningConnection&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3000.0"
  xmlns:msrs="Cannot">http://www.microsoft.com/sql/reportingservices">Cannot create a connection to data source 'EntityDataSource'.</Message><MoreInformation><Source>Microsoft.AnalysisServices.AdomdClient</Source><Message></Message><MoreInformation><Source>mscorlib</Source><Message>Access
  is denied.
  </Message></MoreInformation></MoreInformation></MoreInformation><Warnings xmlns="http://www.microsoft.com/sql/reportingservices" /></detail>

• Windows Intergrated Authentication with reverse proxy issue with Safari

  Hi All
  I having a application which has Windows Integrated Authentication, for Internet users we are having a reverse proxy which has a IIS server which will authenticate using basic authentication then redirected to the actual application, every thing works as expected in IE and firefox but in safari there is a second login dialog box appears. When I did a packet capture using wireshark I noticed that in IE and FF the basic authentication which is carried forward to the actual application from IIS server but in Safari there is a NTLM negotiation in between because there is a 401 response so my application asks for on more login dialog. Dose any one knows why safari is behaving like this?
  Thanks & Regards
  Karthikeyan Vaithilingam

  I found a related post https://discussions.apple.com/thread/3274071?start=0&tstart=0. There is an issue with basic authentication and Http Redirect.

• Problem connecting outlook 2013 to exchange server

  Hello,
  I recently bought a new windows laptop for emailing (our company is otherwise only using Mac).
  Setting up Outlook with the intended email address failed, and at this point, when clicking Outlook, I get the following message:
  "The connection to Microsoft Exchange is unavailable. Outlook must be be online or connected to complete this action."
  The only option is to click "ok".
  The following window is then opened:
  "Microsoft Exchange"
  It has only one tab, containing:
  "Microsoft Exchange server" window, in which I've entered the server address.
  "Mailbox" window, in which I've entered the email address. There is a button called "Check Name".
  If clicked, the following message shows up:
  "The name can not be resolved. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action."
  By clicking "ok" anyway, the following message appears:
  "Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The file C:\xxxxxxxxxxx.ost is not an Outlook datafile (.ost)."
  The problem seems to be that there is nothing I can do to change these messages. I have access to the correct server name, address etc.
  What to do?
  Thank you for your help!

  Hi Scout,
  Thank you for your question.
  As Ronomatic said, we could clear the present profile and re-build profile by the following link:
  http://support2.microsoft.com/kb/829918/en-us
  The problem seems to be that there is nothing I can do to change these messages. I have access to the correct server name, address etc.
  Notice: We will make sue the client could resolve the FQDN of Exchange server by
  Ping or Nslookup；
  Waiting your reply. 
  Best Regard,
  Jim

• Web Dispatcher with Windows Intgrated Authentication

  Hello,
  We are setting up the relay of Browser ==> IISProxy ==> Web Dispatcher ==> Cluster.  We plan to use Windows Integrated Authentication and terminate the SSL connection at the IIS.  We are wondering how smoothly this will go as we have read differences in the order between IISProxy and WebDispatcher (in these forums) and have found nothing on the combination with SSL.  I assume that the IISProxy will encrypt, authenticate, provide the cookie and then forward the request to the Web Dispatcher for further routing to the cluster.
  Needless to say, has anyone done this successfully?  Can anyone provide information, warnings, caveats, etc... so that we can decide to use the Web Dispatcher or another software-based NLB solution.  We understand the technical benefits - especially in an SAP shop, but if there are richer features for authentication in latter releases we may consider putting it on hold and going with a known solution.
  We have seen some appliances that can perform the SSL termination, 3rd party authentication, etc, etc,... are there any plans for the Web Dispatcher to be able to perform the authentication with windows (NTLM or Kerberos)?
  All of the other features are grat and a breeze to work with however authentication on the MS domain is a must here and it may be the missing functionality.
  Thanks and kind regards,
  Judson

  Hi Judson,
  currently there is no plan to enhance web dispatcher into that direction. Instead we started to work together with network technology providers to offer the funtcionality of web dispatcher together with additional security and authentication stuff.
  network is not our business, so there are no plans to boldly go into that direction. Because of that such combinations like authentication with wd are sometimes hard to do.
  If you want a tip for the future I'd say, what you will see is boxes that have everything in there and two plugs for the internet and the sap network -everything else (firewalls, authentication, load balancing with automatic recognition of the sap cluster) would be in the box.
  Regards,
  Benny