
Outlook 2007 authentication issue (Outlook 2007 send/receive locking AD account)
scolew

We are running KMS 6.5 using the internal database. We have several users that are running Outlook 2007; most all other users are on Outlook 2002. When those with Outlook 2007 check their mail, it locks out their Active Directory account on our domain controller on a Windows 2000 domain. Anyone have any thoughts on this? Thanks!!!
sedell

I've run into that before. Outlook 2007 does some really dumb things with authentication. Check your security and warning logs. Do you see a lot of failed authentication attempts from these clients?

A few questions:
How are the Outlook 2007 clients set up? POP3, IMAP, KOC/KOFF?
Do you use SPA/NTLM authentication? Not just on the machines having trouble, but any others.
Are the machines they are connecting from members of the domain?

Scott
scolew

> I've run into that before. Outlook 2007 does some really dumb things with authentication. Check your security and warning logs. Do you see a lot of failed authentication attempts from these clients?

You are talking about the KMS logs, correct? I will check.

> A few questions:
> How are the Outlook 2007 clients set up? POP3, IMAP, KOC/KOFF?

POP3

> Do you use SPA/NTLM authentication? Not just on the machines having trouble, but any others.

How do I know if I am... I believe NTLM... but how do I check this on the DC?

> Are the machines they are connecting from members of the domain?

Yes, the machines are members and are listed.

Thanks for your help!
sedell

scolew wrote on Wed, 28 January 2009 12:49

> How do I know if I am... I believe NTLM... but how do I check this on the DC?

Outlook usually has a checkbox on the screen where you specify username and password for SPA. I don't know how well it works with a POP3 account. The last time I tested that setup was in Outlook 2000, and it didn't work as expected in that version.

Also, in the server debug log, you might want to enable POP3 Server and User Authentication. That should show you what's happening when an Outlook 2007 user connects.

Scott
scolew

[28/Jan/2009 12:37:56][2692] {auth} NTLM: Continuing authentication.
[28/Jan/2009 12:37:56][2692] {auth} NTLM: error while accepting security context - logon denied (-2146893044)
[28/Jan/2009 12:37:56][1548] {pop3s} Command: STAT
[28/Jan/2009 12:37:56][1548] {pop3s} Command: UIDL
[28/Jan/2009 12:37:57][1548] {pop3s} Command: QUIT
[28/Jan/2009 12:37:57][1548] {pop3s} Session end
[28/Jan/2009 12:37:59][2692] {pop3s} Command: AUTH DIGEST-MD5
[28/Jan/2009 12:37:59][2692] {auth} DIGEST: first step, we send the digest
[28/Jan/2009 12:37:59][2692] {auth} DIGEST: second step, we get the token
[28/Jan/2009 12:37:59][2692] {ldapdb} lreynolds@tcbphila.com: Looking up in cache...
[28/Jan/2009 12:37:59][2692] {auth} DIGEST: comparing 04312029be540d551885076fdd63db80 and 04312029be540d551885076fdd63db80
[28/Jan/2009 12:37:59][2692] {auth} DIGEST: user lreynolds@tcbphila.com authenticated
sedell

That looks very similar to what I was getting with Outlook 2007. In my case, Outlook 2007 was using NTLM even though we didn't want it to. The computers having problems were not members of the domain, and the users were not Active Directory accounts, so NTLM had no chance of succeeding.

From what I could determine, authentication in Outlook 2007 works like this:

  1. Query the server for supported authentication methods
  2. Choose the most secure authentication method available. If you have NTLM enabled on the server, it will use NTLM regardless of any settings you specify on the client, because it considers it more secure than the other methods.
  3. If authentication fails, only then use another authentication type.


There are two problems with this. Unless you are specifically set up for it, NTLM authentication will fail. Even on machines that are not a member of a domain, using local machine accounts, OL2007 will use NTLM first, even though it has no chance of succeeding.

The second problem is that when it gets to an authentication type that works, it doesn't store this information anywhere, so it goes through the above procedure every time it connects and authenticates. This leads to multiple failed authentications, which leads to accounts getting locked.

That's what you are running into. It's trying NTLM first, failing, then trying DIGEST-MD5. The question is, why is NTLM failing. If you are set up for it, and intended to use it, there's a problem somewhere that has to be corrected.

If you didn't plan on using NTLM, you just ran into Outlook 2007 hell. I haven't found any way to disable this behavior in OL2007. Two workarounds I found are to use KOC/KOFF, since they respect the SPA setting in the account settings, or to disable NTLM authentication on the server so it doesn't respond to OL2007 that it's supported.

Scott
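The failure pattern described in the post above (one denied NTLM step per connection, followed by a DIGEST-MD5 success on the same connection) is what the debug log earlier in the thread shows, and it is the kind of thing worth measuring before an account locks. The script below is an added example written for this thread, not a Kerio tool: it parses lines in the format quoted above, charges each "logon denied" NTLM step to whichever account later authenticates on the same connection id (the NTLM failure itself never names the user), and then checks every account against an assumed Active Directory lockout threshold and observation window. The sample log is constructed: only the first connection is modelled on the posted lines; the other connection ids, times and the second account are made up, and the threshold of 5 failures in 30 minutes is an assumption to be replaced with the domain's real policy.

```python
"""Attribute NTLM failures in a Kerio Connect debug log to the account that
later authenticates on the same connection, then flag accounts that would
trip an AD lockout threshold.

Added example for this thread; not Kerio's own code. Log format taken from
the lines posted above; threshold, window and most sample entries are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<conn>\d+)\] \{(?P<comp>\w+)\} (?P<msg>.*)$"
)
TS_FMT = "%d/%b/%Y %H:%M:%S"
NTLM_FAIL = "NTLM: error while accepting security context"
AUTH_OK_RE = re.compile(r"user (?P<user>\S+) authenticated$")

# Constructed sample. Connection 2692 mirrors the posted log; the rest is
# invented to show repeated connections from one client plus a second user
# and a connection that failed NTLM and never recovered.
SAMPLE_LOG = """\
[28/Jan/2009 12:37:56][2692] {auth} NTLM: Continuing authentication.
[28/Jan/2009 12:37:56][2692] {auth} NTLM: error while accepting security context - logon denied (-2146893044)
[28/Jan/2009 12:37:56][1548] {pop3s} Command: STAT
[28/Jan/2009 12:37:59][2692] {pop3s} Command: AUTH DIGEST-MD5
[28/Jan/2009 12:37:59][2692] {auth} DIGEST: user lreynolds@tcbphila.com authenticated
[28/Jan/2009 12:42:01][2705] {auth} NTLM: error while accepting security context - logon denied (-2146893044)
[28/Jan/2009 12:42:03][2705] {auth} DIGEST: user lreynolds@tcbphila.com authenticated
[28/Jan/2009 12:45:30][2710] {auth} NTLM: error while accepting security context - logon denied (-2146893044)
[28/Jan/2009 12:45:31][2710] {auth} DIGEST: user jdoe@tcbphila.com authenticated
[28/Jan/2009 12:47:02][2718] {auth} NTLM: error while accepting security context - logon denied (-2146893044)
[28/Jan/2009 12:47:04][2718] {auth} DIGEST: user lreynolds@tcbphila.com authenticated
[28/Jan/2009 12:52:05][2724] {auth} NTLM: error while accepting security context - logon denied (-2146893044)
[28/Jan/2009 12:52:06][2724] {auth} DIGEST: user lreynolds@tcbphila.com authenticated
[28/Jan/2009 12:57:08][2731] {auth} NTLM: error while accepting security context - logon denied (-2146893044)
[28/Jan/2009 12:57:10][2731] {auth} DIGEST: user lreynolds@tcbphila.com authenticated
[28/Jan/2009 13:05:40][2799] {auth} NTLM: error while accepting security context - logon denied (-2146893044)
[28/Jan/2009 13:05:41][2799] {pop3s} Session end
"""


def parse(log_text):
    """Yield (timestamp, connection id, component, message) per log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner / continuation lines in a real log are skipped
        yield datetime.strptime(m["ts"], TS_FMT), m["conn"], m["comp"], m["msg"]


def attribute_failures(log_text):
    """Return ({user: [failure timestamps]}, count of unattributed failures).

    A denied NTLM step carries no username, so it is held per connection id
    and charged to the account that later authenticates on that connection.
    """
    pending = defaultdict(list)
    by_user = defaultdict(list)
    for ts, conn, comp, msg in parse(log_text):
        if comp != "auth":
            continue
        if NTLM_FAIL in msg:
            pending[conn].append(ts)
            continue
        ok = AUTH_OK_RE.search(msg)
        if ok:
            by_user[ok["user"]].extend(pending.pop(conn, []))
    unattributed = sum(len(v) for v in pending.values())
    return dict(by_user), unattributed


def accounts_at_risk(by_user, threshold=5, window=timedelta(minutes=30)):
    """Return {user: failures} for users with >= threshold failures in any window.

    threshold/window stand in for the domain's real lockout policy (assumed).
    """
    at_risk = {}
    for user, times in by_user.items():
        times = sorted(times)
        best = 0
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            at_risk[user] = best
    return at_risk


if __name__ == "__main__":
    failures, orphaned = attribute_failures(SAMPLE_LOG)
    for user, times in failures.items():
        print(f"{user}: {len(times)} NTLM failures before a successful login")
    print(f"unattributed NTLM failures: {orphaned}")
    print("at risk of lockout:", accounts_at_risk(failures))
```

Run against the real debug log with POP3 Server and User Authentication logging enabled, the per-user counts show which Outlook 2007 clients are generating the failed NTLM steps, and the unattributed count shows connections where the client gave up instead of falling back. Those are the same numbers the domain controller's Security log would be counting toward a lockout.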
scolew

I figured out the problem.

If I make the Kerio internal user password the same as their AD Windows account password... it doesn't lock them out of AD. It works fine after that even if you change their Windows password. I don't know why this happened because we don't even use AD integration with Kerio... but it works!

Thanks to all of you who helped!!!!