19,543 views

Different Windows IIS Authentications and Thunderbird Or Firefox

(2014-10-21) As you can read I no longer maintain this add-on. But the guys from Ericsson have taken over maintanance. You can get new versions from their github page: https://github.com/Ericsson/exchangecalendar/releases.

I will keep my pages online for the archive.

!!! The next information is old and outdated !!!

Windows Internet Information Service (IIS) serviced websites can use different authentication providers. For the Exchange Web Services (EWS) one or a combination of those authentication providers is turned on. For the autodiscovery service this is the same but it could be a different provider than for the EWS service.

The following are available in Windows2008:

  1. NTLM
  2. Kerberos
  3. Basic authentication.
  4. Extended Protection for Authentication.

To be able to use the “Exchange 2007/2010 Calendar and Tasks add-on” within Lightning & Thunderbird it might be necessary to change some configuration settings of Thunderbird to get it to Authenticate in the right way to the EWS service. You need to make these settings before you configure an Exchange calendar in Thunderbird.

If “Extended Protection for Authentication” is enabled on the IIS webserver for the EWS interface than it is not possible to view your exchange calendar in Thunderbird/Lightning. See the explanation in this technet article.

On Windows:

When NTLM is active on the IIS EWS server you do not have to do anything. When you add a new exchange calendar it will ask for your password once and it should work by default. No configuration changes required.

When Kerberos is active on the IIS EWS server you need to change the following configuration settings in Thunderbird (Main menu “Edit” | option “Preferences” |  option “Advanced” | tab page “General” | button “Config Editor”)  or Firefox (webpage about:config):

  • network.negotiate-auth.delegation-uris: <full domainname>
  • network.negotiate-auth.trusted-uris: <full domainname>
  • network.auth.use-sspi: true

Your computer also needs to be part of the windows domain you are trying to authenticate against (Kerberos Client Configurklistation) and you need to be logged on with the domain user you use to access the exchange calendar or you need to have extra Kerberos client software (MIT: Kerberos for Windows KfW) installed which arranges this for you.

When you use another kerberos client because your computer is not connected to the domain it is part of or it is not part of a windows domain you also need to set the following configuration settings in Thunderbird/Firefox.

  • network.auth.use-sspi: false

Following are not necessary for the MIT client.

  • network.negotiate-auth.using-native-gsslib: false or true (true is default value)
  • network.negotiate-auth.gsslib: <full path to gssapi dll file> (default is empty. Specifies a alternate GSSAPI shared library e.g. c:\MIT\bin\gssapi32.dll)

On Linux:

When NTLM is active on the IIS EWS server you do not have to do anything. When you add a new exchange calendar it will ask for your password once and it should work by default. No configuration changes required.

When Kerberos is active on the IIS EWS server you need to change the following configuration settings in Thunderbird (Main menu “Edit” | option “Preferences” |  option “Advanced” | tab page “General” | button “Config Editor”) :

  • network.negotiate-auth.delegation-uris: <full domainname>
  • network.negotiate-auth.trusted-uris: <full domainname>

And you have to configure the kerberos environment. You do this by editing the file /etc/krb5.conf and run the command kinit followed by klist to check if everything went right.

/etc/krb5.conf example:

  • Domain controller: dc.example.com
  • full domainname (in uppercase): EXAMPLE.COM
  • Accessing sites with hostnames like: *.example.com
  • Windows username: john
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
kdc = dc.example.com
admin_server =dc.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

ALL FULL DOMAINNAMES MUST BE IN UPPERCASE!!

Example output of “kinit <windowsusername>” command. When password is asked enter windows password for specified user. You have to do this after each reboot or you have to configure that this is done automatically.

[miv@odi ~]$ kinit -V john
Using default cache: /tmp/krb5cc_500
Using principal: john@EXAMPLE.COM
Password for john@EXAMPLE.COM:
Authenticated to Kerberos v5
[miv@odi ~]$ 

Example output of “klist” command.

[miv@odi ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: john@EXAMPLE.COM

Valid starting     Expires            Service principal
02/15/12 22:36:36  02/16/12 08:36:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 02/22/12 22:36:36
02/15/12 22:36:41  02/16/12 08:36:40  HTTP/exchange2010.example.com@EXAMPLE.COM
renew until 02/22/12 22:36:36
[miv@odi ~]

Links to sites with more info:

Leave a Reply

Your email address will not be published. Required fields are marked *