Entourage 2008 supports the Kerberos protocol as a method of authentication with Microsoft Exchange Server and standalone LDAP accounts. Kerberos is a network authentication protocol that uses cryptography to provide mutual authentication for a network connection between a client and a server, or between two servers, without sending the user's password across the network.
Kerberos is based on tickets. A client proves its identity to the authentication server only once, with a user name and password, and the server returns an encrypted ticket together with a session key that expires after a specified lifetime. The session key is encrypted with a key derived from the user's password, so only a client that knows the password can recover it; the ticket itself is encrypted with the key of the service it is for, and the client passes it on unchanged. Each request the client makes with the ticket carries an authenticator with a fresh timestamp, which lets the server reject a captured ticket and authenticator that are replayed later (a replay attack is a network attack in which a valid data transmission is maliciously repeated or delayed). If an attacker captures a ticket, the exposure is limited to that ticket's lifetime and session key. The client uses the ticket it received at logon to request tickets for other network services without entering the password again. To use this scheme, both the client and the server must be able to reach the domain's Key Distribution Center (KDC), the network service that issues session tickets and temporary session keys in the Kerberos V5 protocol; in Active Directory the KDC runs as a privileged process on every domain controller.
Mac OS X includes built-in support for Microsoft Kerberos authentication and for Active Directory authentication policies such as password changes, expiration and forced password changes, as well as Active Directory replication and failover. By using the Mac OS X Kerberos service, Entourage 2008 takes part in single sign-on, which gives users better password handling and a cleaner setup experience.
Kerberos authentication and Entourage
You should determine the type of authentication that your organization's Exchange server uses. The Exchange server can use the Kerberos protocol or one of the other supported authentication methods: NTLM, basic authentication, or forms-based authentication. Entourage gives you no administrative control over which authentication method users choose. You should ask your users to choose Kerberos authentication if your organization's Exchange server uses it and their computer is connected to the corporate network. For more information about how to set up an Exchange account in Entourage, see Configuring Exchange accounts in Entourage 2008 in the Office 2008 Deployment section.
When you set up your account in Entourage, you must click Use Kerberos authentication, or, for all other types of authentication, click Use my account information. When you choose Kerberos authentication, the user, password, and domain text fields in the Use my account information section are disabled. The disabled fields serve as a visual cue that Kerberos authentication is mutually exclusive with the other available authentication methods. When Kerberos is enabled, it is used to attempt authentication against all of the servers related to the account, such as the HTTP (Exchange) and LDAP servers. When Kerberos is disabled in the account settings, Kerberos authentication is not attempted against any of the servers related to the account.
For new Exchange accounts, Kerberos is disabled by default, with None selected in the Kerberos ID pop-up menu. When you enable Kerberos, Entourage lets the user choose an existing Kerberos ID or create a new one. If the account is created by using auto-detect, the Kerberos ID pop-up menu is populated with the existing ID. Auto-detect attempts Kerberos against the account's servers if there is at least one Kerberos ticket in the Mac OS X credential cache or a _kerberos._tcp.<domain> SRV record for the domain is available from DNS. If auto-detect succeeds, the account's Kerberos ID pop-up menu is populated with the principal from the ticket. If auto-detect does not include a successful Kerberos authentication, the account's Kerberos setting is disabled and the Kerberos ID pop-up menu is set to None.
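The following is an added example, not Entourage's own code, of the two auto-detect preconditions described above: a ticket already in the credential cache, or a _kerberos._tcp.<domain> SRV record from DNS. It parses a DNS answer in the line format that `dig +short <name> SRV` prints (priority, weight, port, target) and applies the rule from the paragraph. The domain alpineskihouse.com, the principal name, the DNS answer and the cache contents are constructed for the example; the live `lookup_kdcs` helper only runs when `dig` is installed.

```python
"""Added example (not code from the Entourage documentation): Kerberos auto-detect
preconditions checked against constructed data."""
import re
import shutil
import subprocess

# One SRV answer line as dig +short prints it: "priority weight port target."
SRV_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

# Constructed sample data; on Mac OS X, `klist` shows the real credential cache and
# `dig +short _kerberos._tcp.alpineskihouse.com SRV` would return the real records.
DIG_ANSWER = """\
10 50 88 kdc2.alpineskihouse.com.
0 100 88 kdc1.alpineskihouse.com.
0 50 88 kdc3.alpineskihouse.com.
"""
CACHE = ["someone@ALPINESKIHOUSE.COM"]  # hypothetical principal already in the cache


def kdc_srv_name(domain: str) -> str:
    """DNS name to look up; the SRV owner name is the DNS domain in lowercase."""
    return "_kerberos._tcp." + domain.lower()


def parse_srv(answer: str) -> list:
    """Turn SRV answer lines into (host, port) pairs, lowest priority first.
    RFC 2782 chooses among equal priorities by weighted random selection; this
    example simplifies that to highest weight first so the order is stable."""
    rows = []
    for line in answer.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            rows.append((int(prio), -int(weight), target, int(port)))
    return [(target, port) for _, _, target, port in sorted(rows)]


def lookup_kdcs(domain: str) -> list:
    """Live variant of the DNS check; returns [] when dig is not installed."""
    if shutil.which("dig") is None:
        return []
    out = subprocess.run(["dig", "+short", kdc_srv_name(domain), "SRV"],
                         capture_output=True, text=True, timeout=10)
    return parse_srv(out.stdout)


def autodetect(domain: str, cached_principals: list, srv_answer: str) -> dict:
    """Apply the rule from the page: auto-detect is attempted when a ticket for the
    realm is cached or the SRV record resolves. The Kerberos ID pop-up is filled
    only from an existing ticket; with nothing to go on it stays None."""
    realm = domain.upper()  # realm names are conventionally the uppercase domain
    kdcs = parse_srv(srv_answer)
    ticket = next((p for p in cached_principals if p.endswith("@" + realm)), None)
    return {"realm": realm, "attempt": ticket is not None or bool(kdcs),
            "kerberos_id": ticket, "kdcs": kdcs}
```

`autodetect("alpineskihouse.com", CACHE, DIG_ANSWER)` reports a Kerberos ID to populate and three KDCs ordered kdc1, kdc3, kdc2; with an empty cache and an empty DNS answer it reports that no attempt is made and the ID stays None, which is the state the paragraph describes.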
To create a new Kerberos ID, provide the user name, password, and realm. A realm is another name for a domain; in an e-mail address, the domain is the part after the "@" symbol, so in the address "example@alpineskihouse.com" the domain is "alpineskihouse.com". In the Authenticate to Kerberos dialog box, in the Name field, type your account ID, which is usually the part of your e-mail address before the "@" symbol.
Note In the Realm field, you must type the domain name in all uppercase letters, such as ALPINESKIHOUSE.COM. Kerberos realm names are case-sensitive and are by convention the DNS domain name in uppercase; a realm typed in lowercase is a different realm and authentication will fail.
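The following is an added example, not code from the Entourage documentation or from Microsoft: a toy in-process model of the ticket exchange described in the Kerberos overview above, which also shows why the realm must be spelled exactly as the note requires. In Kerberos V5 the realm is part of the salt from which the user's long-term key is derived from the password, so a lowercase realm yields a different key and the client cannot open the KDC's reply. The HMAC-keystream cipher is a stand-in for a real Kerberos encryption type, the KDC and the mail server are simulated in one process, and the realm ALPINESKIHOUSE.COM, the principal "someone" and the password are hypothetical.

```python
"""Toy Kerberos AS exchange and authenticator check (added example; not code from
the Entourage documentation). The cipher, the in-process KDC and service, and the
principal 'someone@ALPINESKIHOUSE.COM' are all stand-ins."""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds; Kerberos tolerates about five minutes by default
REALM = "ALPINESKIHOUSE.COM"  # hypothetical realm, spelled in uppercase
PW = "correct horse battery"  # hypothetical password


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    # As in RFC 3962, the salt is the realm followed by the principal name, so the
    # realm's spelling, including its case, changes the derived long-term key.
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, data: dict) -> bytes:
    """Toy authenticated encryption: XOR with an HMAC keystream, then an HMAC tag."""
    nonce, plain = os.urandom(16), json.dumps(data).encode()
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Authentication server: holds every user's long-term key and the service's key."""

    def __init__(self, realm: str):
        self.realm, self.users = realm, {}
        self.service_key = os.urandom(32)  # long-term key of the mail server's principal

    def add_user(self, principal: str, password: str) -> None:
        self.users[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, principal: str, now: float, lifetime: float = 600.0):
        """AS reply: a ticket sealed under the service key (opaque to the client) and
        the session key sealed under the user's key. No password travels."""
        session_key = os.urandom(32).hex()
        ticket = encrypt(self.service_key, {"client": principal, "key": session_key, "expires": now + lifetime})
        enc_part = encrypt(self.users[principal], {"key": session_key, "expires": now + lifetime})
        return ticket, enc_part


def client_login(kdc: KDC, principal: str, password: str, realm: str, now: float):
    """Client side: only the right password, salted with the right realm, opens enc_part."""
    ticket, enc_part = kdc.as_exchange(principal, now)
    session_key = bytes.fromhex(decrypt(string_to_key(password, realm, principal), enc_part)["key"])
    return ticket, session_key


def authenticator(session_key: bytes, principal: str, now: float) -> bytes:
    """Fresh timestamp sealed under the session key; sent with the ticket on each request."""
    return encrypt(session_key, {"client": principal, "ts": now})


class Service:
    """Application server (the Exchange or LDAP host): verifies ticket and authenticator."""

    def __init__(self, service_key: bytes):
        self.service_key, self.seen = service_key, set()  # seen = replay cache

    def accept(self, ticket: bytes, auth: bytes, now: float) -> str:
        t = decrypt(self.service_key, ticket)
        if now > t["expires"]:
            raise PermissionError("ticket expired")
        a = decrypt(bytes.fromhex(t["key"]), auth)  # proves the sender holds the session key
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(now - a["ts"]) > CLOCK_SKEW:
            raise PermissionError("timestamp outside clock skew")
        if (a["client"], a["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return t["client"]


def _outcome(fn) -> str:
    try:
        fn()
        return "accepted"
    except (PermissionError, ValueError) as e:
        return str(e)


def demo() -> dict:
    """Run the exchange through its success and failure cases; returns outcome names."""
    kdc, now = KDC(REALM), 1_700_000_000.0
    kdc.add_user("someone", PW)
    mail = Service(kdc.service_key)
    ticket, skey = client_login(kdc, "someone", PW, REALM, now)
    auth = authenticator(skey, "someone", now)
    results = {"ok": mail.accept(ticket, auth, now)}
    results["replay"] = _outcome(lambda: mail.accept(ticket, auth, now + 1))
    results["stale"] = _outcome(lambda: mail.accept(ticket, authenticator(skey, "someone", now - 900), now))
    results["expired"] = _outcome(lambda: mail.accept(ticket, authenticator(skey, "someone", now + 700), now + 700))
    results["wrong_password"] = _outcome(lambda: client_login(kdc, "someone", "guess", REALM, now))
    results["lowercase_realm"] = _outcome(lambda: client_login(kdc, "someone", PW, REALM.lower(), now))
    return results
```

`demo()` returns the accepted principal for the normal case and a reason string for each failure: the same authenticator presented twice is caught by the replay cache, a timestamp 15 minutes old falls outside the clock skew, a request after the ticket's lifetime is refused, and both a wrong password and a realm typed in lowercase leave the client unable to decrypt the KDC's reply, which is the failure a user sees when the Realm field is not in uppercase.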
Kerberos authentication for administrators
Kerberos authentication might fail if the account's primary mailbox server does not support Kerberos or if the KDC is unavailable. To ensure that users can authenticate by using Kerberos, make sure the KDC is up and reachable so that users can obtain tickets for the different network services. In enterprise and mission-critical environments, administrators should run at least one additional KDC for failover; in an Active Directory domain, every domain controller provides the KDC service.
When Kerberos authentication fails, Entourage offers the other supported authentication mechanisms. The authentication methods available for Microsoft Exchange e-mail accounts can vary depending on whether authentication is performed on a front-end server or on a back-end server. For more information about the different authentication methods, see Authentication and security in the WebDAV environment in the Office 2008 Planning section.


