Use this topic as a checklist to correctly configure Mail Express so that Internal users can authenticate with the Mail Express Server using integrated Windows Authentication. The benefits of using Windows Authentication as it pertains to Mail Express include:
The Add-In does not need to store any credentials for authenticating, which is more secure.
Aside from ensuring that each user has a domain account, an organization does not need to create and maintain additional credentials for each Mail Express user.
The credentials are not passed between the Add-In and the Mail Express Server, which is more secure.
To configure Mail Express for Windows (Kerberos) authentication
To configure the Mail Express Server to use Windows Authentication, launch the Mail Express Administration Web Site and navigate to the Active Directory page. Complete Active Directory Configuration as it pertains to your environment.
After configuring the settings on the Active Directory page, make sure that the settings are accurate by completing the Test Configuration fields (Test username, Test user password, and Confirm test user password) and clicking Test. Be sure to click Save to save your settings before leaving the page.
If the Active Directory settings test was successful, then proceed to the Internal Settings page, select the Enable Single Sign On (Kerberos) check box, complete the Single Sign On fields, then click Save. (Refer to Configuring the Add-In and Internal Portal for details of configuring Single Sign On.)
Why do I need an SPN? According to Microsoft Technet, "A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host."
Using the Windows "setspn" utility, create the Service Principal Name (SPN), which is necessary for Kerberos to function correctly for Mail Express. The SPN is a name by which the Add-In can uniquely identify the Mail Express Server service. The SPN will be associated with the Active Directory domain account used in the KDC pre-auth username field of the Mail Express Server Kerberos Configuration.
The “setspn” utility is typically installed by default on Active Directory server computers. The command must be run using an account with Active Directory administration rights. Typically it is easiest to perform these steps on the domain’s primary Active Directory server.
To create the SPNs, execute the following at a command prompt:
setspn -A HTTP/<MailExpressServerHostName> <PreAuthUsername>
setspn -A HTTP/<MailExpressServerFullyQualifiedHostName> <PreAuthUsername>
setspn -A HTTP/<URL> <PreAuthUsername>
Where:
<MailExpressServerHostName> is the host name of the computer running the Mail Express Server; the host name that workstations would use internally to communicate with the Mail Express Server computer.
<MailExpressServerFullyQualifiedHostName> is the fully qualified host name of the computer running the Mail Express Server; the full host name that workstations would use internally to communicate with the Mail Express Server computer.
<PreAuthUsername> is the username of the Active Directory domain account used in the "KDC pre-auth username" field of the Mail Express Server Kerberos Configuration.
<URL> is the address to which the Add-In will connect.
Do not type "HTTP://" -- the proper prefix is "HTTP/". For example, type:
setspn -A HTTP/meserver mepreauthuser
setspn -A HTTP/meserver.globalscape.com mepreauthuser
These SPNs should work regardless of the account the Mail Express Server Windows Service is running as.
If duplicate SPNs exist (meaning multiple domain accounts with the same HTTP/<SPN>), then Kerberos will not work correctly. Once the SPN has been associated with the Kerberos Pre-Auth Account used by the Mail Express Server to participate in Kerberos Authentication, you can double-check for duplicate SPNs on the domain using the command: setspn -X.
To verify that the SPNs were created successfully, run the following command, substituting the Kerberos pre-auth user account for <PreAuthUsername>:
setspn -l <PreAuthUsername>
(Note: The switch is a lower-cased letter L, not the number one.)
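As an added verification step that is not part of the Mail Express documentation, the following PowerShell script uses the Active Directory module (RSAT) to check that each expected Mail Express SPN is registered exactly once and on the pre-auth account, catching both the missing-SPN and the duplicate-SPN cases described above. The host names and account name are placeholders taken from the examples above; replace them with your own values.

```powershell
# Added example (not Globalscape's code): verify the Mail Express SPNs in Active Directory.
# Assumes the ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$PreAuthUser = 'mepreauthuser'                             # "KDC pre-auth username" account (placeholder)
$HostNames   = @('meserver', 'meserver.globalscape.com')   # short and fully qualified host names (placeholders)
$Expected    = $HostNames | ForEach-Object { "HTTP/$_" }  # note the prefix is HTTP/, not HTTP://

$ok = $true
foreach ($spn in $Expected) {
    # Find every account that carries this SPN. More than one holder is a duplicate,
    # which prevents Kerberos from issuing a usable ticket for the service.
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties samAccountName
    $accounts = @($holders | ForEach-Object { $_.samAccountName })

    if ($accounts.Count -eq 0) {
        Write-Warning "$spn is not registered. Register it with: setspn -A $spn $PreAuthUser"
        $ok = $false
    } elseif ($accounts.Count -gt 1) {
        Write-Warning "$spn is duplicated on: $($accounts -join ', '). Remove it from every account except $PreAuthUser (setspn -D)."
        $ok = $false
    } elseif ($accounts[0] -ne $PreAuthUser) {
        Write-Warning "$spn is registered on $($accounts[0]) instead of $PreAuthUser."
        $ok = $false
    } else {
        Write-Host "OK: $spn -> $PreAuthUser"
    }
}

if ($ok) { Write-Host 'All Mail Express SPNs are registered once, on the pre-auth account.' } else { exit 1 }
```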
When the Outlook Add-In is installed, end users can choose between Windows or Manual Authentication. If Windows Authentication is specified, the Service Principal Name created earlier must be specified. For instance, if a Service Principal Name was created with the command "setspn -A HTTP/meserver mepreauthuser" then type HTTP/meserver in the Service Principal Name field of the installation wizard. Again, ensure you use the prefix "HTTP/" and not "HTTP://".
If the Outlook Add-In is installed silently, then the SPN must be provided as an installation parameter. The installation parameter name is "SERVICEPRINCIPALNAME."
If the Outlook Add-In has already been installed using alternate authentication settings, then the settings can be changed after installation by doing one of the following:
Updating the Service Principal Name (SPN) in the Add-In’s General Configuration.
Re-running the installation in silent mode and specifying a different value for the SERVICEPRINCIPALNAME installation parameter.
Changing the ServicePrincipalName registry setting directly and then restarting Outlook. This registry setting resides under the following registry key:
HKEY_CURRENT_USER\Software\GlobalSCAPE\Mail Express Outlook Addin\Settings