Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- Subject: Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 7 Jan 2008 10:17:28 -0600
On Jan 7, 2008, at 9:42 AM, Boyd Fletcher wrote:
> Safari works fine once Apple fixes the SCR-331/Oberthur issue in
> Leopard.
>
> I think the simple solution is for MS Entourage 2008 to just prompt
> for the CAC if it is connecting over HTTPS and the server requests the
> certificate. This would be the correct behavior.
That would work if OWA was using the HTTPS authentication to
impersonate you, but it isn't in this case. For RPC/HTTP, the HTTPS
wrapper serves only to protect the RPC traffic, and it's RPC that's
actually authenticating you to the Exchange server. Slapping client
auth on the HTTPS end won't authenticate you to Exchange.
Access through OWA using a browser is completely different from
access through OWA using a mail client (Outlook or Entourage). With
the browser, the OWA front-end server is technically the mail client,
and it uses RPC to the Exchange server on your behalf (using a
delegated Kerberos ticket). With the mail client, the RPC between
the client and the Exchange server is the same as if you were sitting
at your desk, only it's encapsulated in HTTPS to cross the network
boundary "safely."
If you could figure out how to obtain Kerberos tickets remotely, then
RPC/HTTPS + CAC authentication would work just like sitting at your
desk inside the firewall. The problem is that allowing remote users
access to a domain controller from *outside* the firewall so that
they can get their Kerberos tickets is a really *really* bad idea.
-- Tim