Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- Subject: Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- From: Boyd Fletcher <email@hidden>
- Date: Tue, 08 Jan 2008 14:23:29 -0500
- Thread-topic: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
After chatting with MS today I found out that neither Entourage 2004 nor
2008 uses RPC over HTTPS. They only use WebDAV. Outlook uses RPC/HTTPS.
They are looking into whether or not Entourage 2008 will work with
CAC-enabled OWA.
boyd
On 1/7/08 11:17 AM, "Timothy J. Miller" <email@hidden> wrote:
> On Jan 7, 2008, at 9:42 AM, Boyd Fletcher wrote:
>
>> Safari works fine once Apple fixes the SCR-331/Oberthur issue in
>> Leopard.
>>
>> I think the simple solution is for MS Entourage 2008 to just prompt
>> for the CAC if it is connecting over HTTPS and the server requests the
>> certificate. This would be the correct behavior.
>
> That would work if OWA was using the HTTPS authentication to
> impersonate you, but it isn't in this case. For RPC/HTTP, the HTTPS
> wrapper serves only to protect the RPC traffic, and it's RPC that's
> actually authenticating you to the Exchange server. Slapping client
> auth on the HTTPS end won't authenticate you to Exchange.
>
> Access through OWA using a browser is completely different from
> access through OWA using a mail client (Outlook or Entourage). With
> the browser, the OWA front-end server is technically the mail client,
> and it uses RPC to the Exchange server on your behalf (using a
> delegated Kerberos ticket). With the mail client, the RPC between
> the client and the Exchange server is the same as if you were sitting
> at your desk, only it's encapsulated in HTTPS to cross the network
> boundary "safely."
>
> If you could figure out how to obtain Kerberos tickets remotely, then
> RPC/HTTPS + CAC authentication would work just like sitting at your
> desk inside the firewall. The problem is that allowing remote users
> access to a domain controller from *outside* the firewall so that
> they can get their Kerberos tickets is a really *really* bad idea.
>
> -- Tim
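Boyd's proposal hinges on one observable fact: whether the HTTPS front end actually sends a TLS CertificateRequest (and which issuing CAs it will accept). The helper below is an added example, not code from the thread, from Microsoft or from Apple. It classifies a captured `openssl s_client` transcript, assuming the marker lines that s_client prints after the handshake ("Acceptable client certificate CA names", "Client Certificate Types:", "Requested Signature Algorithms:"); the host name `owa.example.gov` and the three sample transcripts are constructed placeholders. As Tim points out, a positive result says only what the TLS wrapper demands; for RPC/HTTPS it tells you nothing about whether the RPC inside is authenticated to Exchange.

```shell
#!/bin/sh
# Added example (not from the thread). Classify an `openssl s_client`
# transcript by whether the server asked for a client certificate.
# Capture a transcript against your own front end with (placeholder host):
#   openssl s_client -connect owa.example.gov:443 -servername owa.example.gov \
#       </dev/null 2>&1 > transcript.txt
# The marker lines matched below are assumed to be those s_client prints
# after the handshake; the thread itself does not describe this output.

# Usage: classify_client_cert_request < transcript
# Prints "requested" if a TLS CertificateRequest was seen, else "not-requested".
classify_client_cert_request() {
    transcript=$(cat)
    # Server sent a CA list with its CertificateRequest (typical for TLS 1.2).
    if printf '%s\n' "$transcript" | grep -q '^Acceptable client certificate CA names'; then
        echo requested
    # CertificateRequest without CA names (common with TLS 1.3): s_client
    # still reports the certificate types or signature algorithms it received.
    elif printf '%s\n' "$transcript" | grep -q \
            -e '^Client Certificate Types:' \
            -e '^Requested Signature Algorithms:'; then
        echo requested
    else
        echo not-requested
    fi
}

# Usage: list_accepted_cas < transcript
# Prints the issuer names the server will accept, one per line; s_client
# prints them in one-line /C=../O=.. form directly after the marker.
list_accepted_cas() {
    awk '/^Acceptable client certificate CA names/ { f = 1; next }
         f && !/^\// { exit }
         f'
}

# Constructed, abridged sample transcripts (not real server output).
SAMPLE_CA_LIST=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = owa.example.gov
   i:C = XX, O = Example Agency, CN = Example Issuing CA 1
---
Acceptable client certificate CA names
/C=XX/O=Example Agency/CN=Example Issuing CA 1
/C=XX/O=Example Agency/CN=Example Issuing CA 2
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 3072 bytes and written 512 bytes
EOF
)

SAMPLE_TLS13=$(cat <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---
SSL handshake has read 2048 bytes and written 400 bytes
EOF
)

SAMPLE_NO_REQUEST=$(cat <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
Peer signing digest: SHA256
---
SSL handshake has read 1800 bytes and written 380 bytes
EOF
)

# Demo run over the constructed samples.
for s in "$SAMPLE_CA_LIST" "$SAMPLE_TLS13" "$SAMPLE_NO_REQUEST"; do
    printf '%s\n' "$s" | classify_client_cert_request
done
printf '%s\n' "$SAMPLE_CA_LIST" | list_accepted_cas
```

To use it against a live front end, source the file and pipe a real transcript into `classify_client_cert_request`; if it reports "requested", `list_accepted_cas` shows whether the CA that issued the CAC certificates is among the names the server advertises, which is the part an administrator can actually verify from outside.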