Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- Subject: Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- From: Boyd Fletcher <email@hidden>
- Date: Wed, 09 Jan 2008 08:41:49 -0500
- Thread-topic: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
got another update from Microsoft:
Entourage 2004 and 2008 do not support authentication (for Exchange mailbox
access) requiring a client-side certificate, period. It does not matter whether
that certificate is on your own system (in the certificate store, i.e. the
Keychain on a Mac OS system) or on a smart card, as client certificates are not
supported for authentication in the first place.
My recommendation is that if you need this support that you open up a fix or
a design change request (DCR) with Microsoft using your Technical Account
Manager.
boyd
On 1/8/08 2:23 PM, "Boyd Fletcher" <email@hidden> wrote:
> After chatting with MS today I found out that neither Entourage 2004 nor
> 2008 uses RPC over HTTPS. They only use WebDAV. Outlook uses RPC/HTTPS.
>
> They are looking into whether or not Entourage 2008 will work with CAC
> enabled OWA.
>
> boyd
>
> On 1/7/08 11:17 AM, "Timothy J. Miller" <email@hidden> wrote:
>
>> On Jan 7, 2008, at 9:42 AM, Boyd Fletcher wrote:
>>
>>> Safari works fine once Apple fixes the SCR-331/Oberthur issue in
>>> Leopard.
>>>
>>> I think the simple solution is for MS Entourage 2008 to just prompt
>>> for the CAC if it is connecting over HTTPS and the server requests the
>>> certificate. This would be the correct behavior.
>>
>> That would work if OWA was using the HTTPS authentication to
>> impersonate you, but it isn't in this case. For RPC/HTTP, the HTTPS
>> wrapper serves only to protect the RPC traffic, and it's RPC that's
>> actually authenticating you to the Exchange server. Slapping client
>> auth on the HTTPS end won't authenticate you to Exchange.
>>
>> Access through OWA using a browser is completely different from
>> access through OWA using a mail client (Outlook or Entourage). With
>> the browser, the OWA front-end server is technically the mail client,
>> and it uses RPC to the Exchange server on your behalf (using a
>> delegated Kerberos ticket). With the mail client, the RPC between
>> the client and the Exchange server is the same as if you were sitting
>> at your desk, only it's encapsulated in HTTPS to cross the network
>> boundary "safely."
>>
>> If you could figure out how to obtain Kerberos tickets remotely, then
>> RPC/HTTPS + CAC authentication would work just like sitting at your
>> desk inside the firewall. The problem is that allowing remote users
>> access to a domain controller from *outside* the firewall so that
>> they can get their Kerberos tickets is a really *really* bad idea.
>>
>> -- Tim
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden