Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- Subject: Re: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
- From: Boyd Fletcher <email@hidden>
- Date: Wed, 09 Jan 2008 11:10:02 -0500
- Thread-topic: [Fed-Talk] MS Mac Office 2008 and CAC-enabled WebMail
yep. but the more the merrier :)
On 1/9/08 10:52 AM, "Timothy J. Miller" <email@hidden> wrote:
> Are you going to try for a DCR?
>
> -- Tim
>
> On Jan 9, 2008, at 7:41 AM, Boyd Fletcher wrote:
>
>> got another update from Microsoft:
>>
>> Entourage 2004 and 2008 do not support authentication (for Exchange
>> mailbox access) requiring client side certificate, period. It does not
>> matter if that certificate is on your own system (in the certificate
>> store, i.e. Keychain on a Mac OS system) or on a smart card as client
>> certificate is not supported for authentication in the first place.
>>
>>
>> My recommendation is that if you need this support that you open up a
>> fix or a design change request (DCR) with Microsoft using your
>> Technical Account Manager.
>>
>> boyd
>>
>>
>>
>> On 1/8/08 2:23 PM, "Boyd Fletcher" <email@hidden> wrote:
>>
>>> After chatting with MS today I found out that neither Entourage 2004
>>> nor 2008 uses RPC over HTTPS. They only use WebDAV. Outlook uses
>>> RPC/HTTPS.
>>>
>>> They are looking into whether or not Entourage 2008 will work with
>>> CAC enabled OWA.
>>>
>>> boyd
>>>
>>>
>>>
>>>
>>>
>>> On 1/7/08 11:17 AM, "Timothy J. Miller" <email@hidden> wrote:
>>>
>>>> On Jan 7, 2008, at 9:42 AM, Boyd Fletcher wrote:
>>>>
>>>>> safari works fine once Apple fixes the SCR-331/Oberthur issue in
>>>>> Leopard.
>>>>>
>>>>> I think the simple solution is for MS Entourage 2008 to just prompt
>>>>> for the CAC if it is connecting over HTTPS and the server requests
>>>>> the certificate. this would be the correct behavior.
>>>>
>>>> That would work if OWA was using the HTTPS authentication to
>>>> impersonate you, but it isn't in this case. For RPC/HTTP, the HTTPS
>>>> wrapper serves only to protect the RPC traffic, and it's RPC that's
>>>> actually authenticating you to the Exchange server. Slapping client
>>>> auth on the HTTPS end won't authenticate you to Exchange.
>>>>
>>>> Access through OWA using a browser is completely different from
>>>> access through OWA using a mail client (Outlook or Entourage). With
>>>> the browser, the OWA front-end server is technically the mail
>>>> client, and it uses RPC to the Exchange server on your behalf (using
>>>> a delegated Kerberos ticket). With the mail client, the RPC between
>>>> the client and the Exchange server is the same as if you were
>>>> sitting at your desk, only it's encapsulated in HTTPS to cross the
>>>> network boundary "safely."
>>>>
>>>> If you could figure out how to obtain Kerberos tickets remotely,
>>>> then RPC/HTTPS + CAC authentication would work just like sitting at
>>>> your desk inside the firewall. The problem is that allowing remote
>>>> users access to a domain controller from *outside* the firewall so
>>>> that they can get their Kerberos tickets is a really *really* bad
>>>> idea.
>>>>
>>>> -- Tim
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>> 40je.jfcom.mil
>>>
>>> This email sent to email@hidden
>>
>