Kerberos authentication support in Windows Mail

Hello,

Does anybody know if Windows Mail has support for authenticating via
Kerberos with SMTP servers?

Specifically, my e-mail provider uses Kerberos (v4) to authenticate with the
outgoing mail server. When I try to send mail, the server responds with:

Error '530 5.7.1 Relaying is not permitted: <e-mail address hidden>'

and Windows Mail subsequently reports:

Error Number: 0x800CCC79

Based on the server error, it appears I can connect with my SMTP server, but
I cannot authenticate with it.

Currently I have installed MIT's Kerberos for Windows (v3.2.2) and I can
[manually] get the initial Ticket Granting Ticket (TGT), but it seems that I
cannot get a ticket from the SMTP server.

Any comments are appreciated.

Thanks.

I'm not familiar with that protocol. However, your mail provider
should be able to recommend mail clients that are compatible
with their mail server. If Outlook Express is one of their
recommendations, then Windows Mail should also work.

--
Gary VanderMolen [MS-MVP WLM]


"WaveRaider" <> wrote in message news:86A59984-109D-4A3F-AEF8-...
> Hello,
>
> Does anybody know if Windows Mail has support for authenticating via
> Kerberos with SMTP servers?
>
> Specifically, my e-mail provider uses Kerberos (v4) to authenticate with the
> outgoing mail server. When I try to send mail, the server responds with:
>
> Error '530 5.7.1 Relaying is not permitted: <e-mail address hidden>'
>
> and Windows Mail subsequently reports:
>
> Error Number: 0x800CCC79
>
> Based on the server error, it appears I can connect with my SMTP server, but
> I cannot authenticate with it.
>
> Currently I have installed MIT's Kerberos for Windows (v3.2.2) and I can
> [manually] get the initial Ticket Granting Ticket (TGT), but it seems that I
> cannot get a ticket from the SMTP server.
>
> Any comments are appreciated.
>
> Thanks.

"WaveRaider" <> wrote in message
news:86A59984-109D-4A3F-AEF8-...
> Hello,
>
> Does anybody know if Windows Mail has support for authenticating via
> Kerberos with SMTP servers?
>
> Specifically, my e-mail provider uses Kerberos (v4) to authenticate with
> the
> outgoing mail server. When I try to send mail, the server responds with:
>
> Error '530 5.7.1 Relaying is not permitted: <e-mail address hidden>'
>
> and Windows Mail subsequently reports:
>
> Error Number: 0x800CCC79
>
> Based on the server error, it appears I can connect with my SMTP server,
> but
> I cannot authenticate with it.
>
> Currently I have installed MIT's Kerberos for Windows (v3.2.2) and I can
> [manually] get the initial Ticket Granting Ticket (TGT), but it seems that
> I
> cannot get a ticket from the SMTP server.
>
> Any comments are appreciated.
>
> Thanks.

If it uses port 25, note that connections to port 25 that cross from one
internet provider's equipment to another's on the way to the server are
usually blocked to cause trouble for spammers.

Gary,

Thanks for your response.

My mail provider is actually my university, and they recommend using Mozilla
Thunderbird. The university also notes (in the Thunderbird setup procedure)
that if I'm sending e-mail from an off campus location (i.e. my IP address is
not on the university's local network) that I need to use another provider's
SMTP server. (My guess is that the SMTP server does not require
authentication if it sees the sender's IP is a local address.)

An interesting note is that some of my friends living off-campus use Outlook
2003, and have no problems using my university's SMTP server. (Indicating
that Outlook 2003 has support for Kerberos authentication). Unfortunately I
don't have Office Outlook.

"Gary VanderMolen" wrote:

> I'm not familiar with that protocol. However, your mail provider
> should be able to recommend mail clients that are compatible
> with their mail server. If Outlook Express is one of their
> recommendations, then Windows Mail should also work.
>
> --
> Gary VanderMolen [MS-MVP WLM]
>
>
> "WaveRaider" <> wrote in message news:86A59984-109D-4A3F-AEF8-...
> > Hello,
> >
> > Does anybody know if Windows Mail has support for authenticating via
> > Kerberos with SMTP servers?
> >
> > Specifically, my e-mail provider uses Kerberos (v4) to authenticate with the
> > outgoing mail server. When I try to send mail, the server responds with:
> >
> > Error '530 5.7.1 Relaying is not permitted: <e-mail address hidden>'
> >
> > and Windows Mail subsequently reports:
> >
> > Error Number: 0x800CCC79
> >
> > Based on the server error, it appears I can connect with my SMTP server, but
> > I cannot authenticate with it.
> >
> > Currently I have installed MIT's Kerberos for Windows (v3.2.2) and I can
> > [manually] get the initial Ticket Granting Ticket (TGT), but it seems that I
> > cannot get a ticket from the SMTP server.
> >
> > Any comments are appreciated.
> >
> > Thanks.
>

Robert,

Thanks for your response.

Other people I know use Outlook 2003 with the SMTP server in question (via
port 25), and they can send mail with no problems.

I also use Apple Mail with the same SMTP server on another computer with no
problems. I checked Apple Mail's settings and it uses port 25 to send mail
with Kerberos (v4) authentication to the SMTP server. So I don't think that
my ISP is blocking port 25 from their network to my mail provider's network.

"" wrote:

>
> "WaveRaider" <> wrote in message
> news:86A59984-109D-4A3F-AEF8-...
> > Hello,
> >
> > Does anybody know if Windows Mail has support for authenticating via
> > Kerberos with SMTP servers?
> >
> > Specifically, my e-mail provider uses Kerberos (v4) to authenticate with
> > the
> > outgoing mail server. When I try to send mail, the server responds with:
> >
> > Error '530 5.7.1 Relaying is not permitted: <e-mail address hidden>'
> >
> > and Windows Mail subsequently reports:
> >
> > Error Number: 0x800CCC79
> >
> > Based on the server error, it appears I can connect with my SMTP server,
> > but
> > I cannot authenticate with it.
> >
> > Currently I have installed MIT's Kerberos for Windows (v3.2.2) and I can
> > [manually] get the initial Ticket Granting Ticket (TGT), but it seems that
> > I
> > cannot get a ticket from the SMTP server.
> >
> > Any comments are appreciated.
> >
> > Thanks.
>
> If it uses port 25, note that connections to port 25 that cross from one
> internet provider's equipment to another's on the way to the server are
> usually blocked to cause trouble for spammers.
>
>
>

I also have Outlook 2003. Do you have the step-by-step procedure
for setting it up in Outlook? If so, I may be able to figure out the
equivalent Windows Mail settings.

Alternatively, you can use a different SMTP server, such as the one
from your home ISP. Most do not bother to check the IP address of
the originator; they control access by means of username/password
credentials.
--
Gary VanderMolen [MS-MVP WLM]


"WaveRaider" <> wrote in message news:227FCA4D-196B-41F5-8A0F-...
> Gary,
>
> Thanks for your response.
>
> My mail provider is actually my university, and they recommend using Mozilla
> Thunderbird. The university also notes (in the Thunderbird setup procedure)
> that if I'm sending e-mail from an off campus location (i.e. my IP address is
> not on the university's local network) that I need to use another provider's
> SMTP server. (My guess is that the SMTP server does not require
> authentication if it sees the sender's IP is a local address.)
>
> An interesting note is that some of my friends living off-campus use Outlook
> 2003, and have no problems using my university's SMTP server. (Indicating
> that Outlook 2003 has support for Kerberos authentication). Unfortunately I
> don't have Office Outlook.
>
> "Gary VanderMolen" wrote:
>
>> I'm not familiar with that protocol. However, your mail provider
>> should be able to recommend mail clients that are compatible
>> with their mail server. If Outlook Express is one of their
>> recommendations, then Windows Mail should also work.
>>
>> --
>> Gary VanderMolen [MS-MVP WLM]
>>
>>
>> "WaveRaider" <> wrote in message news:86A59984-109D-4A3F-AEF8-...
>> > Hello,
>> >
>> > Does anybody know if Windows Mail has support for authenticating via
>> > Kerberos with SMTP servers?
>> >
>> > Specifically, my e-mail provider uses Kerberos (v4) to authenticate with the
>> > outgoing mail server. When I try to send mail, the server responds with:
>> >
>> > Error '530 5.7.1 Relaying is not permitted: <e-mail address hidden>'
>> >
>> > and Windows Mail subsequently reports:
>> >
>> > Error Number: 0x800CCC79
>> >
>> > Based on the server error, it appears I can connect with my SMTP server, but
>> > I cannot authenticate with it.
>> >
>> > Currently I have installed MIT's Kerberos for Windows (v3.2.2) and I can
>> > [manually] get the initial Ticket Granting Ticket (TGT), but it seems that I
>> > cannot get a ticket from the SMTP server.
>> >
>> > Any comments are appreciated.
>> >
>> > Thanks.

Gary,

I did a little poking around my SMTP server, and found out that Outlook 2003
actually produces the same behavior as Windows Mail.

One important thing that I didn't try with my friend's Outlook 2003 client
was to send an e-mail to a non-local domain (i.e. for example Gmail). In my
initial test I sent an e-mail to my university account and it worked. Later,
I tried sending a message to my Gmail account using the university's SMTP
server and it failed.

It appears that my university has some interesting SMTP settings, where the
server will accept the outgoing message if it is destined for a local
address, and the from field of the e-mail also contains a valid university
account. Thus, I can send any e-mails locally using my university's server,
but cannot send e-mails to remote domains with the university's SMTP server
(unless I'm on campus).

So, I'll probably have to take your advise, and use another SMTP server to
send my e-mails.

Thanks for all your help.

"Gary VanderMolen" wrote:

> I also have Outlook 2003. Do you have the step-by-step procedure
> for setting it up in Outlook? If so, I may be able to figure out the
> equivalent Windows Mail settings.
>
> Alternatively, you can use a different SMTP server, such as the one
> from your home ISP. Most do not bother to check the IP address of
> the originator; they control access by means of username/password
> credentials.
> --
> Gary VanderMolen [MS-MVP WLM]
>
>
> "WaveRaider" <> wrote in message news:227FCA4D-196B-41F5-8A0F-...
> > Gary,
> >
> > Thanks for your response.
> >
> > My mail provider is actually my university, and they recommend using Mozilla
> > Thunderbird. The university also notes (in the Thunderbird setup procedure)
> > that if I'm sending e-mail from an off campus location (i.e. my IP address is
> > not on the university's local network) that I need to use another provider's
> > SMTP server. (My guess is that the SMTP server does not require
> > authentication if it sees the sender's IP is a local address.)
> >
> > An interesting note is that some of my friends living off-campus use Outlook
> > 2003, and have no problems using my university's SMTP server. (Indicating
> > that Outlook 2003 has support for Kerberos authentication). Unfortunately I
> > don't have Office Outlook.
> >
> > "Gary VanderMolen" wrote:
> >
> >> I'm not familiar with that protocol. However, your mail provider
> >> should be able to recommend mail clients that are compatible
> >> with their mail server. If Outlook Express is one of their
> >> recommendations, then Windows Mail should also work.
> >>
> >> --
> >> Gary VanderMolen [MS-MVP WLM]
> >>
> >>
> >> "WaveRaider" <> wrote in message news:86A59984-109D-4A3F-AEF8-...
> >> > Hello,
> >> >
> >> > Does anybody know if Windows Mail has support for authenticating via
> >> > Kerberos with SMTP servers?
> >> >
> >> > Specifically, my e-mail provider uses Kerberos (v4) to authenticate with the
> >> > outgoing mail server. When I try to send mail, the server responds with:
> >> >
> >> > Error '530 5.7.1 Relaying is not permitted: <e-mail address hidden>'
> >> >
> >> > and Windows Mail subsequently reports:
> >> >
> >> > Error Number: 0x800CCC79
> >> >
> >> > Based on the server error, it appears I can connect with my SMTP server, but
> >> > I cannot authenticate with it.
> >> >
> >> > Currently I have installed MIT's Kerberos for Windows (v3.2.2) and I can
> >> > [manually] get the initial Ticket Granting Ticket (TGT), but it seems that I
> >> > cannot get a ticket from the SMTP server.
> >> >
> >> > Any comments are appreciated.
> >> >
> >> > Thanks.
>
>

Thanks for your feedback.

--
Gary VanderMolen [MS-MVP WLM]


"WaveRaider" <> wrote in message news:0D46AB30-11D6-4CB9-9A48-...
> Gary,
>
> I did a little poking around my SMTP server, and found out that Outlook 2003
> actually produces the same behavior as Windows Mail.
>
> One important thing that I didn't try with my friend's Outlook 2003 client
> was to send an e-mail to a non-local domain (i.e. for example Gmail). In my
> initial test I sent an e-mail to my university account and it worked. Later,
> I tried sending a message to my Gmail account using the university's SMTP
> server and it failed.
>
> It appears that my university has some interesting SMTP settings, where the
> server will accept the outgoing message if it is destined for a local
> address, and the from field of the e-mail also contains a valid university
> account. Thus, I can send any e-mails locally using my university's server,
> but cannot send e-mails to remote domains with the university's SMTP server
> (unless I'm on campus).
>
> So, I'll probably have to take your advise, and use another SMTP server to
> send my e-mails.
>
> Thanks for all your help.
>
> "Gary VanderMolen" wrote:
>
>> I also have Outlook 2003. Do you have the step-by-step procedure
>> for setting it up in Outlook? If so, I may be able to figure out the
>> equivalent Windows Mail settings.
>>
>> Alternatively, you can use a different SMTP server, such as the one
>> from your home ISP. Most do not bother to check the IP address of
>> the originator; they control access by means of username/password
>> credentials.
>> --
>> Gary VanderMolen [MS-MVP WLM]
>>
>>
>> "WaveRaider" <> wrote in message news:227FCA4D-196B-41F5-8A0F-...
>> > Gary,
>> >
>> > Thanks for your response.
>> >
>> > My mail provider is actually my university, and they recommend using Mozilla
>> > Thunderbird. The university also notes (in the Thunderbird setup procedure)
>> > that if I'm sending e-mail from an off campus location (i.e. my IP address is
>> > not on the university's local network) that I need to use another provider's
>> > SMTP server. (My guess is that the SMTP server does not require
>> > authentication if it sees the sender's IP is a local address.)
>> >
>> > An interesting note is that some of my friends living off-campus use Outlook
>> > 2003, and have no problems using my university's SMTP server. (Indicating
>> > that Outlook 2003 has support for Kerberos authentication). Unfortunately I
>> > don't have Office Outlook.
>> >
>> > "Gary VanderMolen" wrote:
>> >
>> >> I'm not familiar with that protocol. However, your mail provider
>> >> should be able to recommend mail clients that are compatible
>> >> with their mail server. If Outlook Express is one of their
>> >> recommendations, then Windows Mail should also work.
>> >>
>> >> --
>> >> Gary VanderMolen [MS-MVP WLM]
>> >>
>> >>
>> >> "WaveRaider" <> wrote in message
>> >> news:86A59984-109D-4A3F-AEF8-...
>> >> > Hello,
>> >> >
>> >> > Does anybody know if Windows Mail has support for authenticating via
>> >> > Kerberos with SMTP servers?
>> >> >
>> >> > Specifically, my e-mail provider uses Kerberos (v4) to authenticate with the
>> >> > outgoing mail server. When I try to send mail, the server responds with:
>> >> >
>> >> > Error '530 5.7.1 Relaying is not permitted: <e-mail address hidden>'
>> >> >
>> >> > and Windows Mail subsequently reports:
>> >> >
>> >> > Error Number: 0x800CCC79
>> >> >
>> >> > Based on the server error, it appears I can connect with my SMTP server, but
>> >> > I cannot authenticate with it.
>> >> >
>> >> > Currently I have installed MIT's Kerberos for Windows (v3.2.2) and I can
>> >> > [manually] get the initial Ticket Granting Ticket (TGT), but it seems that I
>> >> > cannot get a ticket from the SMTP server.
>> >> >
>> >> > Any comments are appreciated.
>> >> >
>> >> > Thanks.
>>
>>

Kerberos (v4) authentication is supported in Windows Mail, as long as the
server you're connecting to advertises it as a service. (I'm actually not
sure if the mail server explicitly advertises the authentication service, or
if Windows Mail has some different procedure for detecting the availability
of this service. Please see my explanation below for more detail).

To have Windows Mail use this authentication, enable the 'Logon using Secure
Password Authentication (SPA)' option in the Servers tab for a specific
e-mail account within Windows Mail.

In my case, my mail provider uses simple password authentication for the
IMAP portion of the e-mail server, and uses Kerberos (v4) for the SMTP
portion of the server. What is unique about my situation is that the IMAP
server does seem to advertise this service, because when I turn on SPA for my
IMAP account, Windows Mail comes back with a KERBEROS_V4 error message
(indicating that Windows Mail at least recognizes this protocol). In my
situation, this is the correct behavior since the IMAP server is supposed to
use simple password authentication but also advertises the Kerberos (v4)
method, too. (Even though it doesn't accept Kerberos for authentication
purposes).

The even bigger question in my case is why doesn't my SMTP server advertise
this service? Some other e-mail clients allow the user to explicitly select
how to authenticate with each server, and thus on other platforms I can tell
the e-mail client how to authenticate. Unfortunately, it doesn't seem that
Windows Mail has this level of detail.

I hope this helps, and if anyone has a more precise explanation of what's
going on, please post it. Thank You.

Also, if you are experiencing Kerberos related authentication problems, you
may need to install Windows Authentication services.
This can be done by going into the Programs and Features control panel item,
and then selecting the 'Turn Windows features on or off' item. The Windows
Authentication feature can then be found in: Internet Information Services
--> World Wide Web Services --> Security. Check the box for Windows
Authentication to use this feature.

Thanks, interesting stuff.

--
Gary VanderMolen [MS-MVP WLM]


"WaveRaider" <> wrote in message news:3516D10C-CAF7-4A62-A728-...
> Kerberos (v4) authentication is supported in Windows Mail, as long as the
> server you're connecting to advertises it as a service. (I'm actually not
> sure if the mail server explicitly advertises the authentication service, or
> if Windows Mail has some different procedure for detecting the availability
> of this service. Please see my explanation below for more detail).
>
> To have Windows Mail use this authentication, enable the 'Logon using Secure
> Password Authentication (SPA)' option in the Servers tab for a specific
> e-mail account within Windows Mail.
>
> In my case, my mail provider uses simple password authentication for the
> IMAP portion of the e-mail server, and uses Kerberos (v4) for the SMTP
> portion of the server. What is unique about my situation is that the IMAP
> server does seem to advertise this service, because when I turn on SPA for my
> IMAP account, Windows Mail comes back with a KERBEROS_V4 error message
> (indicating that Windows Mail at least recognizes this protocol). In my
> situation, this is the correct behavior since the IMAP server is supposed to
> use simple password authentication but also advertises the Kerberos (v4)
> method, too. (Even though it doesn't accept Kerberos for authentication
> purposes).
>
> The even bigger question in my case is why doesn't my SMTP server advertise
> this service? Some other e-mail clients allow the user to explicitly select
> how to authenticate with each server, and thus on other platforms I can tell
> the e-mail client how to authenticate. Unfortunately, it doesn't seem that
> Windows Mail has this level of detail.
>
> I hope this helps, and if anyone has a more precise explanation of what's
> going on, please post it. Thank You.
>
> Also, if you are experiencing Kerberos related authentication problems, you
> may need to install Windows Authentication services.
> This can be done by going into the Programs and Features control panel item,
> and then selecting the 'Turn Windows features on or off' item. The Windows
> Authentication feature can then be found in: Internet Information Services
> --> World Wide Web Services --> Security. Check the box for Windows
> Authentication to use this feature.