
shibboleth-dev - Re: Shibboleth and MS Exchange

  • From: Will Norris <>
  • To:
  • Subject: Re: Shibboleth and MS Exchange
  • Date: Fri, 16 Sep 2005 09:37:04 -0500

On Sep 14, 2005, at 7:55 PM, james sankar wrote:
One requirement is to shibbolise our mail server that is based on MS Exchange so that our staff can get access to web-based email using their single sign on LDAP password. Has anyone done this and if so is any documentation or good advice available?


I don't think Walter would mind me copying this in -- it is an excerpt from an email explaining what we've discovered here at the University of Memphis in our attempts to shibbolize OWA. This email was forwarded to a few key people at Microsoft (2 months ago) but as Steven said, we've not heard anything back. Perhaps someone could try pinging MS again? I've been working on other shib projects while waiting to hear from them, but may try going at it again before too long... would love to brainstorm any ideas anyone else may have.

From: Walter Hoehn
<>
Date: July 15, 2005 4:25:59 PM CDT

I'm no expert on MS technologies, but I've done a bit of research trying to determine if it is possible to integrate Shibboleth with OWA. Two vendors, at least, advertise that their SSO systems do work with OWA. RSA specifically mentions in their documentation that they implement this functionality using MS's Kerberos protocol transition and constrained delegation features. These features allow a specified user or computer to impersonate a Kerberos principal (obtain service tickets) without doing a proper Kerberos authentication (getting a TGT). This is used to gateway third party authentication systems to MS's Kerberos-enabled services (Cool!). We've set up a test environment and have been able to get both of these features to work so that a Shibboleth-protected ASP page can do queries against MS-SQL as the user in the Shibboleth session. With OWA, however, it isn't quite as simple. The code that initializes the Exchange/OWA session is inside a .dll and it isn't clear what we need to do to hook in and crank up the session ourselves. To make a long story short, I think it is possible, but I've hit a brick wall and don't think I can get this to work without some help.



--
Will Norris
Information Technology
The University of Memphis
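Walter's excerpt describes a gateway account that holds both protocol transition and constrained delegation rights, which is exactly the configuration worth auditing, since such an account can obtain service tickets for any user without that user ever presenting a TGT. The following is an added example, not code from this thread or from any of the parties in it; it assumes the RSAT ActiveDirectory module, read access to the domain, and a hypothetical gateway account name and expected SPN list that you would replace with your own.

```powershell
# Added audit example (not from the thread). Lists every AD user or computer
# configured for Kerberos protocol transition ("use any authentication protocol",
# the setting that lets a gateway obtain service tickets for a user who never
# presented a TGT) or for unconstrained delegation, with the SPNs it may delegate
# to, and flags targets beyond the documented list. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

# userAccountControl bits, as documented in the AD schema
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)
$bitAnd = '1.2.840.113556.1.4.803'           # LDAP_MATCHING_RULE_BIT_AND

$filter = "(|(userAccountControl:${bitAnd}:=$TRUSTED_FOR_DELEGATION)" +
          "(userAccountControl:${bitAnd}:=$TRUSTED_TO_AUTH_FOR_DELEGATION))"

# Hypothetical expected configuration for a gateway like the one in the thread:
# one computer account allowed to reach only the SQL service it was built for.
$expected = @{ 'shib-gateway$' = @('MSSQLSvc/sqlhost.example.edu:1433') }

$report = Get-ADObject -LDAPFilter $filter `
              -Properties userAccountControl, 'msDS-AllowedToDelegateTo', sAMAccountName |
  ForEach-Object {
    $obj     = $_
    $uac     = [int]$obj.userAccountControl
    # msDS-AllowedToDelegateTo is multi-valued; drop a null when it is unset
    $targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $allowed = $expected[$obj.sAMAccountName]
    $extra   = if ($allowed) { @($targets | Where-Object { $_ -notin $allowed }) } else { $targets }
    [pscustomobject]@{
      Account            = $obj.sAMAccountName
      Class              = $obj.ObjectClass
      ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
      Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
      DelegateTo         = $targets -join ', '
      # Unconstrained delegation, or constrained targets nobody documented,
      # is the finding to escalate; a documented gateway is expected.
      Finding            = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'unconstrained' }
                           elseif ($extra.Count -gt 0) { 'undocumented delegation targets' }
                           else { 'as documented' }
    }
  }

$report | Sort-Object Finding | Format-Table -AutoSize
```

Accounts that hold protocol transition without any constrained target show an empty DelegateTo column, which is worth a second look on its own.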





