Re: Kerberos authentication for SMTP

steve schofield — Tue, 14 Oct 2008 01:24:09 GMT

I'm not sure, post your question in the IIS SMTP newsgroup. There is a guru there that can / should be able to help.

Kerberos authentication for SMTP

Madness80 — Mon, 13 Oct 2008 19:47:37 GMT

Our email and computer security teams want to tighten up emails being sent externally. They want the users to authenticate to the SMTP server. I'm not having much luck and was wondering if anyone else has figured this out. Environment: IE6/XP client --> W2K3/IIS 6/ASPX page .Net 2.0 --> W2K3/IIS 6/SMTP The Authentication tab for the SMTP server is set to "Integrated Windows Authentication". The web site on the IIS server is also set for integrated authentication. The key issue being that we do not want to prompt the user for their password. The MS Auth Diag tool and Brian Booth's DelegConfig tool report that Kerberos is ok on the IIS server. I have a test ASPX page that reads from a UNC on another server and that works fine. In the security log on that server I see a Kerberos login for the client user. Here is the ASPX code snippet.

Dim oMM As New MailMessage
Dim oMM As New MailMessage
Dim emailaddr As String = "dave@mycompany.com"
Dim oAddress As New MailAddress(emailaddr)
Dim oSMTP As New SmtpClient("mailhost.mycompany.com", 25)

oMM.From = oAddress
oMM.To.Add(oAddress)
oMM.Subject = "Mail test"
oMM.Body = "Mail test"
oSMTP.UseDefaultCredentials = True
oSMTP.Send(oMM)

With "UseDefaultCredentials = True" I see an "AUTH gssapi" packet being sent from the IIS server to the SMTP server in a network trace. The web.config for the site contains <identity impersonate="true" /> so this should be passing the credentials of the user. But in the security log on the SMTP server I see an NTLM logon for NT AUTHORITY\ANONYMOUS LOGON. If I set the web site to use basic authentication then everything works. But we don’t want to do that because we want the integrated authentication to take care of that for us. Within AD, the IIS server is set to "Trust this computer for delegation to any service (Kerberos only)". And in the metabase on the SMTP server I have "NTAuthenticationProviders="GSSAPI,NTLM". Does SMTP support Kerberos login's? The email team also has an SMTP that is installed as part of Exchange. Does that support Kerberos? My email guys tell me that it should not matter. Note: SMTP on the IIS server will not require authentication and can only send emails internally. All externally bound emails must go thru an SMTP server that requires authentication. How do I pass integrated credentials from a client to IIS to SMTP? Thanks for any help.

General

Re: Kerberos authentication for SMTP

Kerberos authentication for SMTP