SYMPTOMS
When NTLM authentication is enabled for a service and the postoffice uses Windows authentication, clients configured with SPA (Secure Password Authentication) cannot authenticate.
CAUSE
When MailEnable services authenticate against Active Directory using Integrated Authentication, the username and password supplied by the email client are required.
The problem with combining NTLM and Integrated Authentication is that the email client and the MailEnable service negotiate a successful login using an NTLM handshake, and in this process the password is not sent across (a hash of the password is sent instead). As a result, MailEnable does not have a password to use when it tries to authenticate back to Active Directory.
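The difference described above, shown as an added example (not MailEnable code): it decodes what a mail server receives from an SPA/NTLM client and from a plain AUTH LOGIN client, and reports whether a password is available to present to Active Directory. The field offsets follow the NTLM AUTHENTICATE message layout in MS-NLMP; the function names are hypothetical, and the account, workstation and response bytes are constructed sample values.

```python
import base64
import struct

def _field(msg, pos):
    """Read one (Len, MaxLen, Offset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def parse_ntlm_authenticate(b64):
    """Decode the final client message of an NTLM (SPA) login."""
    msg = base64.b64decode(b64)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE (type 3) message")
    unicode_flag = struct.unpack_from("<I", msg, 60)[0] & 0x1
    enc = "utf-16-le" if unicode_flag else "ascii"
    return {
        "user": _field(msg, 36).decode(enc),
        "domain": _field(msg, 28).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "lm_response": _field(msg, 12),
        "nt_response": _field(msg, 20),  # challenge response, not the password
    }

def parse_auth_login(b64_user, b64_password):
    """Decode the two client lines of a plain AUTH LOGIN exchange."""
    return {"user": base64.b64decode(b64_user).decode(),
            "password": base64.b64decode(b64_password).decode()}

def has_reusable_password(creds):
    """True only if the server holds a cleartext password it could present to AD."""
    return bool(creds.get("password"))

def build_constructed_type3(domain, user, workstation, nt_response):
    """Build a constructed type 3 message for the demo (not a captured login)."""
    parts = [bytes(24), nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    fields, payload, offset = b"", b"", 64
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    header = b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", 0x1)
    return base64.b64encode(header + payload).decode()

# Constructed sample inputs (hypothetical account, placeholder response bytes).
CONSTRUCTED_SPA = build_constructed_type3("EXAMPLE", "alice", "WS01", bytes(range(24)))
CONSTRUCTED_LOGIN = (base64.b64encode(b"alice").decode(), base64.b64encode(b"constructed-pw").decode())

if __name__ == "__main__":
    for creds in (parse_ntlm_authenticate(CONSTRUCTED_SPA), parse_auth_login(*CONSTRUCTED_LOGIN)):
        print(creds["user"], "reusable password:", has_reusable_password(creds))
```

The NTLM message carries the account name and response values only, so the check returns False for the SPA client and True for the AUTH LOGIN client.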
SOLUTION
Clients must disable SPA in order to authenticate against MailEnable when Integrated Authentication is enabled.
Product: MailEnable
Category: Other
Article: ME020550
Module: SMTP
Keywords: SPA,NTLM,ntlm,SSO,sso,spa,ad,active,directory,integrated,authentication
Class: BUG: Product Defect/Bug
Revised: Wednesday, May 4, 2016
Author: MailEnable
Publisher: MailEnable