Secure Password Authentication (SPA) and NTLM do not work when MailEnable Integrated Authentication is enabled (authentication against Active Directory)


SYMPTOMS

When NTLM authentication is enabled for a service and the postoffice uses Windows authentication, clients configured with SPA (Secure Password Authentication) cannot authenticate.

CAUSE

When MailEnable services authenticate against Active Directory using Integrated Authentication, they require a username and password supplied by the email client.

With NTLM, the email client and the MailEnable service negotiate a successful login using an NTLM handshake, and in this process the password is not sent across (a hash of the password is sent instead). As a result, MailEnable does not have a password to use when it tries to authenticate back to Active Directory.

SOLUTION

Clients must disable SPA in order to authenticate against MailEnable when Integrated Authentication is enabled.
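
The following check is an added example, not MailEnable code: it parses an SMTP EHLO reply and reports which advertised AUTH mechanisms leave the server without a password to pass to Active Directory, and decodes an AUTH PLAIN token to show that the password-bearing mechanisms do deliver it. The sample reply, host name and credentials are constructed. Treating CRAM-MD5 and DIGEST-MD5 like NTLM, and flagging PLAIN/LOGIN without STARTTLS, are generalizations beyond what the article states.

```python
import base64

# Mechanisms where the client sends the password itself (base64 is an
# encoding, not encryption), so the server can present it to Active Directory.
PASSWORD_BEARING = {"PLAIN", "LOGIN"}
# Challenge-response mechanisms: the server sees only a value derived from
# the password. NTLM is what a client with SPA enabled uses.
CHALLENGE_RESPONSE = {"NTLM", "CRAM-MD5", "DIGEST-MD5"}

def parse_ehlo(reply):
    """Return (auth_mechanisms, starttls_offered) from a raw EHLO reply."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        if not line.startswith("250") or len(line) < 5:
            continue
        # Handles both "AUTH LOGIN PLAIN" and the legacy "AUTH=LOGIN PLAIN".
        words = line[4:].upper().replace("=", " ").split()
        if words and words[0] == "AUTH":
            mechs.update(words[1:])
        elif words and words[0] == "STARTTLS":
            starttls = True
    return mechs, starttls

def decode_auth_plain(b64):
    """Split an AUTH PLAIN token into (authzid, username, password)."""
    authzid, user, password = base64.b64decode(b64).split(b"\0")
    return authzid.decode(), user.decode(), password.decode()

def assess(reply):
    """List findings for a postoffice that uses Integrated Authentication."""
    mechs, starttls = parse_ehlo(reply)
    findings = [f"{m}: server receives no password to pass to Active Directory"
                for m in sorted(mechs & CHALLENGE_RESPONSE)]
    if not mechs & PASSWORD_BEARING:
        findings.append("no password-bearing mechanism (PLAIN/LOGIN) offered")
    elif not starttls:
        findings.append("PLAIN/LOGIN offered without STARTTLS: "
                        "password is recoverable on the wire")
    return findings

# Constructed sample reply and credentials, not captured from a real server.
SAMPLE_EHLO = ("250-mail.example.test\r\n250-SIZE 10240000\r\n"
               "250-AUTH LOGIN PLAIN NTLM\r\n250 HELP\r\n")
SAMPLE_TOKEN = base64.b64encode(b"\0alice@example.test\0constructed-pw").decode()

if __name__ == "__main__":
    print(decode_auth_plain(SAMPLE_TOKEN))
    for finding in assess(SAMPLE_EHLO):
        print(finding)
```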



Product:MailEnable
Category:Other
Article:ME020550
Module:SMTP
Keywords:SPA,NTLM,ntlm,SSO,sso,spa,ad,active,directory,integrated,authentication
Class:BUG: Product Defect/Bug
Revised:Wednesday, May 4, 2016
Author:
Publisher:MailEnable