Has anyone figured out how to get Windows Kerberos and WSAM to work together? I am running 6.0r5 and it just doesn't want to work. I tried forcing Kerberos to use TCP and not UDP on the desktops, but it still didn't work. One of the things I noticed was that DNS queries for Kerberos were being sent to the external DNS server, and so they didn't get the right answer back.
Does anyone have the same problem? I have a similar problem on version 6.5r2. Is there any ticket open?
To be more concrete: Outlook is not working with WSAM, but it works with NC, and after a successful NC session Outlook will run with WSAM.
It looks like Kerberos is switched back to NTLM. I don't know why there is Kerberos at all, because I have NTLM set in the Outlook preferences...
@hadar: Kerberos over WSAM is available in 6.4 and later only. You need to enable the standard WSAM application (6.4 and later only) called "Domain Authentication" and then define all your DCs as allowed servers, in order to allow the WSAM application to capture the Kerberos-based traffic. Previous versions do not contain the ability to capture this data.
@fild: Do you see WSAM capturing the traffic successfully for Outlook? If you look at the Event Log tab on the WSAM application (WSAM UI > Advanced > Event Log), do you see any access denied / ACL check failure messages? Are you expecting Kerberos- or NTLM-based auth for Outlook? Do you have all DCs/Exchange servers enabled as WSAM destinations? Are you using the WSAM application "Domain Authentication" as well as the Outlook application?
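A client-side check that follows from the two points raised above (Kerberos SRV lookups answered by the wrong resolver, and every KDC needing to be an allowed WSAM destination). This is an added example, not code from the thread or from the WSAM product; the domain name and internal DNS server address are hypothetical placeholders, and it only reads the Kerberos TCP setting, it does not change it.

```powershell
# Added diagnostic (not from the thread): can this WSAM client resolve its Kerberos KDCs
# through the expected internal resolver, reach them on TCP/88, and is Kerberos forced over TCP?
# Assumptions (hypothetical values): AD domain corp.example.com, internal DNS server 10.0.0.53.
param(
    [string]$Domain      = 'corp.example.com',
    [string]$InternalDns = '10.0.0.53'
)

$srvName = "_kerberos._tcp.$Domain"

# 1. Which resolver answers the Kerberos SRV lookup by default? If the answer comes from an
#    external DNS server it will be empty or wrong, which matches the symptom in the first post.
try {
    $default = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    "Default resolver answered $srvName with: " + (($default | ForEach-Object NameTarget) -join ', ')
} catch {
    "Default resolver could NOT resolve $srvName : $($_.Exception.Message)"
}

# 2. Same query, asked explicitly of the internal DNS server the tunnel should be using.
$kdcs = Resolve-DnsName -Name $srvName -Type SRV -Server $InternalDns -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget
"Internal DNS ($InternalDns) lists KDCs: $($kdcs -join ', ')"

# 3. Every KDC returned must be an allowed WSAM destination. TCP/88 reachability is the cheap test;
#    a blocked port here usually shows up as an ACL deny in the WSAM event log as well.
foreach ($kdc in $kdcs) {
    $t = Test-NetConnection -ComputerName $kdc -Port 88 -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED (check WSAM ACL / Domain Authentication app)' }
    "{0,-40} TCP/88 {1}" -f $kdc, $state
}

# 4. Is Kerberos forced over TCP on this desktop? MaxPacketSize=1 under the Kerberos
#    Parameters key makes the client skip UDP. Read only; nothing is modified.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$max = (Get-ItemProperty -Path $kerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
if ($null -eq $max)   { 'MaxPacketSize not set: UDP first, TCP only for large replies' }
elseif ($max -eq 1)   { 'MaxPacketSize=1: Kerberos forced over TCP' }
else                  { "MaxPacketSize=$max" }

# 5. What tickets does the current logon session hold? No TGT or no service ticket for the
#    Exchange server means the client will fall back to NTLM, as described later in the thread.
klist
```

Run it once over the WSAM tunnel and once over an NC session and compare: if step 2 returns KDCs but step 1 does not, the tunnel is not handing Kerberos SRV queries to the internal resolver; if step 3 shows a KDC blocked, that host is missing from the allowed-servers list.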
Yes, all the access rights are there; NTLM is set as the auth method in Outlook. The best thing is that it was working and then it stopped. Maybe from the upgrade to 6.5r2?? I can connect via NC and there are some Kerberos packets. I can then run WSAM and connect to Outlook. Then NC again. Success. But no Kerberos packets...
So it looks like the Exchange server wants Kerberos for some reason and Kerberos is not working. When connecting via LAN or NC, it will try Kerberos and then NTLM. And NTLM will be OK.
I can also see denies in the WSAM logs...
@fild: Can you paste the access denied message here, or which server is being denied? Can you confirm that the server you are seeing the deny for is allowed in the SAM ACL? Do you have the "Domain Authentication" application defined for WSAM as well?