Solved

Anyone deploying Outlook 2011 using Kerberos auth?

  • January 6, 2012
  • 11 replies
  • 56 views


Is anyone out there using Kerberos authentication in order to setup Outlook 2011?

Best answer by Yoshimi

We are testing this. Kerberization seems to work OK, we have other issues in our environment preventing us from going to Outlook 2011.

11 replies

  • New Contributor
  • Answer
  • January 6, 2012

We are testing this. Kerberization seems to work OK, we have other issues in our environment preventing us from going to Outlook 2011.


  • Author
  • Contributor
  • January 6, 2012

We've tried to use it in our environment - but have run into issues, and aren't really sure how to proceed with getting support from MS to run through a configuration verification.

We're using Centrify for our AD plugin - but login and connection to File Shares seems to work as expected.

As far as testing the Outlook client, we're not really sure what direction to go in...


bentoms
  • Hall of Fame
  • January 6, 2012

Works fine for me.

Exchange 2010, Outlook 2011, 10.6.x/10.7.x & native ad plugin.

Nothing special needed to setup. Macs are joined to AD, all servers are a part of the same Kerberos realm & all clients point to the same NTP.

Does Autodiscover work correctly for you guys?

FWIW though, we do not use this as most macs are MacBooks & as such we have a lot of out of office workers. So all use the owa address & can connect off the LAN without VPN.


  • Valued Contributor
  • January 10, 2012

According to Microsoft, AutoDiscover and Kerberos do not work properly together.
When I asked about it I found out that even in their tech support environment, MS does not use Kerberos for Mac Outlook.


talkingmoose
  • Community Manager
  • January 10, 2012

Kerberos won't work externally to a network but in a closed lab situation I've been able to make it work with Autodiscover. Unfortunately, real world network environments are often far from lab settings and I'm in the camp where we can't use Kerberos either. That's not because of Microsoft issues but rather our own network support staff.

I have no idea whether Microsoft uses Kerberos in its environment but I'd be curious to know where you heard it doesn't work with Autodiscover.


  • Contributor
  • October 1, 2012

Is there a way to script the selection of the sole Kerberos identity in order to automate adding an exchange account for smart card users?


talkingmoose
  • Community Manager
  • October 1, 2012

Only via AppleScript:

tell application "Microsoft Outlook"
    set use kerberos authentication of exchange account 1 to true
    set principal of exchange account 1 to "marty@talkingmoose.pvt"
end tell

  • Contributor
  • October 1, 2012

Thanks,

Can that be combined with your Office 2011 setup script to read the kerberos identity from the username and kerberos realm so it will work for all AD users?


talkingmoose
  • Community Manager
  • October 1, 2012

I've got a Kerberos section in the script already, but it pieces together the principal name from different components. A better way, which I'll add to my next script update, would be to get it directly from Active Directory itself via dscl:

dscl "/Active Directory/DOMAIN/All Domains" -read /Users/marty dsAttrTypeNative:userPrincipalName | awk '{print $2}'

My suggestion for now is to add this line to the "Begin email address properties" section of the script:

if getEMailAddressUsingDSCL is true and systemVersion < "10.7" then

    set emailAddress to do shell script "dscl \"/Active Directory/All Domains/\" -read /Users/" & shortName & " EMailAddress | awk '{print $2}'"
    set firstName to do shell script "dscl \"/Active Directory/All Domains/\" -read /Users/" & shortName & " FirstName | awk '{print $2}'"
    set lastName to do shell script "dscl \"/Active Directory/All Domains/\" -read /Users/" & shortName & " LastName | awk '{print $2}'"
    -- added line: read the UPN straight from Active Directory
    set principalName to do shell script "dscl \"/Active Directory/All Domains/\" -read /Users/" & shortName & " dsAttrTypeNative:userPrincipalName | awk '{print $2}'"

    -- DSCL lookups for Mac OS X 10.7 and higher

else if getEMailAddressUsingDSCL is true and systemVersion ≥ "10.7" then

    -- get the domain's primary NetBIOS domain name

    set netbiosDomain to do shell script "dscl \"/Active Directory/\" -read / SubNodes | awk '{print $2}'"

    set emailAddress to do shell script "dscl \"/Active Directory/" & netbiosDomain & "/All Domains/\" -read /Users/" & shortName & " EMailAddress | awk '{print $2}'"
    set firstName to do shell script "dscl \"/Active Directory/" & netbiosDomain & "/All Domains/\" -read /Users/" & shortName & " FirstName | awk '{print $2}'"
    set lastName to do shell script "dscl \"/Active Directory/" & netbiosDomain & "/All Domains/\" -read /Users/" & shortName & " LastName | awk '{print $2}'"
    -- added line: read the UPN straight from Active Directory
    set principalName to do shell script "dscl \"/Active Directory/" & netbiosDomain & "/All Domains/\" -read /Users/" & shortName & " dsAttrTypeNative:userPrincipalName | awk '{print $2}'"

end if

And then change this part later in the script:

if useKerberos is true then
    set use kerberos authentication of newExchangeAccount to useKerberos
    -- changed line: use the principal read from Active Directory
    set principal of newExchangeAccount to principalName
end if

Take that for a spin and see if it works as you expect. Be sure to set the Kerberos property at the top of the script to "true". I tested the additions individually but not in the overall context of the script.
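The following is an added example, not part of this thread and not talkingmoose's Office 2011 setup script. It joins the two pieces quoted above (the dscl read of userPrincipalName and the Outlook AppleScript that sets the Kerberos principal) and adds the check a practitioner usually wants before touching Outlook: whether the principal about to be written matches the one in the Kerberos credential cache, since Kerberos realms are case-sensitive and a mismatch is what produces a password prompt on a smart-card login. Everything in it is assumed rather than taken from the thread: the single-line shape of the dscl output, the klist layout in SAMPLE_KLIST (a constructed approximation of Heimdal's output), the convention that the realm is the UPN suffix in upper case, and the Outlook property names, which are the ones quoted in the AppleScript above.

```shell
#!/bin/sh
# Added example (not from the thread or talkingmoose's script).
# Assumptions, none of which come from the thread:
#  - dscl prints the attribute as one line: "dsAttrTypeNative:userPrincipalName: user@domain"
#  - the Kerberos realm is the UPN suffix in upper case (the normal AD layout)
#  - klist prints a "Principal:" line in the Heimdal style shown in SAMPLE_KLIST

# Constructed sample outputs so the parsing functions run on any sh, without a domain-joined Mac.
SAMPLE_DSCL='dsAttrTypeNative:userPrincipalName: marty@talkingmoose.pvt'
SAMPLE_KLIST='Credentials cache: API:501:1
        Principal: marty@TALKINGMOOSE.PVT

  Issued                Expires               Principal
Jan 30 09:00:00 2014  Jan 30 19:00:00 2014  krbtgt/TALKINGMOOSE.PVT@TALKINGMOOSE.PVT'

# Value of the userPrincipalName attribute from "dscl ... -read" output.
upn_from_dscl() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "dsAttrTypeNative:userPrincipalName" { print $2; exit }'
}

# Kerberos principal for a UPN. Realms are case-sensitive and AD realms are upper
# case, so "marty@talkingmoose.pvt" handed to Outlook unchanged does not match
# the "marty@TALKINGMOOSE.PVT" ticket in the cache. Anything that is not a plain
# user@domain is rejected so the value cannot break out of the AppleScript string
# literal built in outlook_script().
principal_from_upn() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$' || return 1
    printf '%s@%s\n' "${1%@*}" "$(printf '%s' "${1#*@}" | tr '[:lower:]' '[:upper:]')"
}

# Default principal of the credential cache, from "klist" output.
cache_principal() {
    printf '%s\n' "$1" | awk '$1 == "Principal:" { print $2; exit }'
}

# The AppleScript quoted in the thread, with the principal filled in.
outlook_script() {
    printf 'tell application "Microsoft Outlook"\n'
    printf '    set use kerberos authentication of exchange account 1 to true\n'
    printf '    set principal of exchange account 1 to "%s"\n' "$1"
    printf 'end tell\n'
}

main() {
    if [ "$(uname 2>/dev/null)" = Darwin ] && command -v dscl >/dev/null 2>&1; then
        short_name=$(id -un)
        # Same NetBIOS-domain lookup the thread's script uses for 10.7 and later.
        netbios_domain=$(dscl "/Active Directory/" -read / SubNodes | awk '{print $2}')
        dscl_out=$(dscl "/Active Directory/$netbios_domain/All Domains" -read "/Users/$short_name" dsAttrTypeNative:userPrincipalName)
        klist_out=$(klist 2>/dev/null || true)
    else
        echo "not a domain-joined Mac; using the constructed sample output" >&2
        dscl_out=$SAMPLE_DSCL
        klist_out=$SAMPLE_KLIST
    fi

    upn=$(upn_from_dscl "$dscl_out")
    principal=$(principal_from_upn "$upn") || { echo "no usable UPN in: $dscl_out" >&2; return 1; }
    cached=$(cache_principal "$klist_out")

    if [ "$cached" != "$principal" ]; then
        # This is the state behind a Kerberos password prompt that smart-card users cannot answer.
        echo "warning: credential cache holds '${cached:-nothing}', not '$principal'; Outlook will prompt" >&2
    fi

    outlook_script "$principal"
    # Only touch Outlook when explicitly asked; the default is a dry run that prints the script.
    [ "${1:-}" = --apply ] && outlook_script "$principal" | osascript
    return 0
}

main "$@"
```

Run it with no arguments for a dry run that prints the AppleScript and the cache check; pass `--apply` on a domain-joined Mac to pipe the script into osascript. The realm upper-casing is the part most worth verifying in your own environment: compare the printed principal against `klist` before trusting it.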


  • Contributor
  • January 30, 2014

I'm having some issues with just selecting the only Kerberos identity available. When it puts the name together using the script, it does not work even though the only difference is lowercase letters. I'm prompted for a Kerberos password which doesn't exist due to users logging in with smart cards.

Oh, and no dscl in my environment.


  • Contributor
  • January 30, 2014

Like others have mentioned, we don't use Kerberos for Exchange or Lync because those services are available externally while Kerberos is not.