
Author Netware, Exchange 2000, and authentication
John Rodriguez

2002-10-05, 8:31 pm

Hopefully someone here has more experience with integrating Netware and
Exchange than I do, and can help me gain back the goodwill of the user
community at my client site.

Here's the specific situation: this client has a dual Netware 4.x/Windows
NT 4.0 environment. Netware's the primary directory service, and Windows NT
is really just in place so they can have Exchange and SQL. Users log into
Netware first thing in the morning, which automatically logs them into the
local workstation (all users are on Windows 2000 Professional workstations
which are not members of the domain). When they would start Outlook, they
would not receive any authentication prompts -- Exchange would either grab
the local workstation account or, more likely, pass the Novell credentials
and present them to Windows NT. In preparation for the Exchange 2000
upgrade, we added a new BDC two weeks ago, promoted it to PDC, upgraded it,
and ran DCPROMO to have the requisite Windows 2000 DC. At that time there
was no change to the user experience (i.e. they still had just the one logon
prompt).

After the upgrade on Monday, users now receive a prompt when they access
Outlook. Although this is hardly a major issue, the IT staff at the client
tend to bend over backwards to simplify things for their users, and this
additional prompt has already prompted a lot of questions from some very
befuddled users. They (the IT staff) have come back to me to find out what
we need to do to restore the single sign-on functionality the users enjoyed
before, and I'm not sure how at the moment. We've tried a number of things,
including verifying the presence of the Exchange key under HKU (as mentioned
in a KB article), adding the workstations to the domain, and changing the
password mechanism from NT to DPA. The user account names are the same in
Netware, AD, and the local workstation, and users don't reset their own
passwords -- everything is controlled by the IT department who manually
synchronize passwords.

I suspect that our problem lies in the interaction between Netware and AD,
but not knowing for certain how they interrelate, I'm not sure what I need
to do to fix this. My guess is that since Exchange relies on AD as its
directory service, the Netware credentials are being presented directly to
AD, instead of being filtered or matched against an Exchange user, and that
Kerberos somehow doesn't like the credentials that Netware is passing
through.

Has anyone else grappled with this, and, if so, can anyone suggest a remedy?
Thanks very much for any shared expertise or insight!

John


John Rodriguez

2002-10-05, 8:31 pm

Thanks for the quick response, Gene!

The passwords are manually synchronized, so that part matches your
experience. I neglected to explain in my first post that they've been using
Exchange 5.5 for years -- this is simply a migration from Exchange 5.5 to
Exchange 2000 (with of course the NT-to-2000 upgrade).

Is there a setting in Netware that instructs the Netware client to proffer
its client credentials to Windows NT/2000? Currently the users only log
into Netware and the workstation (which are all members of a workgroup, not
the domain).

I did some testing last night and moving a workstation into the domain had
no effect on the authentication prompt. Since the Exchange 5.5 server is
still functioning, I created multiple profiles on a single machine and
connected to the two Exchange servers in turn -- connecting to the 5.5
server was seamless while the 2000 server prompted for authentication. This
to me definitely points towards Kerberos and AD's position within Exchange
as the culprit.

"Gene Meili" <gmeili@memphistestinglab.com> wrote in message
news:fd0601c26a2b$eb200f40$39ef2ecf@TKMSFTNGXA08...
> Been there, done that. Here is what we did.
>
> We changed UserID and Passwords to match on Novell and
> Windows 2000. That eliminated the need for
> multiple logons during the migration. We also cleared
> Groupwise passwords in NWadmin to eliminate the prompt for
> that password.


Gene Meili

2002-10-05, 8:31 pm

I have not gone thru a 5.5 to 2000 upgrade, but I do have
a similar situation from the Netware client side. If you
are using the Netware 32 bit client to log in, it seems to
be the dominant logon. When I started converting my Novell
users to Windows 2000, and had them ready to switch from
Novell to Windows 2000, I had to remove the 32bit client
and use Microsoft's built in client for Netware to allow
the Windows 2000 domain to be dominant.

Hope that helps.



John Rodriguez

2002-10-05, 8:31 pm

Just to make things even more interesting, it's become pretty clear after
some testing this evening that users are not and never have been logging
into the Windows NT (now 2000) domain when they authenticate to Netware. I
confirmed this by changing a user's domain password but leaving the
workstation and Netware passwords the same. Being almost entirely
unfamiliar with Netware I'm not sure how to set up dual authentication so
that the user logs into both Netware and Windows 2000. I realize this has
gotten a bit off-topic for Exchange, so please reply to my (munged) email
address jrod39@nospam.msn.com.

Thanks for any additional help!


"Gene Meili" <gmeili@memphistestinglab.com> wrote in message
news:332501c26a2e$5f99ccb0$2ae2c90a@phx.gbl...
> I have not gone thru a 5.5 to 2000 upgrade, but I do have
> a similar situation from the Netware client side. If you
> are using the Netware 32 bit client to log in, it seems to
> be the dominant logon. When I started converting my Novell
> users to Windows 2000, and had them ready to switch from
> Novell to Windows 2000, I had to remove the 32bit client
> and use Microsoft's built in client for Netware to allow
> the Windows 2000 domain to be dominant.
>
> Hope that helps.

