Den 25/12/2006 kl. 13.00 skrev Adrian Gill:
> Date: Sun, 24 Dec 2006 16:43:40 -0000
> From: "Adrian Gill" <adrian at ssinternet.co.uk>
> Subject: Re: [Dovecot] NTLM authentication woes
> To: <dovecot at dovecot.org>
> Message-ID: <023001c7277a$ae1bcf60$4107a8c0 at AdeLaptop>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
> reply-type=response
>
> Lars wrote:
> [Re Outlook handling of SPA/NTLM]
>> Turning on auth_debug and auth_verbose has led me to discover that MS
>> Outlook uses the users full name as login, instead of whatever is
>> entered
>> in the account-information - if the user "John Doe" has the
login
>> "jd at domain.com", Outlook sends "John Doe"
instead. This of course
>> fails.
>> Strangely enough, if I turn off "Use Secure Authentication"
from
>> within
>> Outlook, the login-name from the account- information is used as
>> it should
>> be.
>
> Not a solution I'm afraid, but just to let you know that I've been
> experimenting with NTLM (actually with Exim for authenticated SMTP)
> for a
> while with a few users and had the same problems - different
> versions of
> Outlook behave slightly differently, but none (that I've found)
> seem to work
> properly. Usually Outlook sends the users Windows Logon username and
> password (which is often their name, but often something else too like
> 'Administrator') initially, and sometimes then retries
> automatically with
> the correct details.
>
> Things never seem to be that consistent though, except that they're
> consistently bad. Frustratingly, the only option I have is to tell
> users
> that have problems to use Thunderbird or something else and use
> cram-md5
> instead.
>
> As far as Outlook goes I think Microsoft seem to only bother
> testing NTLM
> running with MS Exchange on a local network... v.annoying!
>
> (Sorry not that helpful a post)
>
> Adrian
Hi Adrian
Thanks for your reply. I suspected as much, though I had hoped that
there was an easy applicable solution. Sadly my MS-using clients are
reluctant at best to change their applications, flawed as they may
be, so I guess they'll have to live with things as they are for now.
MS really should fix their apps, but that's a topic for a discussion
of it's own.
I use a mysql-backend, and suspect I could change the login-call to
match whatever Outlook or Entourage choose to send, but that would be
difficult to make consistent enough to be truly workable, I think...
Thanks for your time
/Lars