Basics of problem:
Exim is putting failed authorization messages into reject log;
but authorization of users is succeeding with only a single
authorization stanza. (ONLY SPA for Windows clients.)
I tried a message similar to this on the CygWin (running Cygwin 1.5.8) list
but received no matching responses and so wish to ask the following:
Would someone running Exim 4.50+ (especially 4.52) and using Microsoft
Outlook or Outlook Express with SPA (NTLM) authentication to a flat file
please search your Exim reject log for a warning of the following type (all
one line):
2005-08-23 18:36:53 spa authenticator failed for
cpe-70-112-20-135.austin.res.rr.com (Unagi)
[70.112.20.135]: 535 Incorrect authentication
data (set_id=HerbM)
The key point: "spa authenticator" reported as "failed". YET, users are
authenticated ANYWAY.
If you have no such errors under similar setup, would you please post (or
send to me privately) the relevant authenticator and a (sanitized) snippet
of your password file so I can check my format.
The weird part is that the authentication actually seems to work correctly,
the user is authenticated (an incorrect password will fail and not work as
expected so it doesn't seem to be getting through another way -- and all
other authenticators have been commented out of the exim.conf file.)
Here is my (ONLY) authenticator:
begin authenticators
spa:
driver = spa
public_name = NTLM
server_password = ${lookup{$1}lsearch{/etc/authpwd}}
server_set_id = $1
(I have tried it both with and without that last line:
"server_set_id".)
My "/etc/authpwd" password file is:
username:password
user2:password2
etc:and_so_on
Another weird thing, it always shows the interCap version of the "username"
(HerbM as opposed to herbm) even though Outlook is set to use "herbm" and
the file has the lower case version (I have also tried changing both to
match Intercap and it still "works" but the failure also appears in the
reject log.) And yet again oddly if I put bogus name (purposeful and
obvious misspelling) in Outlook it SHOWS this when the authentication fails
and a dialog asking for correction appears.
I have tried making sure the /etc/authpwd is "UNIX style line endings (i.e.,
lf not cr/lf) but that change had no effect.
My working assumption (pure guess) is that Outlook is FIRST sending the
"user logon name", maybe with domain included, and then perhaps failing over
to the configured (in Outlook) name and that somehow works but this doesn't
really hold together as a satifying answer.
Testing PLAIN authenticators using MIME encode and Telnet/netcat is
something I understand but I don't know a strategy for testing SPA
authentication manually. Ideas?
--
Herb Martin
