The Exchange version of the MAPI store provider does not support Kerberos authentication (918710)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 5.5

INTRODUCTION

MAPI applications use a remote procedure call (RPC)-based protocol to communicate with servers that are running Microsoft Exchange Server. Microsoft Outlook and Exchange Server each include a different version of the MAPI store provider library (Emsmdb32.dll). Emsmdb32.dll handles this RPC communication.

The Exchange version of the MAPI store provider was not designed to work with Kerberos authentication, and does not support Kerberos authentication. No update is available for the Exchange store provider to make the provider work with Kerberos, and no such update is planned.

MORE INFORMATION

The following scenario describes an example in which Active Server Pages (ASP) applications may experience issues that are related to this non-support of Kerberos authentication.

ASP applications experience MAPI_E_LOGON_FAILED errors when the following conditions are true:
  • The ASP applications use integrated authentication.
  • Collaboration Data Objects (CDO 1.21) is used to log on to a mailbox on a remote Exchange server.

This is a double-hop scenario in which credentials that are gathered by the server that is running Internet Information Services (IIS) would be passed to the Exchange server if Kerberos authentication were available. Because the Exchange store provider does not support Kerberos authentication, credentials cannot be passed in a double-hop scenario.

When you run the same ASP Web application in Internet Explorer directly on the server that is running IIS, this error does not occur. In this case, Kerberos authentication is not needed.

To work around this issue, use one of the following methods.

Use Basic authentication with SSL

Basic authentication generates an interactive token which can be passed to different servers. The drawback with Basic authentication is that users are prompted for a user name and password. Additionally, the user name and password are sent to the server in clear text. Therefore, if you use Basic authentication, make sure that you use Secure Sockets Layer (SSL) for the Web application.

Use WebDAV

WebDAV uses HTTP requests and responses together with XML to query, to create, and to modify Exchange data. Because you are using HTTP requests, IIS handles authentication.
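
The following sketch is an added example, not code from this article or from Microsoft. It builds a WebDAV SEARCH request for a mailbox folder and reads the 207 Multi-Status reply. It assumes Basic authentication over SSL, as in the previous method, and it refuses to attach credentials to a non-HTTPS URL. The host name, mailbox path, function names, and sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Constructed sample of a 207 Multi-Status body (not captured from a real server).
SAMPLE_207 = b"""<?xml version="1.0"?>
<a:multistatus xmlns:a="DAV:" xmlns:d="urn:schemas:httpmail:">
  <a:response>
    <a:href>https://mail.example.test/exchange/user1/Inbox/Status.EML</a:href>
    <a:propstat>
      <a:status>HTTP/1.1 200 OK</a:status>
      <a:prop><d:subject>Status</d:subject></a:prop>
    </a:propstat>
  </a:response>
</a:multistatus>"""

def build_search(folder_url, user, password):
    """Return (method, url, headers, body) for a WebDAV SEARCH of folder_url."""
    # Basic credentials are only base64-encoded, so refuse any URL without SSL.
    if urlsplit(folder_url).scheme != "https":
        raise ValueError("Basic authentication requires an https:// URL")
    sql = ('SELECT "DAV:href", "urn:schemas:httpmail:subject" '
           f'FROM scope(\'shallow traversal of "{folder_url}"\')')
    body = ('<?xml version="1.0"?>'
            '<D:searchrequest xmlns:D="DAV:">'
            f'<D:sql>{escape(sql)}</D:sql></D:searchrequest>')
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    headers = {"Content-Type": "text/xml",
               "Authorization": f"Basic {token}"}
    return "SEARCH", folder_url, headers, body.encode("utf-8")

def parse_multistatus(xml_bytes):
    """Map each item's href to its subject from a 207 Multi-Status body."""
    ns = {"D": "DAV:", "m": "urn:schemas:httpmail:"}
    out = {}
    for resp in ET.fromstring(xml_bytes).findall("D:response", ns):
        href = resp.findtext("D:href", namespaces=ns)
        subject = resp.findtext("D:propstat/D:prop/m:subject", namespaces=ns)
        out[href] = subject
    return out
```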

Host the Web application on the Exchange server

Kerberos is used to pass credentials between servers. Therefore, if the Web application and Exchange are on the same server, you do not have to use Kerberos. In this case, the Web application will not experience the issue that is described in this article.

REFERENCES

For more information about how Outlook, CDO, MAPI, and providers work together, visit the following Microsoft Web site:

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

266418 Microsoft does not support installing Exchange Server components and Outlook on the same computer


For more information about Kerberos authentication, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 5/12/2006
Keywords: kbExpertiseAdvanced kbnofix kbtshoot KB918710 kbAudITPRO