= The Exchange version of the MAPI store provider does not support Kerberos authentication =

Article ID: 918710

Article Last Modified on 10/25/2007

== APPLIES TO ==

 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange Server 5.5 Standard Edition

== INTRODUCTION ==
MAPI applications use a remote procedure call (RPC)-based protocol to communicate with servers that are running Microsoft Exchange Server. Microsoft Outlook and Exchange Server each include a different version of the MAPI store provider library (Emsmdb32.dll). Emsmdb32.dll handles this RPC communication.

The Exchange version of the MAPI store provider was not designed to work with Kerberos authentication, and does not support Kerberos authentication. No update is available for the Exchange store provider to make the provider work with Kerberos, and no such update is planned.



== MORE INFORMATION ==
The following scenario is an example in which Active Server Pages (ASP) applications may experience issues because the Exchange store provider does not support Kerberos authentication.

ASP applications experience MAPI_E_LOGON_FAILED errors when the following conditions are true:
 * The ASP applications use integrated authentication.
 * Collaboration Data Objects (CDO 1.21) is used to log on to a mailbox on a remote Exchange server.

This is a double-hop scenario in which credentials that are gathered by the server that is running Internet Information Services (IIS) would be passed to the Exchange server if Kerberos authentication were available. Because the Exchange store provider does not support Kerberos authentication, credentials cannot be passed in a double-hop scenario.

When you run the same ASP Web application in Internet Explorer directly on the server that is running IIS, this error does not occur. In this case, Kerberos authentication is not needed.

To work around this issue, use one of the following methods.

=== Use Basic authentication with SSL ===
Basic authentication generates an interactive token that can be passed to different servers. The drawback of Basic authentication is that users are prompted for a user name and password. Additionally, the user name and password are sent to the server in clear text. Therefore, if you use Basic authentication, make sure that you use Secure Sockets Layer (SSL) for the Web application.
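
Why SSL matters for this workaround, as an added example that is not part of the original article: the Base64 in a Basic `Authorization` header is an encoding, not encryption, so this Python check decodes a constructed header and flags any Basic logon that arrived over plain HTTP. The function names, decision labels and the sample account are assumptions made for illustration.

```python
import base64
import binascii

# Constructed sample header; the account and password are made up.
SAMPLE_HEADER = "Basic " + base64.b64encode(
    b"EXAMPLE\\alice:constructed-password").decode("ascii")


def classify_request(scheme, authorization):
    """Return (decision, detail) for one request.

    scheme: "http" or "https" as seen by the Web server.
    authorization: raw Authorization header value, or None.
    """
    if not authorization:
        return ("challenge", "no credentials sent")
    auth_scheme, _, blob = authorization.partition(" ")
    if auth_scheme.lower() != "basic":
        # Negotiate/NTLM and others are outside this check.
        return ("not-basic", auth_scheme)
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ("reject", "malformed Basic credentials")
    user, sep, _password = decoded.partition(":")
    if not sep:
        return ("reject", "malformed Basic credentials")
    if scheme.lower() != "https":
        # No key was needed to recover the user name and password above,
        # so without SSL they are readable by anyone on the network path.
        return ("reject-exposed", user)
    return ("accept", user)


def exposed_users(requests):
    """List users whose Basic credentials crossed the wire without SSL."""
    return [detail for decision, detail in
            (classify_request(s, a) for s, a in requests)
            if decision == "reject-exposed"]


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, classify_request(scheme, SAMPLE_HEADER))
```
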

=== Use WebDAV ===
WebDAV uses HTTP requests and responses together with XML to query, to create, and to modify Exchange data. Because you are using HTTP requests, IIS handles authentication.

=== Host the Web application on the Exchange server ===
Kerberos is used to pass credentials between servers. Therefore, if the Web application and Exchange are on the same server, you do not have to use Kerberos. In this case, the Web application will not experience the issue that is described in this article.

