FYI: Exchange's CDO 1.21 NOT Supported with Kerberos

  • Article

It's late so I'm going to keep this brief but since we don't have any public content I wanted to get the word out. Exchange's CDO 1.21 was never tested and will not work with Kerberos authentication. While Outlook's version of CDO 1.21 does have Kerberos support, it is not suitable for use in serviced applications.

Problem

A lot people install Exchange System Manager on an IIS box in hopes of using CDO 1.21 inside an ASP application. Typically this ASP application was hosted on the Exchange server itself in the Windows 2000 days but Windows 2003 fully supports Kerberos and this seems like an opportunity to seperate the tiers a bit. What we see people wanting to do is seperate the ASP application to a seperate IIS server with integrated authentication turned on thus allowing users to use this internal web application to pull information from their mailbox or a public folder using their credentials against Exchange through CDO 1.21. What they find is that they get a MAPI_E_LOGON_FAILED error even though they verify the IIS application is running as the logged in user. The problem is that CDO 1.21 doesn't support Kerberos.

Resolution

Unfortunately we can only offer workarounds. CDO 1.21 is old and being de-emphasized in Exchange 12. Here are your options:

  • Use Basic Authentication. Basic authentication will work because it generates an Interactive token which can be passed to different servers. The drawback with Basic authentication is that users are prompted for a user name and password. Additionally that user name and password is sent in clear text to the server so you should be sure to run your web application with SSL if you are using Basic Authentication.
  • Use WebDAV. WebDAV uses HTTP requests and responses with XML to query, create, and modify Exchange data. Since you are using HTTP requests, IIS handles authentication and security is much easier to handle. WebDAV can be cumbersome to use but must be given create for its wide supportability (supported with managed code and from non-PC clients) and its ability to support Contacts, Meetings, and Mail Items.
  • Host your web application on the Exchange server. Since Kerberos is used to pass credentials between servers, if the web application and Exchange are on the same machine there is no need to use Kerberos and your web application will work.

...I thought I was going to keep this brief but I guess not. Anyway, like I said we don't have offical content up yet but I will update this post with the KB article when it goes public. Until then look into WebDAV.

...Update, here is the only offical explaination of this issue that is out there right now...

https://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/providers.mspx

...the most important thing to take away is quoted below..

"EMSMDB32 on the client was modified to support RPC canceling instead of waiting on the server as well as RPC over HTTP and Kerberos authentication. EMSMDB32 on the server went through a series of multithreading changes to improve performance for server applications. EMSABP32 on the client gained the ability to rebind to global catalog servers, where the server version originally did not. MAPI32 was further adapted to work well with third-party providers, while the server version received additional fixes to the temp profile provider."

...Updated 6-02-06... Here is the KB link...https://support.microsoft.com/?kbid=918710