Can I use KITE to achieve better PennKey password integration with Exchange?
For Windows authentication, it is possible for a Windows Kerberos domain to trust an MIT Kerberos domain and, transparently to the end user, to obtain Windows Kerberos credentials after the user has obtained MIT Kerberos credentials.
However, this doesn't work when authenticating to the various components of the Exchange service. A user can access their mailbox in many ways, and these use different authentication mechanisms, few of which support Kerberos at all (let alone MIT Kerberos, which is what PennKey authentication uses).
Via KITE, a Windows user can authenticate to a domain-based workstation using their PennKey and password. That workstation can either be directly joined to the KITE domain or joined to another Windows AD domain that trusts KITE. This would enable single sign-on for the same user if they had an Exchange mailbox, because Outlook uses Microsoft Kerberos. But if that user were off campus, they would not be able to log on to their domain via any method because of the packet filtering on Penn's border routers. So the user would need to use their Windows AD password to access their Exchange mailbox using Outlook while on the road or at home. Webmail also uses the Windows Active Directory password, as do SMTP, POP and IMAP.
The client authentication breaks down like this:
| CLIENT | OS | LOCATION | AUTHENTICATION MECHANISM |
|---|---|---|---|
| Outlook 03/07 | Windows domain connected | on-campus | PennKey password via KITE (SSO) |
| Outlook 03/07 | Windows domain connected | off-campus | AD password NTLM |
| Outlook 03/07 | Windows workgroup | on- or off-campus | AD password NTLM |
| POP/IMAP client | Any OS | on- or off-campus | AD password as text via SSL |
| Webmail/OWA client | Any OS | on- or off-campus | AD password as text via SSL |
There are some possibilities of using Kerberized mail clients for POP/IMAP, but the password would be the AD password because Exchange only works with AD as the KDC.