none
Shared Mailboxes with IMAP Kerberos Exchange Bug? RRS feed

  • Question

  • Our non-Windows client machines users are happily using Kerberos authenticated IMAP to read their email accounts on Exchange 2010. This allows us to use SSO and ensure we don't have to save passwords in applications which is not secure.

    However shared mailboxes do not work with this, the account setup connects but just gives you your own inbox NOT the shared mailbox. I have tested this with several IMAP email clients and all behave the same. If you select password authentication you get the correct shared mailbox content.

    To demonstrate this issue , I installed Thunderbird on Windows. Settings Server Name "casarray.internal.mycompany.com" (my casarray  hostname). User name in TB was "internal\name\sharedmailbox", "internal" being the domain, "name" being the username and "sharedmailbox" being the shared mailbox name. Connection Security "STARTTLS" . With Authentication method set to "Normal Password" I  get prompted for my password when entered shows me correctly the contents of the shared mailbox. If I set "Authentication Method" to "Kerberos / GSSAPI" (and restart thunderbird to ensure the change is made) I get my own INBOX in this account NOT the shared mailbox INBOX!

    Anyone seem this? 

    Is it a protocol limitation, an Exchange setup issue or an Exchange IMAP bug ?

    Thanks

    Friday, July 27, 2012 6:41 PM

All replies

  • Hi Simpz,

    I am not familiar with thunderbird.

    If you want use IMAP to login the shared mailbox, you can try this way:

    Access Shared mailbox via IMAP on Exchange 2010

    http://social.technet.microsoft.com/Forums/bg-BG/exchangesvrgeneral/thread/8c8b4605-efae-49eb-a118-54aa418de6c2

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Monday, July 30, 2012 7:12 AM
    Moderator
  • As I said in my post, it's not an issue of simply accessing the shared mailbox with IMAP.

    It is an issue that shared mailboxes don't work with IMAP using SSO/Kerberos authentication, using the paths outlined in that original post.

    With Kerberos auth turned on you get your own mailbox/INBOX (using this shared mailbox's path) and NOT the contents of the shared mailbox. Turn off Kerberos (in the client) and you get the contents of the shared mailbox properly as expected.

    Sadly turning off Kerberos results in password prompts and the need to store passwords in client (which violates many corporate's security policies) and is a totally hassle when you have password change policies.

    It looks like it's probably a bug in Exchange, not sure how you report these to MS without lots of hassle.

    Monday, July 30, 2012 9:55 AM
  • What is authentication method you configure on the Exchange Server?

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Wednesday, August 1, 2012 9:26 AM
    Moderator
  • Where on the Exchange server ?

    Authentication is working as expected with IMAP Kerberos , but when trying to connect to a shared mailbox it displays your own mailbox rather than the shared one. Switch to password based and it correctly shows the shared contents.

    Friday, August 3, 2012 6:59 PM
  • You can check the authentcaion method this way on Exchange Server:

    EMC->Server configuration->Client Access->POP3 and IMAP4->IMAP4->Authentication

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Monday, August 6, 2012 9:59 AM
    Moderator