Here's the problem. The way our OWA servers are configured, they require a client to provide a certificate to connect to them. It's on our smart cards. Web browsers like Firefox, SeaMonkey, Internet Explorer, and Safari can be configured to provide that certificate from a smart card. Email clients like Evolution and Entourage don't know how to do that. They know how to sign and encrypt/decrypt email messages using the certificates and keys on the smart card, but not how to provide the client certificate on an SSL connection.

- David

----- Original Message -----
From: "John H."
To: "David Mueller"
Subject: Re: Re: coolkey and evolution
Date: Tue, 16 Oct 2007 21:37:37 -0500

Does this tell you anything? Although coolkey works with evolution to get certs off card and show up in "certificates," the 401 error I get below is the same error I get with firefox when the card is not even in the reader. I'd use thunderbird if it supported OWA, which it doesn't, so...

(evolution:20207): e-data-server-ui-WARNING **: Key file does not have key 'exchange:__domain\first.last@https:__webmail.foo.bar.gov_'

GET HTTP/1.1
E2k-Debug: 0xb793be70 @ 1192518115
Host: webmail.foo.bar.gov
Accept-Language: en-US, en
Authorization: NTLM TlRMTVNTUAABAAAABoIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAAwAAAA
User-Agent: Evolution/1.10.3.1

401 Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. )
E2k-Debug: 0xb793be70 @ 1192518121
Pragma: no-cache
Connection: close
Cache-Control: no-cache
Content-Length: 1825
Content-Type: text/html

GET HTTP/1.1
E2k-Debug: 0xb793bed8 @ 1192518123
Host: webmail.foo.bar.gov
Accept-Language: en-US, en
User-Agent: Evolution/1.10.3.1

401 Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. )
E2k-Debug: 0xb793bed8 @ 1192518128
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 1825
Content-Type: text/html

On 10/16/07, David Mueller wrote:
> I'm inclined to agree with the assessment that Evolution doesn't
> understand SSL client authentication. I haven't tried with
> Evolution (when I can't get it to properly select a cert off the
> card for signing and encrypting messages for a regular IMAP/SMTP
> server, it wasn't worth my time to continue further when
> Thunderbird works great), but I have also had to deal with an OWA
> server that requires both a client certificate and
> username/password. I tried it with Microsoft Entourage 2004,
> which also uses OWA to communicate with an Exchange server, and
> it didn't work there, either.
>
> - David
>
> ----- Original Message -----
> From: "Timothy J. Miller"
> To: "John H."
> Subject: Re: Re: coolkey and evolution
> Date: Mon, 15 Oct 2007 08:05:52 -0500
>
> On Oct 14, 2007, at 11:07 PM, John H. wrote:
>
> > The problem is, I am not sure if it's being used or not. In firefox,
> > I go to https://webmail.foo.bar.gov and it prompts me for my pin via
> > coolkey, then user/password, then I check my OWA account.
>
> Am I to assume from this that your OWA deployment is not accepting
> PKI authentication? If so, then you're not really gaining anything
> with the smartcard.
>
> > I have OWA access set up in Evolution and use it for a regular OWA
> > account, however, I wanted to use this .gov account, but when I tell
> > evolution to authenticate and give it the correct user/pass, it says
> > invalid username/password. Is this evolution that is at fault or
> > coolkey? Why would it work in firefox?
>
> Likely because Evolution doesn't understand SSL client
> authentication. At all. Even with IMAPS, so far as I can tell.
>
> If it's working in FF but not in Evolution that's a pretty solid
> indication that the problem is Evolution.
>
> -- Tim

_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
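
Added example (not part of the thread and not Evolution's own code): a small Python parser for an E2k-Debug style trace like the one John posted, reporting which credentials each request actually carried and the status it received. The one-header-per-line layout with blank lines between blocks, and the function names, are assumptions.

```python
import base64
import struct

# Abridged from the trace in the thread; the line/blank-line layout is assumed.
TRACE = """\
GET HTTP/1.1
Host: webmail.foo.bar.gov
Authorization: NTLM TlRMTVNTUAABAAAABoIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAAwAAAA
User-Agent: Evolution/1.10.3.1

401 Unauthorized

GET HTTP/1.1
Host: webmail.foo.bar.gov
User-Agent: Evolution/1.10.3.1

401 Unauthorized
"""

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(token):
    """Name the NTLM message in a base64 token (signature + type = 12 bytes)."""
    raw = base64.b64decode(token[:16])      # 16 base64 chars -> first 12 bytes
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return NTLM_TYPES.get(msg_type, f"UNKNOWN({msg_type})")

def summarize(trace):
    """Return [(credentials sent, status code)] for each request/response pair."""
    results, sent = [], None
    for block in trace.strip().split("\n\n"):
        lines = block.splitlines()
        first_word = lines[0].split()[0]
        if first_word.isdigit():            # response block, e.g. "401 Unauthorized"
            results.append((sent, int(first_word)))
            continue
        sent = "none"                       # request block: look for credentials
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "authorization":
                scheme, _, token = value.strip().partition(" ")
                sent = f"NTLM {ntlm_message_type(token)}" if scheme.upper() == "NTLM" else scheme
    return results

if __name__ == "__main__":
    for sent, status in summarize(TRACE):
        print(f"credentials sent: {sent:15} -> HTTP {status}")
```

The NTLM token in the trace decodes as a type 1 (NEGOTIATE) message, which carries no username or password. A 401 in reply to a NEGOTIATE message is also the normal next step of an NTLM handshake, so the status code alone does not show whether the missing client certificate or the incomplete NTLM exchange caused the refusal.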