Kerberos SMTP Authentication was added to SafeConsole in version 5.3.2. 


Important notes: 

The user credentials that is used to run SafeConsole will be used to authenticate with the Exchange SMTP server. It is recommended to run SafeConsole with a User login that does not have local machine admin rights for Kerberos authentication to work properly. If the user has local Administrator rights on the machine, Windows will prevent Kerberos TGT(Ticket for Generate Ticket) from LSA Kerberos storage. We must run SafeConsole with UAC “Run as Administrator” and set these registry values:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: AllowTGTSession

KeyValue Type: REG_DWORD

Value: 1



Prerequisites:

  • Verify User login can send email via Exchange SMTP Server
  • Exchange SMTP Server must have AUTH method GSSAPI enabled

                Use the following telnet commands to connect to your SMTP server
    • telnet <SMTPSERVER> <PORT>
      ehlo <HOSTNAME>


      Should respond with the following:

    • 250-AUTH GSSAPI NTLM LOGIN

Implementation:

Rerun the configurator and enter: mail-use-domain-credentials=trueOn Database settings page, you may specify your Kerberos specific ini settings by clicking advance. Values from this box will be automatically entered into SafeConsole.ini. If any of the custom lines need to be removed, they have to be manually deleted from SafeConsole.ini. This process will only add or update custom lines. Continue to the next to change more SMTP settings. 



Enter the hostname and port of the server, as well as the user and who to send the mail as if supported. The password field can be left blank and will use a token instead. 


Note:  The verify step may fail and still let you send emails after finishing the configuration and starting safeconsole. A valid test would attempt can be done by logging into the SafeConsole dashboard and using the deployment wizard.