Kerberos

DavMail now includes Windows integrated authentication support, aka Kerberos. A new option in DavMail settings makes DavMail rely on the Kerberos token for Exchange authentication instead of a password.

Windows workstation Kerberos setup

On Windows, you already hold a valid Kerberos ticket on any domain-joined workstation thanks to your Active Directory logon. However, on recent Windows versions the TGT is not readable from Java. The workaround is to set the following registry value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
REG_DWORD name: allowtgtsessionkey
Value: 1

More details at: JGSS Troubleshooting

Linux workstation Kerberos setup

A Kerberos ticket is not available on a default Linux workstation setup. You will need to configure /etc/krb5.conf with your Active Directory domain name (the Kerberos realm). You may also need to provide a KDC (Active Directory domain controller) address:

[libdefaults]
    default_realm = CORP.COMPANY.COM

[realms]
    CORP.COMPANY.COM  = {
        kdc = 192.168.184.129
        default_domain = CORP.COMPANY.COM
    }

Then obtain a Kerberos ticket with: kinit username.

Check the ticket with: klist.

Additional note: on recent Linux distributions the credential cache is stored by default in the kernel keyring (default_ccache_name = KEYRING:persistent:%{uid}), making it invisible to Java. The workaround is to set the KRB5CCNAME environment variable first:

# set ticket cache path (export it so that kinit, klist and davmail all see it)
export KRB5CCNAME=/tmp/krb5cc_$(id -u)

# Reset authentication (destroy all existing caches)
kdestroy -A

# Authenticate
kinit

# Check ticket, should now show a FILE ticket cache
klist

# Check authentication, should succeed without prompting for credentials
davmail -kerberos
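The "should have a FILE ticket cache" check above is easy to automate. The following POSIX shell functions are an added example (not part of the DavMail project) that parse klist output, report the credential cache scheme and confirm a TGT for the realm is present before DavMail is started. The klist output embedded below is constructed sample text; the realm CORP.COMPANY.COM is the one used in the krb5.conf example.

```shell
#!/bin/sh
# Added example: inspect klist output and decide whether the credential cache
# is one Java's Kerberos implementation can read (a FILE cache) or a kernel
# KEYRING cache that DavMail will not see.

# Constructed sample of `klist` output on a distribution defaulting to the keyring cache.
SAMPLE_KEYRING='Ticket cache: KEYRING:persistent:1000:1000
Default principal: username@CORP.COMPANY.COM

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/CORP.COMPANY.COM@CORP.COMPANY.COM'

# Constructed sample after KRB5CCNAME was pointed at a file and kinit was re-run.
SAMPLE_FILE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: username@CORP.COMPANY.COM

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/CORP.COMPANY.COM@CORP.COMPANY.COM'

# ccache_type TEXT: print the cache scheme (FILE, KEYRING, DIR, ...) named in the
# "Ticket cache:" line of klist output. A bare path with no scheme is a FILE cache.
ccache_type() {
    printf '%s\n' "$1" | awk '
        /^Ticket cache:/ {
            name = $3
            if (index(name, ":") > 0) { split(name, parts, ":"); print parts[1] }
            else { print "FILE" }
            exit
        }'
}

# has_tgt TEXT REALM: succeed if the klist output lists a krbtgt for REALM.
has_tgt() {
    printf '%s\n' "$1" | grep -qF -- "krbtgt/$2@$2"
}

# java_ccache_name: the value to export as KRB5CCNAME so that kinit writes a
# file cache that Java (and therefore DavMail) can open.
java_ccache_name() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
}

# check_ccache TEXT REALM: 0 when the cache is a FILE cache holding a TGT for
# REALM, 1 otherwise (with a hint on stderr about what to fix).
check_ccache() {
    scheme=$(ccache_type "$1")
    if [ "$scheme" != "FILE" ]; then
        echo "credential cache is '$scheme'; export KRB5CCNAME=$(java_ccache_name), then kdestroy -A and kinit again" >&2
        return 1
    fi
    if ! has_tgt "$1" "$2"; then
        echo "no TGT for $2 in the cache; run kinit" >&2
        return 1
    fi
    echo "FILE cache with a TGT for $2: DavMail can authenticate" >&2
    return 0
}

# Real-world use, against the live cache:
#   check_ccache "$(klist 2>/dev/null)" CORP.COMPANY.COM && davmail -kerberos
```

Note that the scheme is read from the "Ticket cache:" line rather than from KRB5CCNAME, so the check also catches the case where the variable was set in one shell but kinit was run in another.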

DavMail configuration

In Kerberos mode, the password provided by clients (IMAP, SMTP, POP, HTTP, LDAP) is ignored, so you must make sure external connections to DavMail are disabled: any host able to reach the DavMail listeners would otherwise gain access to the mailbox without a password check.

In the current implementation there is no way to define a local password to secure client to DavMail communication.

DavMail needs direct access to the Kerberos ticket cache, which means Kerberos will not work with a remote DavMail instance.
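Because the client password is ignored in Kerberos mode, the listener settings become the only access control. The functions below are an added example (not part of DavMail) that audit a davmail.properties file for that condition. The property names davmail.enableKerberos, davmail.allowRemote and davmail.bindAddress are assumed from a typical davmail.properties; verify them against your own file. Both property files embedded below are constructed samples.

```shell
#!/bin/sh
# Added example: flag a davmail.properties that enables Kerberos mode while
# leaving the DavMail listeners reachable from other hosts.
# Property names are assumed from a typical davmail.properties.

# Constructed sample: Kerberos enabled but listeners reachable from the network.
SAMPLE_UNSAFE='davmail.enableKerberos=true
davmail.allowRemote=true
davmail.bindAddress=
davmail.imapPort=1143
davmail.smtpPort=1025'

# Constructed sample: listeners restricted to the local host.
SAMPLE_SAFE='davmail.enableKerberos=true
davmail.allowRemote=false
davmail.bindAddress=127.0.0.1
davmail.imapPort=1143
davmail.smtpPort=1025'

# prop TEXT KEY: print the value of KEY (empty if unset). The last definition
# wins, as with java.util.Properties.
prop() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        $1 == key { value = substr($0, length(key) + 2) }
        END { print value }'
}

# loopback_only ADDRESS: succeed if ADDRESS binds only the local host.
loopback_only() {
    case "$1" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_kerberos_exposure TEXT: 0 when Kerberos mode is off or the listeners
# are local-only; 1 when Kerberos mode is on and another host could reach
# DavMail, with one line per finding on stderr.
audit_kerberos_exposure() {
    [ "$(prop "$1" davmail.enableKerberos)" = "true" ] || return 0
    remote=$(prop "$1" davmail.allowRemote)
    bind=$(prop "$1" davmail.bindAddress)
    status=0
    if [ "$remote" = "true" ]; then
        echo "davmail.allowRemote=true: remote clients would be accepted without a password check" >&2
        status=1
    fi
    if ! loopback_only "$bind"; then
        echo "davmail.bindAddress='${bind:-<all interfaces>}': listeners reachable from the network" >&2
        status=1
    fi
    return $status
}

# Real-world use:
#   audit_kerberos_exposure "$(cat "$HOME/.davmail.properties")"
```

The audit treats an empty bind address as a finding even when allowRemote is false: the application-level remote-connection filter and a loopback bind address are two independent layers, and in Kerberos mode it is worth keeping both.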