System.Net.Mail.SmtpClient and NTLM Authentication with Exchange 2007

  • Question

  • Hello,

     

    I need to use NTLM authentication with our Exchange 2007 SMTP servers, but I'm having some problems authenticating!

    In detail, I need a user at his workstation, logged on to the domain (same as Exchange), to be able to NTLM-authenticate himself to the Exchange SMTP.

     

    Using the System.Net.Mail.SmtpClient class, I tried setting the Credentials property in the following ways:

     

    1) ...Credentials = new NetworkCredential(username, password, domain);

    2) ...Credentials = CredentialCache.DefaultNetworkCredentials;

    3) ...Credentials = System.Net.CredentialCache.DefaultCredentials.GetCredential(new Uri("smtp://server.fqdn"), "NTLM");

     

    All fail because the SmtpClient always sends: AUTH gssapi <base64>

    SMTP returns: 535 5.7.3 Authentication Unsucessfull

     

    And now.. using the deprecated System.Web.Mail namespace, specifying NTLM authentication, all goes fine.

     

    What is going wrong here ?!? How to force AUTH ntlm ? Help please.

     

    Thanks in advance,

    Fernando Nunes

    Friday, July 13, 2007 2:20 PM

Answers

  • The AUTH GSSAPI implementation in Exchange 2007 was changed from the previous release of Exchange and, unfortunately, is no longer compatible with the implementation of AUTH GSSAPI in System.Net.Mail.SmtpClient.   Additionally for security reasons System.Net.Mail.SmtpClient will not try to do AUTH NTLM if an AUTH GSSAPI attempt fails.

     

    A fix for this issue is being planned to be released in the next release of the framework (Orcas RTM).

    Monday, July 16, 2007 9:48 PM
    Moderator

All replies

  • Well, I'll have to manage with what I can at the moment.

     

    Thank you for the explanation Larry.

     

    Best regards,

    Fernando Nunes

    Monday, July 16, 2007 9:51 PM
  • So are there any ways to programmatically send mail with default credentials (I don't want a prompt for creds and I can't store the password) when the mail server is Exchange 2007?  System.Web.Mail.MailMessage seems to want a password.
    Tuesday, July 24, 2007 12:33 AM
  • The issue I'm facing is with NTLM authentication, and when the Exchange SMTP connector supports GSSAPI negotiation.

    If the SMTP supports LOGIN or you can negotiate a Kerberos authentication, you're probably OK.

    If you need to use NTLM authentication, you can use the System.Web.MailMessage class and on the Fields property set:

     

    mailMessage.Fields["http://schemas.microsoft.com/cdo/configuration/smtpauthenticate"] = 2; // Sets up NTLM authentication using the credentials of the running thread

     

    That should do it. Hope it helps.

     

    Best regards,

    Fernando Nunes

    Tuesday, July 24, 2007 12:44 AM
  • I have the following piece of simple code (below) which works with Exchange 2003 but now gives me the exception "5.7.3 Authentication unsuccessful" with Exchange 2007.

     

        MailMessage message = new MailMessage(
            "administrator@extranet.trey.com",
            "administrator@extranet.trey.com",
            "Blah",
            "blah");

        SmtpClient client = new SmtpClient("Exch-Server");

        client.UseDefaultCredentials = false;
        client.EnableSsl = false;
        client.Credentials = System.Net.CredentialCache.DefaultCredentials.GetCredential(new Uri("smtp://extranetws.trey.com"), "Kerberos");
        client.Send(message);

     

    Thanks, Jeff

    Tuesday, July 24, 2007 1:44 AM
  • Argh, I previously posted a bad piece of code; the second from the last line was wrong. But it doesn't matter: with the change below it works on Exch 2003 but throws "5.7.3 Authentication unsuccessful" when using Exch 2007.  This seems similar to the NTLM problem that was posted here.  Can anyone tell me if there is something I am doing incorrectly or if there is another way to programmatically send mail with Exch 2007 with default creds?

     

        MailMessage message = new MailMessage(
            "administrator@extranet.trey.com",
            "administrator@extranet.trey.com",
            "Blah",
            "blah");

        SmtpClient client = new SmtpClient("Exch-Server");

        client.UseDefaultCredentials = false;
        client.EnableSsl = false;
        client.Credentials = System.Net.CredentialCache.DefaultCredentials.GetCredential(new Uri("smtp://extranetws.trey.com"), "Kerberos");
        client.Send(message);

     

    Thanks, Jeff

    Tuesday, July 24, 2007 2:02 AM
  • If I use System.Web.Mail with the code below it also works with Exch 2003 but fails with "530 5.7.1 Client was not authenticated" when using Exch 2007

     

        MailMessage Message = new MailMessage();
        Message.To = "administrator@test.jeffspel.com";
        Message.From = "administrator@test.jeffspel.com";
        Message.Subject = "subject";
        Message.Body = "body";
        Message.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate", "2");
        SmtpMail.SmtpServer = "Exch-Server";
        SmtpMail.Send(Message);

     

    Anyone have any ideas?

    Thanks, Jeff

    Tuesday, July 24, 2007 3:19 AM
  • OK, first it's better for you to:

     

    telnet exchange_ipaddress 25

     

    type in: EHLO <hostname of your machine>

     

    and you should get some headers, including a 250-AUTH <authentication mechanisms>

     

    What comes after the AUTH defines which authentication mechanisms your smtp server allows or doesn't.

    I.e: 250-AUTH PLAIN LOGIN GSSAPI NTLM .... etc....

     

    Are you sure your server is accepting NTLM authentication? If it accepts, I suggest you get a log from the SMTP connection and validate that System.Web.Mail is directly inputting: auth NTLM.

     

    If it is... it can be something with your SMTP connector ?!!?!? Something wrong with the Exchange permissions for the user ?!??

    • Proposed as answer by Priya Sajja Tuesday, May 17, 2011 8:00 PM
    Tuesday, July 24, 2007 11:56 AM
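The EHLO check described in the post above, as an added example that is not code from any poster in this thread: it parses an EHLO reply and reports which AUTH mechanisms the server advertises, including the legacy `AUTH=` form. The sample reply, host name and class name are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class EhloAuthCheck
{
    // Constructed sample EHLO reply (not captured from a real server).
    const string SampleReply =
        "250-mail.example.test Hello [192.0.2.10]\r\n" +
        "250-SIZE 10485760\r\n" +
        "250-AUTH GSSAPI NTLM LOGIN\r\n" +
        "250-AUTH=LOGIN\r\n" +
        "250 8BITMIME\r\n";

    // Collects the mechanisms advertised on "250-AUTH ..." / "250 AUTH ..." lines.
    static List<string> AuthMechanisms(string reply)
    {
        var found = new List<string>();
        var lines = reply.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var line in lines)
        {
            // Reply lines look like "250-KEYWORD params" ("250 KEYWORD params" on the last line).
            if (line.Length < 8 || !line.StartsWith("250", StringComparison.Ordinal)) continue;
            var body = line.Substring(4);
            if (!body.StartsWith("AUTH", StringComparison.OrdinalIgnoreCase)) continue;
            // Require a separator so a keyword such as "AUTHX" is not mistaken for AUTH.
            if (body.Length == 4 || (body[4] != ' ' && body[4] != '=')) continue;
            found.AddRange(body.Substring(5).Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries));
        }
        return found.Select(m => m.ToUpperInvariant()).Distinct().ToList();
    }

    static void Main()
    {
        var mechs = AuthMechanisms(SampleReply);
        bool startTls = SampleReply.IndexOf("STARTTLS", StringComparison.OrdinalIgnoreCase) >= 0;
        Console.WriteLine("Advertised:     " + string.Join(", ", mechs.ToArray()));
        Console.WriteLine("NTLM offered:   " + mechs.Contains("NTLM"));
        Console.WriteLine("GSSAPI offered: " + mechs.Contains("GSSAPI"));
        // LOGIN and PLAIN carry the password base64-encoded, not encrypted.
        if (!startTls && (mechs.Contains("LOGIN") || mechs.Contains("PLAIN")))
            Console.WriteLine("Warning: LOGIN/PLAIN offered without STARTTLS.");
    }
}
```

When both GSSAPI and NTLM appear in the output, the behaviour described earlier in this thread applies: SmtpClient attempts AUTH GSSAPI and does not fall back to AUTH NTLM if that attempt fails.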
  • Thank you for the help Fernando.  I got the System.Web.Mail code to work with Exchange 2007; I was never able to get the System.Net.Mail to work without allowing anonymous users in a receive connector.
    • Proposed as answer by fatloopbe Thursday, August 14, 2008 6:04 PM
    Wednesday, July 25, 2007 5:12 PM
  • Larry,

     

    The .NET Framework 2.0 Service Pack 1 ( http://support.microsoft.com/kb/945757 ) is out with numerous fixes, but none seems to be the issue we've seen.

     

    Do we have to use the .NET Framework 3.5 in order to have proper Exchange 2007 Authentication with the System.Net.Mail.SmtpClient ?

     

    Best regards,

    Fernando Nunes

    Friday, December 21, 2007 11:24 AM
  • Here's the solution to this...

    If you use the following setup in your web.config or your app.config
    Code Snippet

        <system.net>
            <mailSettings>
                <smtp deliveryMethod="Network" from="abc@companyname.com">
                    <network host="[server name]" port="[smtp port]" defaultCredentials="false" userName="[Domain\username]" password="[password]"/>
                </smtp>
            </mailSettings>
        </system.net>




    and then use your SmtpClient with nothing in the constructor and send your mail message, then you can use the System.Net.Mail namespace.

    I've tried this and it works both in the web and the windows application.
    • Proposed as answer by Eslam Badawy Sunday, November 7, 2010 3:39 AM
    Wednesday, February 13, 2008 4:26 PM