From f2a76d7d56aab11b5e2889304db9d5f1949cfafa Mon Sep 17 00:00:00 2001
From: mguessan <mguessan@3d1905a2-6b24-0410-a738-b14d5a86fcbd>
Date: Sun, 7 Apr 2013 22:38:26 +0000
Subject: [PATCH] Initial Kerberos documentation

git-svn-id: http://svn.code.sf.net/p/davmail/code/trunk@2080 3d1905a2-6b24-0410-a738-b14d5a86fcbd
---
 src/site/site.xml          |  1 +
 src/site/xdoc/kerberos.xml | 79 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 src/site/xdoc/kerberos.xml

diff --git a/src/site/site.xml b/src/site/site.xml
index 2d6fc13a..4aefd789 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -44,6 +44,7 @@
             <item name="Getting Started" href="/gettingstarted.html"/>
             <item name="Advanced Settings" href="/advanced.html"/>
             <item name="SSL Setup" href="/sslsetup.html"/>
+            <item name="Kerberos" href="/kerberos.html"/>
         </menu>
 
         <menu name="Thunderbird Setup">
diff --git a/src/site/xdoc/kerberos.xml b/src/site/xdoc/kerberos.xml
new file mode 100644
index 00000000..1cd626e6
--- /dev/null
+++ b/src/site/xdoc/kerberos.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0"?>
+<!--
+  ~ DavMail POP/IMAP/SMTP/CalDav/LDAP Exchange Gateway
+  ~ Copyright (C) 2013  Mickael Guessant
+  ~
+  ~ This program is free software; you can redistribute it and/or
+  ~ modify it under the terms of the GNU General Public License
+  ~ as published by the Free Software Foundation; either version 2
+  ~ of the License, or (at your option) any later version.
+  ~
+  ~ This program is distributed in the hope that it will be useful,
+  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  ~ GNU General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU General Public License
+  ~ along with this program; if not, write to the Free Software
+  ~ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+  -->
+<document xmlns="http://maven.apache.org/XDOC/2.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd">
+
+    <properties>
+        <title>DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange Gateway - Kerberos</title>
+        <author email="mguessan@free.fr">Mickael Guessant</author>
+    </properties>
+
+    <body>
+
+        <section name="Kerberos">
+            <p>DavMail now includes Windows authentication support, aka Kerberos.
+                A new option is available in DavMail settings to rely on Kerberos token for Exchange authentication.
+            </p>
+
+            <subsection name="Windows workstation Kerberos setup">
+                <p>On windows, you have a valid Kerberos ticket on any workstation using your
+                    Active Directory logon. However, on recent Windows versions the TGT is not readable from Java.
+                    The workaround is to change the following registry key:
+                </p>
+                <source><![CDATA[
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
+REG_DWORD name: allowtgtsessionkey
+Value: 1
+]]></source>
+                <p>More details at:
+                    <a href="http://www.javaactivedirectory.com/?page_id=93">allowtgtsessionkey Registry Key</a>
+                </p>
+            </subsection>
+
+            <subsection name="Linux workstation Kerberos setup">
+                <p>Windows kerberos token is not available on a default Linux workstation setup. You will need to
+                    configure /etc/krb5.conf with Active directory domain name. You may also need to provide a kdc
+                    (Active Directory Domain controller):
+                </p>
+                <source><![CDATA[
+[libdefaults]
+    default_realm = CORP.COMPANY.COM
+
+[realms]
+    CORP.COMPANY.COM  = {
+        kdc = 192.168.184.129
+        default_domain = CORP.COMPANY.COM
+    }
+]]></source>
+                <p>Then create Kerberos ticket: <code>kinit <i>username</i></code>.</p>
+                <p>Check ticket with<code>klist</code></p>
+            </subsection>
+            
+            <subsection name="DavMail configuration">
+                <p>In Kerberos mode, password provided by clients (IMAP, SMTP, POP, HTTP, LDAP) is ignored, thus you
+                must make sure external connections to DavMail are disabled.</p>
+                <p>There is no way in current implementation to define a local password to secure client to DavMail
+                authentication.</p>
+            </subsection>
+
+        </section>
+    </body>
+</document>