Mac Outlook prompting for AD credentials when email with embedded HTTP content is encountered – how to fix?

11. November 2013 · Write a comment · Categories: Outlook for Mac · Tags: , ,

Hello,

I'm trying to solve an issue for Mac users that has been seen and resolved already in our Windows population. The customer I'm working for is implementing a newer version of content filtering. It uses Kerberos (Integrated Windows Authentication). Originally their older Windows XP clients prompted for NTLM credentials when in Outlook and were opening an email that contained embedded HTTP.

 

The fix for this issue if this was a Windows system is to do the following:

 

With the XP SP2 release and SP3, Microsoft implemented several security measures
into both Outlook and Internet Explorer (IE) to protect against multiple attack
vectors, the largest being email spoofing.


Outlook has just one zone - Restricted.  In this zone, you will always be
prompted for credentials to mitigate email spoofing and other attacks.

Windows XP SP2 implements two additional security measures for Outlook:

HTTP Cookies are no longer sent for image downloads.

  1. HTTP Credentials are no longer sent for image downloads.

You can use the following registry edit to allow outlook.exe
to send http credentials to the proxy server when it goes out to fetch
images.

Click Start, click Run, type regedit, and
then click OK.

  1. Expand the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Main\FeatureControl 

      3.    Right-click
FeatureControl, point to New, and then click
Key.
      4.    Type
KB895948_DISABLE_MAIL_SUBDOWNLOAD_LOCKDOWN, and then press
ENTER to name the new subkey.
      5.    Right-click
on KB895948_DISABLE_MAIL_SUBDOWNLOAD_LOCKDOWN, point to
New, and then click DWORD Value

6.    Type outlook.exe, and then press ENTER
to name the new entry.
      7.    Right-click outlook.exe,
and then click Modify.
      8.    In the
Value data box, type 00000001, and then click
OK
      9.    Quit Registry Editor.

I'm not a Mac person, but I've done quite a bit of digging. I'm looking to find out if there are PLIST settings on Mac Outlook or Mac Office that would accomplish the same purpose as the Windows Registry fix referenced above? Essentially I need to be able to have Mac Outlook provide the users Kerberos ticket transparently to our proxy.

 

I know that Kerberos is working on our Mac systems as I do not get prompted when using either Safari or Firefox, and I can verify Kerberos is working by looking at the authentication counters on the proxy.

Any assistance will be greatly appreciated.

Thanks,

David