We are working on an Exchange=>Zimbra pilot project, and ActiveSync is one of the big requirements for our environment.
However, with the tight security policy, we require that the password a user enters on the handheld be totally different from the one they use to access their other accounts. (We tie Zimbra to Active Directory for auth.)
In the Exchange world, we use Kerberos constrained delegation with a secondary auth source to accomplish this.
Is there any way to do something like this in Zimbra, out of the box or with creativity?
I was wondering if you could leverage the proxy role in this. But how does the authentication take place? Thinking...could we set up a password for each user that is local to Zimbra, and then use an ACL to block access from the proxy server to AD? This way the proxy would never be able to authenticate against the AD credentials...it would time out. However, if the proxy passes through the authentication to the mailbox server, this would not work.