Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » User performed NTLM authentication in NT domain, this domain is not valid
  •  
SjoerdH

Messages: 5
Karma: 0
Send a private message to this user
I get the following error message on my mailserver log :

[01/Dec/2006 17:03:25] User Sjoerd performed NTLM authentication in NT domain SJOERD, this domain is not valid

Has anyone idea how to solve this issue?

I don't even have Active directory etc, installed. Just Windows XP Pro.

Thanks!
  •  
ashish318

Messages: 21
Karma: 0
Send a private message to this user
I'm having the same problem. But it seems that even though the user that it is reporting this error for can still access all mails through pop3 as well as using activesync on his windows mobile phone.

Any help regarding this would still be appreciated though.

Thanks.
  •  
Kerio_ktrumbull

Messages: 597
Karma: 2
Send a private message to this user
In the Admin Console, go to Configuration -> Domains. Edit your domain and click on the Advanced tab. If anything is listed under the Windows NT Domain field, remove it. Click OK, then click Apply at the bottom. Then restart the Kerio MailServer engine.

The message means the end-user's mail client is trying to use NTLM authentication. You should configure the mail client to use some other type of authentication if you are not actually using NTLM.

Kevin Trumbull
Kerio Technical Support Team Leader
http://support.kerio.com
  •  
SjoerdH

Messages: 5
Karma: 0
Send a private message to this user
I think this is one of the new options in Office 2k7
When I close Outlook 2k7 and start on a different pc outlook 2k3 I don't receive this error.
I will try to find out if it is possible to disable this function in MS Outlook...
  •  
pbwells

Messages: 24
Karma: 0
Send a private message to this user
Question for you, I have two people on the network that have installed Office 2007, both of them are generating these errors; User * performed NTLM authentication in NT domain PARKMAIL, this domain is not valid,

Per Kevin's suggestion I checked the domains section and found nothing in the NT Domains line, Do you know how to get Outlook to stop trying the NTLM authentication? I've also refered my boss to Microsofts tech support for additional assistance, but I figured it couldn't hurt to ask here as well.
  •  
SjoerdH

Messages: 5
Karma: 0
Send a private message to this user
No, I really don't know how. I haven't found this option on Office yet.
Can you keep me informed about the answers of MS?
They didn't give me a solution....
  •  
pbwells

Messages: 24
Karma: 0
Send a private message to this user
just a quick note;

Kerio, you might want to begin working on a cure for this, I say cure rather than fix because from what I've found on MS Outlook 2007 support site, Outlook uses NTLM authentication by default if you save your authentication credentials in your profile, if you enter them by hand every time you initiate a Outlook session it will use basic authentication and we "shouldn't" see the NTLM error messages. I have yet to test this. I will play with it more tomorrow and post my findings.
  •  
pbwells

Messages: 24
Karma: 0
Send a private message to this user
This from MS Support:

RESOLUTION
Basic authentication
If you want to use Basic authentication, you must continue to type your user account credentials. There is no way for the client to submit your user name and password automatically. If you want to log on automatically, you must configure your Outlook profile to use NLTM authentication.

My organization has 400+ pc's and I'd conservatively say that +90% of those use Outlook. As the business grows etc, Office 2007 is replacing 2003, We haven't yet stopped ordering 2003 but we are ordering more and more copies of 2007. Especially as we upgrade VP level users. The boss only recently said to me that more and more Exchange is looking like a good idea for integration sake.

- I can't see a bunch of VP types that have a hard enough time remembering their passwords remembering to click "send & receive" every 5 min plus typing in their user name and password every time because Outlook doesn't play nice with Kerio.
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
I think some things needs a clarification. First, you don't have to enter username/password in Outlook when sending every email. The password is stored in the Outlook account and is entered only once when the account is created. Of course, Outlook will ask the user for new password if it was changed on the server.

Second, there is an option in Outlook called SPA (Secure Password Authentication). This type of authentication use NTLM and does not need to know username/password because it takes it from the user currently logged to the Windows workstation.

KMS supports NTLM in Windows domain. Following requirements must be fulfilled:
* KMS must run on Windows
* Outlook must run on Windows computer added to the Windows domain
* User must be logged to Windows domain
* KMS must be properly configured: user account is authenticated against NT domain or Kerberos, Windows NT domain in Domain Settings must contain correct NT Windows domain name

According to the error message, the user is trying to login to some NT domain but KMS is not configured properly. I would suggest to enable Authentication module in the debug log and open a ticket on our technical support.

[Updated on: Fri, 23 February 2007 14:21]

  •  
pbwells

Messages: 24
Karma: 0
Send a private message to this user
Since I think this might help someone else I'm going to add what I got from Kerio Tech support.

Try this, in the Kerio Admin Console, go to Configuration -> Advanced Options -> Security Policy and disable the NTLM and MD5-Digest authentication methods.

This has in fact stopped all error messages in my logs.
  •  
Valenzi

Messages: 33
Karma: 0
Send a private message to this user
Thanks pbwells, that helped me alot!
Previous Topic: Message Queue Not Processing
Next Topic: Kerio Connect 8.0.1 Reindex Mailbox
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sat Oct 21 10:28:21 CEST 2017

Total time taken to generate the page: 0.00463 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.