Kerberos Authentication
  •  
asta

New to Kerio. I'm demo'ing Mailserver for a small business presently using postfix/cyrus in Mac OSX Server.

I have it running, but my question is this: I can add users listed in my Kerberos Open Directory, but they cannot authenticate on their mail clients.

If I add them to Mailserver locally, and not by Open Directory, they can authenticate no problem.

I don't have a lot of users, but I'd prefer to use OD than add them manually to Kerio. Any thoughts?
  •  
Anonymous
Please go to http://support.kerio.com and submit a support ticket so that we can help you solve your problem.
  •  
asta

I filed. In the meantime, I noticed this on Kerio's site (art. 182):

"Configure Kerberos on the Kerio MailServer Machine to authenticate against OpenDirectory

The directions in this step assume that you are using a Mac OS X machine to run Kerio MailServer. As far as we are aware, this step is only necessary on Mac OS X Server.

To correctly configure Kerberos, you must:

Open the Mac OS Server Admin tool on the Kerio MailServer machine.
In the OpenDirectory section, go to the "Settings" section and select "Connected to a Directory System"
After this, you must go through the necessary steps to be able to join your machine to Kerberos using the "Join Kerberos..." button. For details, see Apple documentation.
If you have any difficulty with this last step, unfortunately Kerio Technical Support will not be able to help. Apple's Support Team would be glad to assist you, though. You can tell them that you need to "configure Kerberos to point to your OpenDirectory Master."

Once this is working, you should be able to log into Kerio MailServer using the credentials of any activated OpenDirectory user."

Pretty lame. Does this really mean what it says? I'm using my server as an Open Directory master, and I sure cannot convert it to a "connected" setup. Is this to suggest that you can only use Kerio and Kerberos together on a single server operation when the server is not a master? Not even sure that's possible.
  •  
asta

Resolved. The problem seems to be that when you select SSL for incoming and outgoing in Mac's Mail.app, and you select Kerberos 5 for authentication, the login will fail. Not sure why, but the solution is to NOT select Kerberos but password. According to the logs, Kerberos is still authenticating the user. Btw, you do need to use SSL on the clients under this method.
  •  
the_creative_partnership

We've had a few issues and a bit of confusion about configuring clients to use Kerberos.

Is there any documentation available detailing how to configure the various client platforms to use Kerberos? Particularly Apple Mail, Entourage (Does this even support Krbs?) and Thunderbird...

Cheers
Dan
  •  
asta

Dan --

This just in from Kerio support:

"Regarding the kerberos auth, you're right that the kerberos (or other secure authentication) options will not work in client programs. We were very close to implementing 'single sign on' however this would have required significantly more configuration outside of Kerio, and would have been very strict in terms of the client programs that could use it. For now we always recommend to use SSL, in which case all of the communication is encrypted."

I'm using SSL in/out and my logs show Kerb5 authentication for clients.

Brian is the guy in tech support who handled this for me. Hope this helps.
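
An added example (not part of the posts above and not Kerio code): the client setting discussed in this thread corresponds to the SASL mechanisms a mail server advertises. This sketch parses an IMAP CAPABILITY response and flags when a client set to "Kerberos 5" cannot log in and when a password would travel without SSL/TLS; the sample lines and finding names are constructed for illustration, not captured from Kerio MailServer.

```python
import re

# Constructed sample responses (assumptions, not Kerio MailServer output).
SAMPLE_SSL_PORT = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
SAMPLE_CLEAR_PORT = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
SAMPLE_GSSAPI_ONLY = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI] ready"


def parse_capabilities(line):
    """Split an IMAP CAPABILITY line into (SASL mechanisms, other capabilities).

    Accepts both the untagged form ("* CAPABILITY ...") and the greeting
    form ("* OK [CAPABILITY ...] text").
    """
    m = re.match(r"^\*\s+(?:OK\s+\[)?CAPABILITY\s+([^\]\r\n]*)", line, re.I)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    mechs, caps = set(), set()
    for token in m.group(1).upper().split():
        if token.startswith("AUTH="):
            mechs.add(token[5:])
        else:
            caps.add(token)
    return mechs, caps


def assess(line, tls_active):
    """Return a set of finding codes for one advertised capability list."""
    mechs, caps = parse_capabilities(line)
    findings = set()
    # Client-side Kerberos (ticket-based login) needs the GSSAPI mechanism.
    if "GSSAPI" not in mechs:
        findings.add("GSSAPI_UNAVAILABLE")
    # Passwords are accepted via SASL PLAIN/LOGIN, or via the IMAP LOGIN
    # command unless the server advertises LOGINDISABLED.
    password_ok = bool(mechs & {"PLAIN", "LOGIN"}) or "LOGINDISABLED" not in caps
    if password_ok:
        findings.add("PASSWORD_OVER_TLS" if tls_active else "CLEARTEXT_PASSWORD")
    return findings


if __name__ == "__main__":
    for sample, tls in [(SAMPLE_SSL_PORT, True), (SAMPLE_CLEAR_PORT, False),
                        (SAMPLE_GSSAPI_ONLY, False)]:
        print(sample, "->", sorted(assess(sample, tls)))
```

`GSSAPI_UNAVAILABLE` together with `PASSWORD_OVER_TLS` is the combination the thread ends up with: the client sends a password inside SSL and the server does the Kerberos check itself.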
  •  
the_creative_partnership

Thanks Asta

Shame they didn't take this further. I wouldn't have minded doing extra config if it meant fewer calls from users.

Which log files are you referring to, and are they on the client or server?

We managed to get SSL working (sort of) but I see no evidence anywhere of Kerberos in action. Still getting a ball ache regards certificates from Entourage though...

Dan