Kerio User Forums » Kerio Connect » Secure password authentication fails in KOFF client
ralfonat

Hi,

I was trying to use the single-sign-on password authentication in the Email account setup in Outlook 2003 with Kerio Offline Client 6.5.2.

With the user/pass auth it works, but using the secure option I get the message:

Check of connection to Kerio MailServer failed. (Für technischen Support: 0x80004005, Synchronizator::setOnlineInternal: Error whilte testing connection!)

What's wrong?
sedell

It could be a number of things. First, for Secure Password Authentication (NTLM) to work:

  1. The server must be a member of the domain
  2. KMS must be set up to use Active Directory for authentication
  3. The connecting computer must be a member of the domain
  4. The user account must be an Active Directory account
  5. NTLM authentication must be enabled on the server

Assuming all of those are met, enable the Authentication and Directory Service Lookup modules in the debug log to get more info. That should tell you why it's failing.

Scott
coolhandluq

I am having this issue as well, and as far as I can tell all settings are correct. What's making it extra confusing is my situation. There are three domains in question. Names are changed for security bla bla.

contosotest.com - test email domain, the one which has the mailboxes like coolhandluq@contosotest.com that I need to test Kerio with
contoso.com - real company email domain
contosotechnologyspecialists.com - actual NT domain, short NT version is CONTOSOTECHNOLOGY

So under directory service configuration for the contosotest.com domain I have it set to point to dc1.contosotechnologyspecialists.com as the DC. The account is set to administrator@contosotechnology, or administrator@contosotechnologyspecialists.com. It doesn't make a difference. Both pass the test on the configuration page, I can import accounts from AD, etc. I also have the Active Directory Domain Name field set to contosotechnologyspecialists.com.

When I try to use SPA in KOFF and retrieve info while I am logged into the PC as coolhandluq@contosotechnologyspecialists.com, I get the same error as the gentleman above. Here's a bit of info from my logs.

Quote:

[16/Oct/2008 15:23:04][4068] {auth} Basic: first step, we respond with realm
[16/Oct/2008 15:23:04][4068] {auth} NTLM: Continuing authentication.
[16/Oct/2008 15:23:04][4068] {auth} NTLM: client CONTOSOTECHNOLOGY\administrator sent valid credentials, ctx attribs 0x4.
[16/Oct/2008 15:23:04][4068] {auth} NTLM: acceptSecurityContext() completed successfully.
[16/Oct/2008 15:23:04][4068] {auth} User administrator performed NTLM authentication in NT domain CONTOSOTECHNOLOGY, found in domain contosotest.com
[16/Oct/2008 15:23:04][4068] {ldapdb} administrator@contosotest.com: Looking up in cache...
[16/Oct/2008 15:23:04][4068] {ldapdb} Sending LDAP search request: filter=" (&(&(objectclass=user)(!(objectclass=computer)))(kerio-Mail-Active=*)(sAMAccountName=administrator)) ", scope="sub", server="dc1.contosotechnologyspecialists.com", base DN = "dc=contosotechnologyspecialists,dc=com"
[16/Oct/2008 15:23:04][4068] {ldapdb} Acquired connection to the LDAP server: "dc1.contosotechnologyspecialists.com". Pool slot: 0; Thread ID: 4068
[16/Oct/2008 15:23:04][4068] {ldapdb} Search request: result='(0) Success', filter='(&(&(objectclass=user)(!(objectclass=computer)))(kerio-Mail-Active=*)(sAMAccountName=administrator))', scope='sub', server='dc1.contosotechnologyspecialists.com', base DN='dc=contosotechnologyspecialists,dc=com'
[16/Oct/2008 15:23:04][4068] {ldapdb} LDAP connection was released. Pool slot: 0
[16/Oct/2008 15:23:04][4068] {auth} NTLM cannot find user administrator@contosotest.com
[16/Oct/2008 15:23:07][4068] {ldapdb} @contosotest.com: Looking up in cache...
[16/Oct/2008 15:23:07][4068] {ldapdb} Sending LDAP search request: filter=" (&(&(objectclass=user)(!(objectclass=computer)))(kerio-Mail-Active=*)(sAMAccountName= <NIL>))", scope="sub", server="dc1.contosotechnologyspecialists.com", base DN = "dc=contosotechnologyspecialists,dc=com"
[16/Oct/2008 15:23:07][4068] {ldapdb} Acquired connection to the LDAP server: "dc1.contosotechnologyspecialists.com". Pool slot: 0; Thread ID: 4068
[16/Oct/2008 15:23:07][4068] {ldapdb} Search request: result='(0) Success', filter='(&(&(objectclass=user)(!(objectclass=computer)))(kerio-Mail-Active=*)(sAMAccountName= <NIL>))', scope='sub', server='dc1.contosotechnologyspecialists.com', base DN='dc=contosotechnologyspecialists,dc=com'
[16/Oct/2008 15:23:07][4068] {ldapdb} LDAP connection was released. Pool slot: 0


Any ideas here? Notice the administrator@contosotest.com... I don't know why it's trying to authenticate there instead of administrator@contosotechnologyspecialists.com ever. It has to fail because there is no directory service at all for contosotest.

Sorry for the convoluted nature of the domain names, yes it's that horrible in reality. Sad

[Updated on: Thu, 16 October 2008 23:07]

Pavel Dobry (Kerio)

coolhandluq wrote on Thu, 16 October 2008 23:06


Any ideas here? Notice the administrator@contosotest.com... I don't know why it's trying to authenticate there instead of administrator@contosotechnologyspecialists.com ever. It has to fail because there is no directory service at all for contosotest.

Sorry for the convoluted nature of the domain names, yes it's that horrible in reality. Sad


Probably because email domain 'contosotest.com' is configured to use the same NT Domain as domain 'contosotechnologyspecialist.com'. If there are two email domains with the same NT Domain setting, KMS can't guess which one should be used, so it simply takes the first available.
coolhandluq

Just to be clear here, contosotechnologyspecialists.com is not an email domain. Just an NT domain. The production email domain currently in use (via Exchange and some external pop3 mail hosting) is contosospecialty.com.

Do you think I'm just screwed here and I can't test KOFF unless I use the production domain?

edit: also, thanks for the quick response!

[Updated on: Thu, 16 October 2008 23:30]

Nixs

Go to Configuration/Domains. Select your e-mail domain and select edit. Go to Directory Server.

Select "Map user accounts and groups from a directory service to this domain" and choose "Active Directory".

Select hostname. We have selected "domainname.com", which is our AD DNS domain name.

Select a username (like Kerio@domainname.com) which is your user profile in the AD. Enter the password.

We have our secondary backup directory server specified as one of our AD servers (server.domainname.com).

We have the "Active Directory domain name is different from this mail domain name" option set. So while our e-mail is "somedomain.com", our internal domain is "someotherdomain.com". We put "someotherdomain.com" in this box.

We have "Secure connections (LDAPS)" set up. We did have to create SSL certificates for each of our LDAP servers. We are using self-signed certificates, so we had to import the certificate authority .CER file onto Kerio.

Hope that helps.

sedell

I think what is causing confusion is that you have all the domains mixed together, and "domain" keeps popping up without being qualified. Try to separate them by e-mail and NT domain. To simplify things, I'll leave out the short NT name. You have:

E-mail Domain
contosotest.com
contoso.com

NT Domain
contosotechnologyspecialists.com

For production use, you would need:
contoso.com -> contosotechnologyspecialists.com

For testing:
contosotest.com -> contosotechnologyspecialists.com

It's not just a one-way relationship though. It's really a two-way relationship.

More accurately, it is:
contoso.com <-> contosotechnologyspecialists.com

and
contosotest.com <-> contosotechnologyspecialists.com

When the NTLM request comes in, KMS gets the NT domain that's supplied by the host computer, contosotechnologyspecialists.com. It has to, for lack of a better term, do a reverse lookup. It finds contosotechnologyspecialists.com, and looks backward to see what e-mail domain it should be authenticating. If you have more than one e-mail domain pointing to a single NT domain, there's no control over which one will be returned.

For testing purposes like you're describing, you should be able to map the test e-mail domain to the NT domain, BUT you have to make sure you don't have your real e-mail domain pointed to the NT domain as well. Once you go live on KMS, this will no longer be an option, since it will break your production e-mail domain, but you can do it prior to putting it into production.

Scott
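To make the reverse lookup Scott describes concrete, here is a small model written for this page (not Kerio's code): it inverts an e-mail-domain-to-NT-domain configuration, flags NT domains that more than one e-mail domain claims, resolves an incoming NTLM (NT domain, user) pair only when that mapping is unambiguous, and scans debug-log lines in the thread's {auth} format for lookups that found a domain but then failed. The domain names are the thread's placeholders and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed configuration mirroring the thread's setup: both e-mail domains
# map accounts from the same NT domain (assumed, not real KMS configuration).
EMAIL_TO_NT = {
    "contosotest.com": "contosotechnologyspecialists.com",
    "contoso.com": "contosotechnologyspecialists.com",
}

def nt_to_email_domains(email_to_nt):
    """Invert the configuration: NT domain -> e-mail domains that map to it."""
    table = defaultdict(list)
    for email_domain, nt_domain in email_to_nt.items():
        table[nt_domain.lower()].append(email_domain)
    return dict(table)

def ambiguous_nt_domains(email_to_nt):
    """NT domains used by more than one e-mail domain: the 'takes the first one' case."""
    return sorted(nt for nt, mails in nt_to_email_domains(email_to_nt).items()
                  if len(mails) > 1)

def resolve_ntlm_user(nt_domain, user, email_to_nt):
    """Reverse lookup from the NT domain the client sent to an e-mail address.
    Returns None unless exactly one e-mail domain maps to that NT domain."""
    candidates = nt_to_email_domains(email_to_nt).get(nt_domain.lower(), [])
    return f"{user}@{candidates[0]}" if len(candidates) == 1 else None

# Constructed debug-log lines in the thread's {auth} format (not a real capture).
SAMPLE_LOG = """\
[16/Oct/2008 15:23:04][4068] {auth} User administrator performed NTLM authentication in NT domain CONTOSOTECHNOLOGY, found in domain contosotest.com
[16/Oct/2008 15:23:04][4068] {auth} NTLM cannot find user administrator@contosotest.com
[16/Oct/2008 15:24:10][4071] {auth} User jdoe performed NTLM authentication in NT domain CONTOSOTECHNOLOGY, found in domain contoso.com
"""

FOUND_RE = re.compile(r"\{auth\} User (\S+) performed NTLM authentication "
                      r"in NT domain (\S+), found in domain (\S+)")
MISSING_RE = re.compile(r"\{auth\} NTLM cannot find user (\S+)@(\S+)")

def failed_ntlm_lookups(log_text):
    """Pair each 'found in domain' line with a 'cannot find user' line for the
    same address; returns (user, nt_domain, email_domain) per failed lookup."""
    missing = {(m.group(1), m.group(2)) for m in MISSING_RE.finditer(log_text)}
    return [(u, nt, mail) for u, nt, mail in FOUND_RE.findall(log_text)
            if (u, mail) in missing]
```

With only the test domain mapped (the pre-production arrangement Scott suggests), resolve_ntlm_user returns a single address; with both mapped it returns None, which is the situation the log above shows.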
coolhandluq

Ok I think I get it. Thanks for the help!
ralfonat

Sorry for the delay:

Do the same principles apply if KMS is running under Linux? Because then it can't be a member of the domain?!
sedell

I never saw it in the documentation, though I didn't spend much time looking since I'm on Windows myself, but according to this post, the server must run on Windows for NTLM to work.

Scott