Kerberos / LDAP troubleshooting tidbit (Kerio User Forums » Kerio Connect)

TorW

Just thought I'd add this little piece of information here.

Problem: a user's AD password was changed because it had expired. Upon starting Outlook, he was asked for username/password by Kerio Outlook Connector (KOC). Neither the old nor the new password worked.

After issuing the command
# kinit user@with-login-problem.example.com

on the Linux mail server, the error "Cannot resolve network address for KDC in requested realm while getting initial credentials" was returned.

Solution: The mail server (Linux) couldn't reverse-resolve the KDC through DNS. After adding a PTR record for the KDC host (i.e. the DNS name for the domain controller), everything worked. The user could type the new password in the KOC login dialog box and was in.

Hope this helps someone.

TorW

Well, it worked for about five minutes.
After that, one user after another got the KOC authentication box, until not a single user was able to log in. It's been going on all day, and the users are ... well ... not happy. Users with internal accounts can log in just fine. Same problems on KOC and Webmail.

The weird thing is that kinit from the Linux command line doesn't throw any errors, but the debug.log (I enabled User Authentication messages) is full of this:

[19/Dec/2008 18:01:46][11102]
{auth} Krb5: get_init_creds_password(krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL, user@MYDOMAIN.LOCAL):
Cannot contact any KDC for requested realm, error code 0x96c73a9c (-1765328228)

I can telnet on port 88 to the domain controller without problems, and as I mentioned, kinit works without a hitch.

We are running 2003 Server x64 and KMS 6.6.1 which was upgraded from 6.5.2 last Saturday. We have opened a ticket with Kerio, but nothing has come of it so far.

This is pretty confusing since we didn't touch anything and everything worked yesterday.

[Updated on: Fri, 19 December 2008 18:08]
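
The two libkrb5 errors quoted in the first two posts are different failures: "Cannot resolve network address for KDC in requested realm" (KRB5_REALM_CANT_RESOLVE) is raised before any packet is sent, when the realm-to-KDC lookup itself fails, while "Cannot contact any KDC for requested realm" (KRB5_KDC_UNREACH, the -1765328228 in the debug.log above) means a KDC address was found and nothing answered. The script below is an added example for this thread, not Kerio's code: it parses {auth} Krb5 lines in the format shown above, converts the hex code the way libkrb5 does (signed 32-bit), maps the offset from the MIT krb5 error table base (-1765328384) to the symbolic name, and sorts each entry into a triage category with the next thing to check. It also emits the reverse-zone record line that the first post's PTR fix needed. The sample log entries are constructed in the thread's format (each entry joined onto one line), and the IP address and DC name passed to ptr_record are placeholders.

```python
"""Triage krb5 errors from Kerio-style "{auth} Krb5:" debug log lines.

Added example for this forum thread, not Kerio's code. Error-code offsets and
messages are the MIT krb5 error table (ERROR_TABLE_BASE_krb5 = -1765328384);
the sample log and the IP/DC name used below are constructed placeholders.
"""
import ipaddress
import re

KRB5_ERROR_BASE = -1765328384  # 0x96C73A00 read as a signed 32-bit value

# offset from KRB5_ERROR_BASE -> (symbolic name, libkrb5 message, triage category)
KRB5_ERRORS = {
    6:   ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database", "identity"),
    23:  ("KRB5KDC_ERR_KEY_EXP", "Password has expired", "identity"),
    24:  ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed", "identity"),
    37:  ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great", "time"),
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm", "network"),
    220: ("KRB5_REALM_CANT_RESOLVE",
          "Cannot resolve network address for KDC in requested realm", "dns"),
}

# What to look at next for each category; "dns" and "network" are the two hit in the thread.
NEXT_CHECK = {
    "dns": "realm-to-KDC lookup failed before any packet was sent: check [realms] kdc= in "
           "krb5.conf, the _kerberos._tcp.<REALM> SRV records and the DC's A/PTR records",
    "network": "a KDC address was found but nothing answered: check TCP and UDP 88 to every "
               "KDC listed for the realm and whether that DC is actually serving Kerberos",
    "identity": "the KDC answered and rejected the request (bad/expired password or unknown "
                "principal); this is not a connectivity problem",
    "time": "the KDC answered but rejected the timestamp: check NTP on server and DC",
    "unknown": "offset not in this table; look it up in krb5_err.et",
}

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+)\]\s*\{auth\} Krb5: (?P<call>\w+)"
    r"\((?P<service>[^,]+), (?P<client>[^)]+)\):\s*(?P<message>.+?), "
    r"error code 0x(?P<hex>[0-9a-fA-F]{1,8}) \((?P<dec>-?\d+)\)\s*$"
)


def signed32(hex_code: str) -> int:
    """Interpret a hex code as libkrb5 reports it: a signed 32-bit integer."""
    value = int(hex_code, 16) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def decode_error(code: int) -> dict:
    """Map a signed krb5 error code to its name, message and triage category."""
    offset = code - KRB5_ERROR_BASE
    name, message, category = KRB5_ERRORS.get(offset, ("UNKNOWN", "", "unknown"))
    return {"code": code, "offset": offset, "name": name, "message": message,
            "category": category, "next_check": NEXT_CHECK[category]}


def parse_log(text: str) -> list:
    """Return one decoded dict per "{auth} Krb5:" line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        code = int(m.group("dec"))
        entry = {"ts": m.group("ts"), "call": m.group("call"),
                 "service": m.group("service"), "client": m.group("client"),
                 "log_message": m.group("message"),
                 # hex and decimal must be the same number; if not, the line was
                 # mangled (wrapped, edited, truncated) and should not be trusted
                 "consistent": signed32(m.group("hex")) == code}
        entry.update(decode_error(code))
        entries.append(entry)
    return entries


def category_counts(entries: list) -> dict:
    """How many failures of each kind: one bucket dominating tells you where to look."""
    counts = {}
    for e in entries:
        counts[e["category"]] = counts.get(e["category"], 0) + 1
    return counts


def ptr_record(kdc_ip: str, kdc_fqdn: str) -> str:
    """Zone-file line for the reverse (PTR) record the first post added for the DC."""
    return f"{ipaddress.ip_address(kdc_ip).reverse_pointer}. IN PTR {kdc_fqdn.rstrip('.')}."


# Constructed sample in the thread's format, each entry joined onto one line.
SAMPLE_LOG = """\
[19/Dec/2008 18:01:46][11102] {auth} Krb5: get_init_creds_password(krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL, user@MYDOMAIN.LOCAL): Cannot contact any KDC for requested realm, error code 0x96c73a9c (-1765328228)
[19/Dec/2008 18:02:10][11102] {auth} Krb5: get_init_creds_password(krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL, other@MYDOMAIN.LOCAL): Cannot resolve network address for KDC in requested realm, error code 0x96c73adc (-1765328164)
[19/Dec/2008 18:02:31][11102] {auth} Krb5: get_init_creds_password(krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL, jdoe@MYDOMAIN.LOCAL): Preauthentication failed, error code 0x96c73a18 (-1765328360)
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        flag = "" if e["consistent"] else " [hex/dec mismatch]"
        print(f"{e['ts']} {e['client']}: {e['name']} ({e['category']}){flag}")
        print(f"    -> {e['next_check']}")
    print(category_counts(found))
    print(ptr_record("192.0.2.10", "dc1.mydomain.local"))  # placeholder IP and DC name
```

Point it at the real debug.log with User Authentication messages enabled; if the Kerio log entries are split across lines as they are quoted above, join each entry onto one line first. A log that is all "network" while kinit from the shell succeeds, as in the second post, says the name was resolved and the KDC simply did not answer that process, so the next question is which KDC each client is actually talking to rather than DNS.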


TorW

The problem is solved. For one reason or another, our 64-bit Windows 2003 domain controller had decided to act up and refuse Kerberos traffic. The moment we brought a 32-bit secondary domain controller on the air and directed Kerberos requests to it instead, everything was ok.

The fact that the login errors started to appear the moment a user changed the AD password is less than comfortable for us. We're changing (reinstalling) the primary DC over to 32-bit tomorrow.

Nixs

With the last round of patches from Microsoft we have been having very odd problems with our AD servers. After a few reboots of the AD servers the problems seem to clear up. You can see in the logs that the problems started the exact same minute that the patches were applied.

Not sure if that is of any help, but worth mentioning.