KMS - Outlook change password
  •  
ZAKhan

I have KMS installed on Red Hat Linux and connected to Windows 2003 Server AD.

When I change a user's password in AD, Outlook does not register the change and the user has to manually change the password. The web interface, on the other hand, works fine.

debug.log: {auth} Krb5: get_init_creds_password(krbtgt/abc.com@abc.com, user@abc.com): Preauthentication failed, error code 0x96c73a18 (-1765328360)

Could this be an issue with the Outlook connector?
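
Added example, not part of the original post and not Kerio's code: a Python sketch that decodes the Krb5 error code from the debug.log line quoted above (0x96c73a18 is offset 24 in the krb5 error table, KRB5KDC_ERR_PREAUTH_FAILED) and counts preauthentication failures per principal, which is how a client still sending an old password looks from the server side. The line format is assumed from the single line in the post; the sample lines, principals and threshold are constructed.

```python
import re
from collections import Counter

# krb5 com_err table base: 0x96C73A00 == -1765328384 as a signed 32-bit value.
KRB5_BASE = 0x96C73A00
KRB5_ERRORS = {  # offset from base -> symbolic name (subset)
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    37: "KRB5KRB_AP_ERR_SKEW",
}
# Assumed line shape, taken from the single debug.log line quoted in the post.
LINE_RE = re.compile(
    r"\{auth\} Krb5: get_init_creds_password\((?P<service>[^,]+),\s*(?P<client>[^)]+)\):"
    r"\s*.*?, error code 0x(?P<hex>[0-9a-fA-F]{8}) \((?P<dec>-?\d+)\)")

# Constructed sample input (not real log data).
FMT = ("{auth} Krb5: get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM, %s): "
       "%s, error code 0x%s (%d)")
SAMPLE_LOG = [FMT % ("alice@EXAMPLE.COM", "Preauthentication failed", "96c73a18", -1765328360)] * 3 + [
    FMT % ("bob@EXAMPLE.COM", "Preauthentication failed", "96c73a18", -1765328360),
    FMT % ("carol@EXAMPLE.COM", "Password has expired", "96c73a17", -1765328361),
    "{auth} some unrelated line",
]

def decode_krb5(code_hex):
    """Return (signed 32-bit code, symbolic name) for a hex error code."""
    code = int(code_hex, 16)
    signed = code - (1 << 32) if code & 0x80000000 else code
    return signed, KRB5_ERRORS.get(code - KRB5_BASE, "unknown krb5 offset %d" % (code - KRB5_BASE))

def parse_line(line):
    """Parse one log line; return None if it is not a Krb5 failure line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    signed, name = decode_krb5(m["hex"])
    if signed != int(m["dec"]):  # hex and decimal forms disagree: damaged line
        return None
    return {"client": m["client"].strip(), "error": name}

def stale_password_candidates(lines, threshold=3):
    """Principals with at least `threshold` preauthentication failures."""
    fails = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["error"] == "KRB5KDC_ERR_PREAUTH_FAILED":
            fails[rec["client"]] += 1
    return {c: n for c, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    print(stale_password_candidates(SAMPLE_LOG))
```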
  •  
sedell

Outlook has no way of knowing the password changed. If you manually specified a password in Outlook, you have to manually update it when it changes.

Scott
  •  
TorW

I have the same issue (KMS on Linux, Windows AD users), and was wondering why Webmail picks up the changed password and Outlook doesn't. Isn't Webmail just another client connected to KMS?
  •  
Pavel Dobry (Kerio)

I really enjoy this fun discussion :)

The main core of password-based authentication is the password. If you change it on the server, you need to change it in all clients, otherwise they fail to connect.

WebMail does not store any password. It can be stored in the browser, and very often when you change the password via WebMail's interface, the browser will detect it and change the saved password as well. Otherwise, you need to enter the new password on the next login.

Imagine a situation when someone guessed or stole your password. You immediately change it on the server. I bet no one would be happy if the changed password were propagated to all clients, including the attacker's :)
  •  
TorW

Kerio_pdobry wrote on Wed, 21 January 2009 14:43

I really enjoy this fun discussion :)


That probably sounds different in Czech, but in English it sounds like you are laughing at us. I know you aren't. I'm just saying. (rolling eyes)

Kerio_pdobry wrote on Wed, 21 January 2009 14:43

Imagine a situation when someone guessed or stole your password. You immediately change it on the server. I bet no one would be happy if the changed password were propagated to all clients, including the attacker's


Try telling that to users who have used the Outlook/Exchange/MAPI combo for years. Granted, most users understand the situation and change their KOC password when their Active Directory password is up for renewal, but quite a few throw a hissy fit whenever they have to face their own security specification.

Understand that some organizations are replacing MS Exchange with KMS, and a password request in Outlook simply isn't something users are used to seeing. Hence admins are asking questions here.
  •  
rinzwind

When you specify manual authentication in KOC you need to change the password (you have entered it the first time and the login data is stored somewhere). When you use secure password authentication (Windows NTLM) you are using Windows authentication, so no need to enter the password.
  •  
TorW

SPA does not work out of the box when you run KMS on Linux, as the original poster does. But it's of course the only (insecure) choice to avoid manual password changes in KOC/KOFF.
  •  
rinzwind

It's not insecure. It's using your Windows token.
  •  
TorW

SPA is safe as such, but I cannot see any real reason why KOC password synchronization is possible with NTLM but not Kerberos. The latter is what Windows 2000 and 2003 prefer over NTLM, and it is certainly possible to change your password if you are a Linux user authenticating against AD via Kerberos.