
Kerio Connect forum thread: Secure password authentication & multiple domains & AD
dide

Messages: 2
Karma: 0
We are having a problem with multiple email domain names, a different AD domain name, and Secure Password Authentication.
When we use manual authentication everything is working fine.
But we want to use SPA (Outlook)...

The situation:

AD domain:
adname.com

Mail domain:
mail1.com
mail2.com
mail3.com

How can we tell the mail server/AD, with SPA, that the active user must use mail2.com for authentication and the correct mailbox?

It would be nice if there was an option in the KOFF/KOC client to select/type an email domain name with SPA.
So active Windows user + manual domain name > SPA

A test:
correct email address: dide.heuvel@mail1.com

Debug output:
[12/Mar/2009 14:46:05][2432] {auth} Basic: first step, we respond with realm
[12/Mar/2009 14:46:05][2432] {auth} NTLM: Continuing authentication.
[12/Mar/2009 14:46:05][2432] {auth} NTLM: client ADNAME\dide.heuvel sent valid credentials, ctx attribs 0x4.
[12/Mar/2009 14:46:05][2432] {auth} NTLM: acceptSecurityContext() completed successfully.
[12/Mar/2009 14:46:05][2432] {auth} User dide.heuvel performed NTLM authentication in NT domain ADNAME, found in domain mail2.com
[12/Mar/2009 14:46:05][2432] {auth} NTLM cannot find user dide.heuvel@mail2.com




[Updated on: Thu, 12 March 2009 14:51]
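
The debug output above shows the failure pattern this thread is about: Kerio accepts the NTLM credentials for the NT domain, maps that NT domain to one mail domain (mail2.com), and then cannot find the mailbox because it actually lives under another mail domain (mail1.com). The following is an added example, not code from Kerio or from the poster: a small log scanner that pairs the "found in domain" line with the following "cannot find user" line on the same thread id and reports the mapping mismatch, so an administrator can see at a glance why SPA logins fail for users whose mailbox is not in the mail domain bound to the AD domain. The log format is assumed to be exactly as quoted in the post; the `mailboxes` lookup (user name to real mail domain) is an assumed input that in practice would come from the server's user list. The sample log is constructed from the lines in the post, with the forum's anti-spam marker restored to "@".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the debug lines quoted in the post above.
SAMPLE_LOG = """\
[12/Mar/2009 14:46:05][2432] {auth} Basic: first step, we respond with realm
[12/Mar/2009 14:46:05][2432] {auth} NTLM: Continuing authentication.
[12/Mar/2009 14:46:05][2432] {auth} NTLM: client ADNAME\\dide.heuvel sent valid credentials, ctx attribs 0x4.
[12/Mar/2009 14:46:05][2432] {auth} NTLM: acceptSecurityContext() completed successfully.
[12/Mar/2009 14:46:05][2432] {auth} User dide.heuvel performed NTLM authentication in NT domain ADNAME, found in domain mail2.com
[12/Mar/2009 14:46:05][2432] {auth} NTLM cannot find user dide.heuvel@mail2.com
"""

# Constructed sample of a login that succeeds: no "cannot find user" follows.
SAMPLE_LOG_OK = """\
[12/Mar/2009 14:50:00][2440] {auth} NTLM: acceptSecurityContext() completed successfully.
[12/Mar/2009 14:50:00][2440] {auth} User jane.doe performed NTLM authentication in NT domain ADNAME, found in domain mail2.com
"""

# Generic line shape: [timestamp][thread id] {auth} message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>\d+)\] \{auth\} (?P<msg>.*)$")
# The line where Kerio maps the NT domain to a mail domain.
FOUND_RE = re.compile(
    r"^User (?P<user>\S+) performed NTLM authentication in NT domain (?P<nt>\S+), "
    r"found in domain (?P<mail>\S+)$"
)
# The line where the mailbox lookup in that mail domain fails.
MISSING_RE = re.compile(r"^NTLM cannot find user (?P<user>[^@\s]+)@(?P<mail>\S+)$")


@dataclass
class Mismatch:
    thread: str
    timestamp: str
    user: str
    nt_domain: str       # domain SPA/NTLM supplied (from the Windows logon)
    mapped_domain: str   # mail domain Kerio bound that NT domain to
    actual_domain: Optional[str]  # where the mailbox really is, if known


def parse_line(line: str):
    """Split one debug line into (timestamp, thread id, message), or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("ts"), m.group("thread"), m.group("msg")


def find_domain_mismatches(log_text: str, mailboxes: Optional[dict] = None) -> list:
    """Return one Mismatch per NTLM login that was accepted but whose mailbox
    lookup failed in the mail domain Kerio mapped the NT domain to.

    `mailboxes` (assumed lookup: user -> mail domain) is only used to annotate
    the finding with where the mailbox actually lives.
    """
    mailboxes = mailboxes or {}
    pending = {}   # thread id -> (timestamp, user, nt_domain, mapped_domain)
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, thread, msg = parsed
        found = FOUND_RE.match(msg)
        if found:
            # Remember the mapping decision for this thread until the lookup result arrives.
            pending[thread] = (ts, found["user"], found["nt"], found["mail"])
            continue
        missing = MISSING_RE.match(msg)
        if missing and thread in pending:
            _, user, nt, mapped = pending.pop(thread)
            # Only pair the two lines if they refer to the same user and mail domain.
            if user == missing["user"] and mapped == missing["mail"]:
                findings.append(Mismatch(thread, ts, user, nt, mapped, mailboxes.get(user)))
    return findings


if __name__ == "__main__":
    for f in find_domain_mismatches(SAMPLE_LOG, mailboxes={"dide.heuvel": "mail1.com"}):
        print(f"{f.timestamp} thread {f.thread}: {f.user} logged on to NT domain {f.nt_domain}, "
              f"mapped to {f.mapped_domain}, mailbox is in {f.actual_domain}")
```

The scanner keys on the thread id in the second bracket so that interleaved logins from other clients do not get paired with each other; a "found in domain" line with no subsequent "cannot find user" on the same thread is treated as a normal login and produces no finding.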

sedell

Messages: 1168
Karma: 1
You can't. The mail domain and Active Directory domain are a 1 to 1 mapping. You can only have one mail domain using one AD domain for authentication.

SPA gets its domain info from the user login on the Windows machine itself. There's no way to specify a different domain.

In addition, for SPA to work, the computer must belong to the AD domain, the user account authenticating must belong to the AD domain, and the Kerio server itself must belong to the AD domain.

Scott
dide

Messages: 2
Karma: 0
Quote:
In addition, for SPA to work, the computer must belong to the AD domain, the user account authenticating must belong to the AD domain, and the Kerio server itself must belong to the AD domain.

This is also the situation.
Computer, account and Kerio server belong to the AD domain.

But we are having multiple email domain names.
And of course the primary email domain name is also the AD name.
So we are having 4 email domain names but we are using 3 for the email.

With SPA the Kerio server doesn't know which email domain the user account belongs to. (See debug output in my first post.)
sedell

Messages: 1168
Karma: 1
Right. It has no way of knowing what domain to use. All SPA provides is the domain name the user is logged in to. That's one reason why the mail domain and AD domain is a 1 to 1 relationship. The client provides one domain, but you have 3 set up all pointing at the same AD domain. Should the server guess which domain to authenticate against?

Scott
veteran

Messages: 6
Karma: 0
Maybe a mail domain alias is a solution?