Kerio User Forums » Kerio Connect » LDAP authentication
zebby

Messages: 240
Karma: 2
I've got Kerio sitting on a machine in a DMZ. On the Directory Services tab of the domain I've got the DC set up, and hitting "test connection" reports success.

The DC (WIN2003) has the KADE installed and on 2 test users I've created mailboxes which appear in KMS.

If I try to log into web mail it fails, the error log tells me 'invalid password'.

If I go to users, double-click them to look at their properties, then exit, on hitting Apply I get "Error: LDAP operation failed. Check that you have installed Directory Extensions properly".
I've uninstalled KADE and reinstalled it, but this has made no difference.

What is going on here? What have I missed?
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
zebby wrote on Wed, 03 June 2009 16:46:
    If I try to log into web mail it fails, the error log tells me 'invalid password'.

User authentication is using Kerberos. Make sure that proper Kerberos ports are allowed in DMZ.
Check "Authentication module" debugging in KMS debug log.
Quote:
    If I go to users and double click them to look at their properties then exit, on hitting apply I get "Error: LDAP operation failed. Check that you have installed Directory Extensions properly"

Looks like the credentials used for user mapping from AD do not have access rights for modifying the AD attributes.
zebby

Messages: 240
Karma: 2
User authentication is using Kerberos. Make sure that proper Kerberos ports are allowed in DMZ. >> What port numbers are these?

Check "Authentication module" debugging in KMS debug log >> Debug log is empty; does this need switching on somewhere?

Looks like the credentials used for user mapping from AD do not have access rights for modifying the AD attributes >> Ah, my screw up, I've fixed this now and this has resolved the "Error: LDAP operation failed. Check that you have installed Directory Extensions properly" message I was getting.

But I still can't log in to web mail!
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
zebby wrote on Wed, 03 June 2009 17:46:
    User authentication is using Kerberos. Make sure that proper Kerberos ports are allowed in DMZ. >> What port numbers are these?

TCP/UDP 88 - see http://support.microsoft.com/kb/832017
Quote:
    Check "Authentication module" debugging in KMS debug log >> Debug log is empty; does this need switching on somewhere?

Of course - read http://manuals.kerio.com/kms/en/sect-debuglog.html
zebby

Messages: 240
Karma: 2
Well, port 88 is now set (previously for testing I was allowing everything), but whichever way I set the firewall the result is the same:

[03/Jun/2009 17:41:36][3152] {ldapdb} Acquired connection to the LDAP server: "192.168.1.10". Pool slot: 0; Thread ID: 3152
[03/Jun/2009 17:41:36][3152] {ldapdb} LDAP connection was returned back to pool slot: 0. ThreadId: 3152
[03/Jun/2009 17:41:36][3152] {auth} Krb5: entering auth (user A1test@MAILTEST.LOCAL)
[03/Jun/2009 17:41:36][3152] {auth} Kerberos 5 auth: user A1test@MAILTEST.LOCAL not authenticated, error code c000005e
[03/Jun/2009 17:41:36][3152] {auth} c000005e (1311) There are currently no logon servers available to service the logon request.

Confused
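The debug lines above carry more than the webmail error log does: the NTSTATUS code c000005e says the KDC was never reached, so the password was never checked at all, even though the error log reported "invalid password". The following script is an added example for this thread (not Kerio's code and not posted by anyone in it). It parses Kerio MailServer debug-log lines of the shape shown above, pulls the NTSTATUS out of each Kerberos failure and classes it so that infrastructure failures are reported before credential failures. The SAMPLE_LOG is constructed from zebby's lines plus one made-up wrong-password attempt for a second user; the NTSTATUS-to-Win32 table is a small set of codes taken from public Windows documentation, not something Kerio emits.

```python
"""Triage Kerberos authentication failures in a Kerio MailServer debug log.

Added example for this thread; it is not Kerio code and not from any poster.
The sample lines are constructed from the format zebby posted. The NTSTATUS
table is limited to codes whose Win32 mapping the author is certain of.
"""
import re
from collections import Counter, defaultdict

# Debug-log line shape seen in the thread: [date time][thread] {module} message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\] \{(?P<module>\w+)\} (?P<msg>.*)$"
)
# Failure line: "Kerberos 5 auth: user <principal> not authenticated, error code <ntstatus>"
FAIL_RE = re.compile(
    r"user (?P<user>\S+) not authenticated, error code (?P<code>[0-9a-fA-F]{8})"
)

# NTSTATUS -> (Win32 code, symbol, failure class). "infrastructure" means the
# KDC was never reached, so the credential was never tested at all.
NTSTATUS = {
    "c000005e": (1311, "STATUS_NO_LOGON_SERVERS", "infrastructure"),
    "c000006d": (1326, "STATUS_LOGON_FAILURE", "credential"),
    "c000006a": (86, "STATUS_WRONG_PASSWORD", "credential"),
    "c0000064": (1317, "STATUS_NO_SUCH_USER", "credential"),
    "c0000072": (1331, "STATUS_ACCOUNT_DISABLED", "account"),
    "c0000071": (1330, "STATUS_PASSWORD_EXPIRED", "account"),
    "c0000234": (1909, "STATUS_ACCOUNT_LOCKED_OUT", "account"),
}

# Constructed sample: zebby's lines plus one made-up wrong-password attempt.
SAMPLE_LOG = """\
[03/Jun/2009 17:41:36][3152] {ldapdb} Acquired connection to the LDAP server: "192.168.1.10". Pool slot: 0; Thread ID: 3152
[03/Jun/2009 17:41:36][3152] {auth} Krb5: entering auth (user A1test@MAILTEST.LOCAL)
[03/Jun/2009 17:41:36][3152] {auth} Kerberos 5 auth: user A1test@MAILTEST.LOCAL not authenticated, error code c000005e
[03/Jun/2009 17:41:36][3152] {auth} c000005e (1311) There are currently no logon servers available to service the logon request.
[03/Jun/2009 17:52:10][3160] {auth} Kerberos 5 auth: user A2test@MAILTEST.LOCAL not authenticated, error code c000006a
"""


def parse_line(line):
    """Split one debug-log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def auth_failures(lines):
    """Yield one record per 'not authenticated' line, with the NTSTATUS decoded."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["module"] != "auth":
            continue
        f = FAIL_RE.search(rec["msg"])
        if f is None:
            continue
        code = f.group("code").lower()
        win32, symbol, kind = NTSTATUS.get(code, (None, "UNKNOWN_NTSTATUS", "unknown"))
        yield {"ts": rec["ts"], "tid": rec["tid"], "user": f.group("user"),
               "ntstatus": code, "win32": win32, "symbol": symbol, "kind": kind}


def triage(lines):
    """Group failures by class and user and state what to fix first."""
    fails = list(auth_failures(lines))
    by_kind = Counter(f["kind"] for f in fails)
    by_user = defaultdict(Counter)
    for f in fails:
        by_user[f["user"]][f["symbol"]] += 1
    if by_kind["infrastructure"]:
        verdict = ("KDC unreachable (STATUS_NO_LOGON_SERVERS): check TCP and UDP 88 "
                   "from the KMS host to the DC, DNS SRV records for the realm, and "
                   "that the host is a domain member. Treat 'invalid password' in the "
                   "error log as unreliable until this clears.")
    elif by_kind["credential"] or by_kind["account"]:
        verdict = "KDC reachable; failures are per-account, check the user, not the firewall."
    elif fails:
        verdict = "Unrecognised NTSTATUS codes; look them up before acting."
    else:
        verdict = "No Kerberos failures found."
    return {"failures": fails, "by_kind": by_kind, "by_user": by_user, "verdict": verdict}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    report = triage(source)
    for f in report["failures"]:
        print(f"{f['ts']} {f['user']:<28} {f['ntstatus']} {f['symbol']} ({f['kind']})")
    print(report["verdict"])
```

Run it against a saved debug log (`python triage.py debug.log`) or with no argument to see it work on the constructed sample. The point of the classing is ordering: while any STATUS_NO_LOGON_SERVERS line is present, per-user codes tell you nothing, because the KDC never saw the request.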
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
You forgot to mention what OS is on the KMS server. The error says that the server with KMS is not a member of the AD domain, or has an incorrect Kerberos client configuration.
zebby

Messages: 240
Karma: 2
Ah, so the machine with KMS on it has to be a member server?

KMS is on 2003 STD R2 by the way
zebby

Messages: 240
Karma: 2
sedell wrote on Thu, 04 June 2009 12:57:
    See http://manuals.kerio.com/kms/en/sect-krbwin.html.

So I've read through this, and we ARE saying that for LDAP authentication to work the KMS machine HAS to be a member server?

How can that be secured?
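The question of what a member server in the DMZ would need opened towards the DC is answered by the Microsoft article Pavel linked (KB 832017), which lists far more than port 88. The following is an added example, not Kerio's code and not posted in the thread: a preflight that reports which of those DC ports are reachable from the DMZ host, so the firewall change request can be written from facts rather than guesses. DC_PORTS is the author's transcription of the domain-member set from KB 832017; the thread itself names only Kerberos TCP/UDP 88. The DC address 192.168.1.10 is taken from zebby's log. UDP ports are listed for comparison with the rule set but cannot be verified by a bare connect, so they are reported as unverified.

```python
"""Check which domain-controller ports a DMZ host can actually reach.

Added example for this thread, not Kerio code. DC_PORTS is the set a Windows
domain member talks to on its DC per Microsoft KB 832017; the thread itself
names only Kerberos TCP/UDP 88. UDP entries are listed for comparison with
the firewall rule set but cannot be verified with a bare connect.
"""
import socket

# (port, protocol, what it carries)
DC_PORTS = [
    (53, "tcp", "DNS"), (53, "udp", "DNS (SRV lookups for _kerberos._tcp.<realm>)"),
    (88, "tcp", "Kerberos"), (88, "udp", "Kerberos"),
    (123, "udp", "NTP (Kerberos rejects tickets with clock skew over 5 minutes)"),
    (135, "tcp", "RPC endpoint mapper"),
    (389, "tcp", "LDAP"), (389, "udp", "LDAP (DC locator ping)"),
    (445, "tcp", "SMB (Netlogon secure channel, Group Policy)"),
    (464, "tcp", "Kerberos password change"), (464, "udp", "Kerberos password change"),
    (636, "tcp", "LDAPS"),
    (3268, "tcp", "Global Catalog"), (3269, "tcp", "Global Catalog over TLS"),
]
# Not listed above: the RPC dynamic range (TCP 1025-5000 on Windows 2003,
# 49152-65535 on 2008 and later). A domain member needs it too, which is
# the core of the "member server in a DMZ" objection raised in the thread.


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, unresolvable, unreachable
        return False


def preflight(host, ports=DC_PORTS, timeout=2.0, probe=tcp_open):
    """Map (port, proto) -> 'open' | 'closed' | 'unverified' for one DC.

    `probe` is injectable so the logic can be exercised without a network.
    """
    results = {}
    for port, proto, _service in ports:
        if proto != "tcp":
            results[(port, proto)] = "unverified"   # no handshake to observe
        else:
            results[(port, proto)] = "open" if probe(host, port, timeout) else "closed"
    return results


def kerberos_reachable(results):
    """The minimum this thread is about: TCP 88 answers. UDP 88 must be allowed too."""
    return results.get((88, "tcp")) == "open"


def missing_tcp(results):
    """Sorted TCP ports that did not answer, for the firewall change request."""
    return sorted(p for (p, proto), state in results.items()
                  if proto == "tcp" and state == "closed")


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"  # DC from zebby's log
    res = preflight(dc)
    for (port, proto), state in sorted(res.items()):
        print(f"{proto}/{port:<5} {state}")
    print("Kerberos TCP 88:", "ok" if kerberos_reachable(res) else "blocked")
    print("TCP ports to open:", missing_tcp(res))
```

Run it from the DMZ host itself (`python dc_preflight.py 192.168.1.10`), not from the LAN, since the point is to see the firewall's view. A Windows 2003 Kerberos client tries UDP 88 first and falls back to TCP only for large tickets, so a clean TCP result here does not prove UDP 88 is allowed; the rule set still has to permit both, as KB 832017 states.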
sjourney

Messages: 132
Karma: 0
Cross your fingers...

Originally we were going to put our mail server in the DMZ, but for this reason we left it in the LAN. You can use an SSL tunnel and just open up 443 so webmail and phones work... Our mail server does not receive email directly, so this setup works well for us.
zebby

Messages: 240
Karma: 2
sjourney wrote on Thu, 04 June 2009 14:32:
    Cross your fingers...

I'm not sure this is the right approach to server security!

There must be something I'm missing here, or are my options really:

1. Having a domain server member in the DMZ - bad idea.
2. Having KMS on the internal LAN exposed to the internet - really bad idea.
3. Having KMS as a stand alone server in the DMZ using the internal user database - good idea. BUT having to duplicate setting up users in AD and KMS - pain in the arse, but do-able. Having no way of enforcing a password policy on KMS - bad idea.