Secure Password Authentication (SPA) - Solution! (A possible fix for problems using SPA in Outlook (2007))

Sjeiz

Hi,

Today I spent a few hours figuring out why SPA authentication did not work in my test setup:

  • VMWare ESX 3.5
  • Domain Controller on Windows Server 2008 SP2
  • Kerio Mail Server v6.7.1 on Windows Server 2008 SP2
  • Windows Server 2008 SP2 Terminal Server
  • Kerio offline connector for Outlook v6.7.1
  • Outlook (Office) 2007 SP2

After trying various things and googling my brains out, I finally got it working. Since the problem is likely to happen to other admins, I thought I'd post the solution I've found.

Cause:
I created all (virtual) servers from a single template without sysprep or NewSID. Therefore, the Kerio mail server had the same machine SID as the domain controller. When using NTLM or Kerberos authentication, it will fail.

Symptoms:
In the Event Viewer of the Kerio mail server, the following entries were located:

  • System Log
    Source: NETLOGON
    Event ID: 5516
    Message: The computer or domain <<computername>> trusts domain <<domainname>>. (This may be an indirect trust.) However, <<computername>> and <<domainname>> have the same machine security identifier (SID). NT should be re-installed on either <<computername>> or <<domainname>>.
  • Security Log (after trying a SPA login)
    Source: Microsoft Windows Security Auditing
    Event ID: 4625
    Message: long description on the failed logon, but with the following failure description:
    Failure Information:
    Failure Reason: Domain sid inconsistent.
    Status: 0xc000006d
    Sub Status: 0xc000019b
  • Kerio debug log
    {auth} NTLM: error while accepting security context


Solution:
The solution is fairly simple:
Make sure that when you deploy servers, a new computer SID is generated (e.g. using sysprep). For already installed servers, you can use newsid.exe (http://download.sysinternals.com/Files/NewSid.zip).

Note: Please use NewSID at your own risk and always test before taking it into production.
More information on NewSID.exe can be found here (http://www.brajkovic.info/virtualization/using-newsid-to-change-sid/) or use your friend Google.

Kind regards,

Erik Cheizoo
Infrastructure architect
eXcellence & Difference
The Netherlands
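A quick way to confirm the three symptoms above go together is to correlate the NETLOGON 5516 event with the 4625 logon failures carrying the "Domain sid inconsistent" sub status, rather than reading the logs by hand. The script below is an added example, not code from the original post or from Kerio: it parses a small constructed "Key: Value" event export (the format, host names KMS01/CORP and the text of the sample records are assumptions for the example) and reports whether the duplicate-SID signature is present. The event ID 5516 and the sub status 0xc000019b are the values quoted in the post.

```python
"""Detect the duplicate-machine-SID signature from exported Windows events.

Added example (not from the forum post). It reads a constructed
'Key: Value' export with one record per blank-line-separated block, which
is an assumed format; a real export (e.g. from wevtutil or Get-WinEvent)
would need its own adapter into the same dict shape.
"""
import re

# Values quoted in the forum post.
NETLOGON_DUPLICATE_SID_EVENT = 5516
LOGON_FAILURE_EVENT = 4625
SUBSTATUS_DOMAIN_SID_INCONSISTENT = "0xc000019b"

# Constructed sample export (host KMS01 and domain CORP are made up).
SAMPLE_EXPORT = """\
Log: System
Source: NETLOGON
Event ID: 5516
Message: The computer or domain KMS01 trusts domain CORP. (This may be an indirect trust.) However, KMS01 and CORP have the same machine security identifier (SID). NT should be re-installed on either KMS01 or CORP.

Log: Security
Source: Microsoft Windows Security Auditing
Event ID: 4625
Message: An account failed to log on. Failure Reason: Domain sid inconsistent. Status: 0xc000006d Sub Status: 0xc000019b

Log: Security
Source: Microsoft Windows Security Auditing
Event ID: 4625
Message: An account failed to log on. Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a
"""

_TRUST_RE = re.compile(r"The computer or domain (\S+) trusts domain (\S+)\.")
_SUBSTATUS_RE = re.compile(r"Sub Status:\s*(0x[0-9a-fA-F]+)")


def parse_records(text):
    """Split the export into dicts; each block becomes one {key: value} record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")  # first ': ' only; messages contain colons
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def analyze(text):
    """Correlate NETLOGON 5516 with 4625 failures whose sub status is 0xc000019b."""
    sid_pairs = []          # (computer, domain) pairs NETLOGON says share a SID
    inconsistent = 0        # 4625 failures attributed to the SID conflict
    other = 0               # 4625 failures with any other sub status
    for rec in parse_records(text):
        try:
            event_id = int(rec.get("Event ID", ""))
        except ValueError:
            continue
        msg = rec.get("Message", "")
        if event_id == NETLOGON_DUPLICATE_SID_EVENT and rec.get("Source", "").upper() == "NETLOGON":
            m = _TRUST_RE.search(msg)
            if m:
                sid_pairs.append((m.group(1), m.group(2)))
        elif event_id == LOGON_FAILURE_EVENT:
            m = _SUBSTATUS_RE.search(msg)
            if m and m.group(1).lower() == SUBSTATUS_DOMAIN_SID_INCONSISTENT:
                inconsistent += 1
            else:
                other += 1
    return {
        "duplicate_sid": bool(sid_pairs),
        "sid_pairs": sid_pairs,
        "inconsistent_sid_logon_failures": inconsistent,
        "other_logon_failures": other,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EXPORT)
    if result["duplicate_sid"]:
        for computer, domain in result["sid_pairs"]:
            print(f"{computer} and {domain} share a machine SID; "
                  f"{result['inconsistent_sid_logon_failures']} SPA logon failure(s) match")
    else:
        print("no duplicate-SID signature found")
```

Only the 4625 events with the 0xc000019b sub status are counted against the SID conflict; failures with other sub statuses (such as a plain bad password) are reported separately so that a real authentication problem is not masked by the SID fix.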
Mozilla77

Another way around the duplicate SID, and I have done this for years when creating desktop images, is: don't upload the image or copy the VM with it already added to the domain, or in a DC case, don't promote it. You won't have to use sysprep or NewSID then either. So even though the system will have the same SID when you download it or copy it, as soon as you add it to the domain or run dcpromo, a new SID gets generated.

[Updated on: Thu, 03 September 2009 18:55]
