
Kerio User Forums » Kerio Connect » Multiple companies and 1 login to AD and Kerio components
WideConnect

Messages: 18
Karma: 0
Hi guys,

I am thinking of a solution for this and I hope someone can help me out. I am not sure how to create this properly:

I have an Active Directory domain controller with, for example, domain.com with multiple users.
These users can authenticate in the different Kerio components (Connect/Control/Workspace...) through the Active Directory import. This works perfectly.

But since I am a hoster using Kerio for customers, I want the following:

Company1 with multiple users logs in with <name>@domain2.com,
Company2 with multiple users logs in with <name>@domain3.com
Etc...

How can I do this? In AD there is no way, as far as I know, to create more domains for authentication.
I want a single point of control for users, not having to create each user separately with different passwords.

Anybody got a brilliant idea for this or is there someone who has done this in a different way?

Any help will be appreciated!

Stefan.
TorW

Messages: 769
Karma: 9
Do all customers have to belong to different AD domains? We have one generic AD domain for most of our customers. Windows/AD Rights are done with OUs, groups and trusts (we have domains with just resources in), and their respective Kerio accounts are authenticated against that single AD domain.
WideConnect

Messages: 18
Karma: 0
I want 1 AD for all users / customers to authenticate to.

But how do you let users authenticate to a DC with AD for a second domain? As far as I know, a DC can only host 1 domain.
TorW

Messages: 769
Karma: 9
Not sure what you mean, but you can have several different mail domains authenticate against a single AD domain. The login account on the client is different from whatever mail address the user has in ADUC.
nhoague

Messages: 853
Karma: 18
Do you know ... is it possible to authenticate KC to multiple ADs? For example, company A has an internal AD, but they want hosted Kerio with AD authentication. Company B has an internal AD, and they also want hosted Kerio with AD authentication?
TorW

Messages: 769
Karma: 9
For each domain config in Kerio you can enter an AD host and an AD domain name to find users in. In other words, yes. You will have to tweak the Kerberos config accordingly if you run KMS/KC on Linux.
netground

Messages: 21
Karma: 0
Hi,

Would your setup also make it possible to have 1 single logon screen for webmail?

And where you can connect with username@domain and it would redirect you to the correct server which hosts the domain and user?

This would benefit us for large customers with several users and domains spread over several servers.

Hans

Net Ground B.V.

http://www.netground.nl
jce

Messages: 1
Karma: 0
I guess I had the same question.
I found an interesting knowledge base article :

http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=413&nav=0,1,38

It says that you can have multiple mail domains (company1.com, company2.com) authenticating through the same AD (ad.com).
For this, you need different OUs within the AD (company1, company2).

You can edit the mailserver.cfg file or do it the graphical way:
Edit the chosen domain (company1.com),
go to the directory service tab,
check different from this mail domain name,
enter the value of the ad name, preceded by the name of the OU (company1.ad.com).

This way, the users from this OU will get an email address user@company1.com
TorW

Messages: 769
Karma: 9
The method outlined in http://support.kerio.com/kb/413 appears to not work anymore in 7.2.2. When I edit mailserver.cfg to include the OU with the relevant users in, the literal string in mailserver.cfg appears in several text boxes in the admin console once the server starts.

E.g. if I change (in mailserver.cfg):
<variable name="UserBaseDn">dc=example,dc=local</variable>
to
<variable name="UserBaseDn">ou=customer1,dc=example,dc=local</variable>

the invalid string "OU=customer1,example.local" appears in the "Active Directory domain name" setting and in the "Kerberos realm" setting in the admin console. The domain part of the LDAP credentials is also changed to this string. At that point, no new users can be added from AD, existing users can't authenticate anymore, and the domain is effectively dead as far as AD integration is concerned.

Also, the various text fields in the admin console under Domain -> "Directory Service" and "Advanced" appear to change themselves according to what you write in other fields.

Anyone from Kerio care to comment? Is it not possible to map AD users from a specific OU to a mail domain anymore, or is there a different way?
TorW

Messages: 769
Karma: 9
Never mind, I got it to work by creating separate Kerberos realms for every mail domain that is mapped to the specific AD domain, using the relevant realm in the Advanced tab in the domain setup, and lastly putting the complete (canonical) OU and DC in mailserver.cfg. The downside is that you absolutely cannot touch anything on the "Directory Service" tab in the domain setup afterwards.

The latter is due to some over-eager and "helpful" validation when you enter or leave the various text fields in the Directory Service setup.

Also, the OUs have to be entered as below if they are nested, i.e. you have an OU named AcmeWidgets in an OU named Customers. KB article 413 only deals with an OU directly under the root container.
<variable name="UserBaseDn">ou=AcmeWidgets,ou=Customers,dc=example,dc=com</variable>

The relevant parts of the Kerberos config file (usually /etc/krb5.conf) now look like this. Mail domain is acmewidgets.com and AD domain is example.com. 10.99.1.12 is the domain controller's IP.

[realms]
ACMEWIDGETS.EXAMPLE.COM = {
	kdc = 10.99.1.12:88
	admin_server = 10.99.1.12:88
	default_domain = acmewidgets.com
}

[domain_realm]
acmewidgets.com = ACMEWIDGETS.EXAMPLE.COM

[Updated on: Thu, 25 August 2011 20:54]
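The mapping worked out in this thread has three pieces that must agree: a UserBaseDn that scopes one mail domain to one OU (most specific component first, dc= components last), an AD domain name / Kerberos realm field that must never receive DN syntax (the "OU=customer1,example.local" failure above), and a per-mail-domain realm in krb5.conf. The following script is an added example, not Kerio's code and not from any poster: it reads a constructed mailserver.cfg-style fragment (the <config>/<domain name=...> layout is an assumption; only the <variable name="UserBaseDn"> line mirrors the post), validates each base DN, derives the AD DNS domain from the dc= parts, names the realm the way the last post does (first label of the mail domain plus the AD domain, upper-cased), and emits the matching [realms]/[domain_realm] stanza. The validation step is what an administrator would run before restarting the server, since a bad value in this file silently breaks AD integration for the whole domain.

```python
"""Validate per-mail-domain OU mappings and emit krb5.conf stanzas.
Added example; the config layout below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed sample. Real mailserver.cfg structure differs; only the
# UserBaseDn variable line follows the form shown in the thread.
SAMPLE_CFG = """<config>
  <domain name="acmewidgets.com">
    <variable name="UserBaseDn">ou=AcmeWidgets,ou=Customers,dc=example,dc=com</variable>
  </domain>
  <domain name="customer1.com">
    <variable name="UserBaseDn">ou=customer1,dc=example,dc=local</variable>
  </domain>
</config>
"""

RDN = re.compile(r"^\s*([A-Za-z]+)\s*=\s*([^,]+?)\s*$")


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, most specific first."""
    parts = []
    for rdn in dn.split(","):
        m = RDN.match(rdn)
        if not m:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parts.append((m.group(1).lower(), m.group(2)))
    return parts


def check_base_dn(dn):
    """Enforce the ordering the thread shows: ou= components first, then
    only dc= components, with at least one of each. Returns the AD DNS
    domain derived from the dc= values (e.g. example.com)."""
    parts = parse_dn(dn)
    attrs = [a for a, _ in parts]
    if "dc" not in attrs:
        raise ValueError(f"{dn!r} has no dc= components")
    first_dc = attrs.index("dc")
    if any(a != "dc" for a in attrs[first_dc:]):
        raise ValueError(f"{dn!r}: ou= components must precede all dc= components")
    if "ou" not in attrs[:first_dc]:
        raise ValueError(f"{dn!r} does not scope the mail domain to an OU")
    return ".".join(v for a, v in parts if a == "dc")


def is_dns_name(value):
    """Domain-name and realm fields must hold a plain DNS-style name,
    never DN syntax such as 'OU=customer1,example.local'."""
    return re.fullmatch(r"[A-Za-z0-9.-]+", value) is not None


def realm_name(mail_domain, ad_domain):
    """Realm naming convention from the last post: ACMEWIDGETS.EXAMPLE.COM
    for mail domain acmewidgets.com against AD domain example.com."""
    return f"{mail_domain.split('.')[0]}.{ad_domain}".upper()


def krb5_fragment(mail_domain, ad_domain, kdc):
    """Render the [realms] and [domain_realm] entries for one mail domain."""
    realm = realm_name(mail_domain, ad_domain)
    return (
        "[realms]\n"
        f"{realm} = {{\n"
        f"\tkdc = {kdc}:88\n"
        f"\tadmin_server = {kdc}:88\n"
        f"\tdefault_domain = {mail_domain}\n"
        "}\n\n"
        "[domain_realm]\n"
        f"{mail_domain} = {realm}\n"
    )


def plan_from_cfg(cfg_text):
    """Return {mail_domain: (realm, ad_domain, base_dn)} after validating
    every mapping; raises ValueError on the first bad entry."""
    plan = {}
    for dom in ET.fromstring(cfg_text).findall("domain"):
        mail_domain = dom.get("name")
        var = dom.find("variable[@name='UserBaseDn']")
        if var is None or not var.text:
            raise ValueError(f"{mail_domain}: missing UserBaseDn")
        base_dn = var.text.strip()
        ad_domain = check_base_dn(base_dn)
        realm = realm_name(mail_domain, ad_domain)
        if not (is_dns_name(mail_domain) and is_dns_name(ad_domain) and is_dns_name(realm)):
            raise ValueError(f"{mail_domain}: DN syntax leaked into a domain/realm field")
        plan[mail_domain] = (realm, ad_domain, base_dn)
    return plan


if __name__ == "__main__":
    for mail_domain, (realm, ad_domain, base_dn) in plan_from_cfg(SAMPLE_CFG).items():
        print(f"# {mail_domain}: base DN {base_dn}")
        print(krb5_fragment(mail_domain, ad_domain, "10.99.1.12"))
```

Run it against your own exported fragment before restarting the server: a DN with dc= components out of order, or a DN that has found its way into a domain-name field, is rejected with a message naming the offending mail domain.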
