Modify AD password in Kerio Connect
  •  
iamcj

My Kerio Connect is authenticated by Windows AD.

For those employees working remotely, I asked them to use the "change password" function in Kerio Connect.

But since one day, I found this does NOT work. Kerio only prompts "new password is invalid".

Of course the password is OK for AD's rule.

Which debug option should I enable to see the details?
  •  
hberm001

I wonder, are your users added as users from directory service or as local users with kerberos authentication?
  •  
iamcj

Add local user (because the template cannot be automatically applied to AD-wizard users)

then set its authentication to kerberos.
  •  
Pavel Dobry (Kerio)

Are you sure the passwords don't contain some special characters?
Enable debug logging for User Authentication; it should give you a hint about what's wrong.
  •  
iamcj

OK, I opened the debug, made the test, please see below

Login successful
[30/Aug/2012 10:12:39][2832] {auth} Krb5: entering auth (user chenjian<_at_>DOMAIN.LOCAL)
[30/Aug/2012 10:12:39][2832] {auth} Krb5 auth: user chenjian<_at_>DOMAIN.LOCAL authenticated

Password change failed
[30/Aug/2012 10:13:14][5208] {auth} USERS: Changing password for user chenjian<_at_>hztrust.com, type=3
[30/Aug/2012 10:13:14][5208] {auth} Krb5: entering auth (user chenjian<_at_>DOMAIN.LOCAL)
[30/Aug/2012 10:13:14][5208] {auth} Krb5 auth: user chenjian<_at_>DOMAIN.LOCAL authenticated
[30/Aug/2012 10:13:14][5208] {auth} Kerberos 5 auth: password for chenjian<_at_>DOMAIN.LOCAL not changed, error code c000006c
  •  
Petr Dobry (Kerio)

If you would google that error code, you would get the following explanation:

Quote:
This problem occurs if the following conditions are true:

The user does not meet some password policy requirements when the user changes the password.

Petr Dobry
Product Development Manager | Kerio
  •  
iamcj

I do have some password policy requirements in AD, but I'm sure the new password met the requirement.

With the same password, it can be changed by Windows, but failed in Kerio...
  •  
iamcj

Please help. For those employees outside, it's a simple way to use Kerio Connect to modify their password.
  •  
Charles B

iamcj,

I figured I would duplicate your issue with a test account on my server.

I was able to log into webmail using a normal user's account, change the password successfully, and then log out and back into webmail using the new password. It all worked with no problems using basic numbers and letters.


I then tried a few passwords that didn't meet the complexity requirements. It wouldn't let me, although I was never able to get the error code you got. They all gave errors that looked like this:
[18/Sep/2012 18:10:22][22140] {auth} USERS: Changing password for user Test<_at_>Charles_B.COM, type=3
[18/Sep/2012 18:10:22][22140] {auth} Trying to change password for user Test<_at_>Charles_B.COM
[18/Sep/2012 18:10:23][22140] {auth} Krb5: change_password(): Soft error, result code 0x00000004 (4 ) 


As soon as I went back to using passwords that met the AD policy, they worked again.
Sorry, I tried to help--Unfortunately, it worked fine for me.


I did run into a pretty nasty bug with Kerio in the process.
It seems that Kerio will let you change your password to something that it then will not let you use. And since you can't log back into webmail with your new password, you are not able to change it to something that Kerio will accept.

I tried adding some box drawing characters to the password (like └┼┬┤). Both Windows and Kerio accept them as valid password characters, and both AD and Kerio (as long as it is a local account) will let me log in using them, but Kerio won't let me authenticate with AD if the password contains them.

Kerio accepted the password, Windows accepted the change, and then Kerio wouldn't let me get email or log into webmail any more. The error looked like this:
[18/Sep/2012 17:57:22][21590] {auth} Krb5: get_init_creds_password(krbtgt/Charles_B.COM@Charles_B.COM, Test<_at_>Charles_B.COM): Preauthentication failed, error code 0x96c73a18 (-1765328360)
[18/Sep/2012 17:57:23][1033] {auth} Krb5: get_init_creds_password(krbtgt/Charles_B.COM@Charles_B.COM, Test<_at_>Charles_B.COM): Preauthentication failed, error code 0x96c73a18 (-1765328360)


I had to log my test user into a Windows machine using my new password in order to change the password to something without extended characters.

Mid 2015: Quit Kerio and moved to Exchange 2013 and Meraki.
Kerio Control 8.4.0--Used since it was WinRoute, many years ago
Kerio Connect 8.4.0 on Ubuntu. Bought Connect just in time for the switch to NO SUPPORT(aka pay for support). Not. Happy.
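
Added example (not part of any post above, and not Kerio's code): a short Python triage of the {auth} debug lines quoted in this thread, mapping the three failure codes seen so far to their standard names. The sample lines are copied from the posts; the function names and the rule table are this example's own.

```python
import re

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\] \{auth\} (?P<msg>.*)$")

# Only the codes that appear in this thread are listed.
NTSTATUS = {0xC000006C: "STATUS_PASSWORD_RESTRICTION: new password rejected by password policy"}
KPASSWD = {4: "KRB5_KPASSWD_SOFTERROR: RFC 3244 soft error on a change request"}
KRB5 = {-1765328360: "KRB5KDC_ERR_PREAUTH_FAILED: pre-authentication failed"}

# (regex over the message, code family, lookup table, code is signed 32-bit)
RULES = [
    (re.compile(r"not changed, error code ([0-9a-fA-F]{8})\b"), "ntstatus", NTSTATUS, False),
    (re.compile(r"change_password\(\): .*result code 0x([0-9a-fA-F]+)"), "kpasswd", KPASSWD, False),
    (re.compile(r"get_init_creds_password\(.*error code 0x([0-9a-fA-F]+)"), "krb5", KRB5, True),
]

def to_signed32(value):
    """krb5 error-table codes are negative 32-bit values that the log prints as hex."""
    return value - (1 << 32) if value & 0x80000000 else value

def triage(lines):
    """Return one finding per {auth} line that carries a known failure code."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        for pattern, family, table, signed in RULES:
            hit = pattern.search(m["msg"])
            if hit:
                code = int(hit.group(1), 16)
                code = to_signed32(code) if signed else code
                findings.append({"time": m["ts"], "thread": int(m["tid"]), "family": family,
                                 "code": code, "meaning": table.get(code, "unknown code")})
                break
    return findings

SAMPLE = [  # copied from the posts above
    "[30/Aug/2012 10:13:14][5208] {auth} Krb5 auth: user chenjian<_at_>DOMAIN.LOCAL authenticated",
    "[30/Aug/2012 10:13:14][5208] {auth} Kerberos 5 auth: password for chenjian<_at_>DOMAIN.LOCAL not changed, error code c000006c",
    "[18/Sep/2012 18:10:23][22140] {auth} Krb5: change_password(): Soft error, result code 0x00000004 (4 ) ",
    "[18/Sep/2012 17:57:22][21590] {auth} Krb5: get_init_creds_password(krbtgt/Charles_B.COM@Charles_B.COM, Test<_at_>Charles_B.COM): Preauthentication failed, error code 0x96c73a18 (-1765328360)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['time']} thread={f['thread']} {f['family']} {f['code']}: {f['meaning']}")
```

The two password-change failures surface through different code families (an NTSTATUS value in one log, a kpasswd result code in the other), so a triage rule keyed on only one of them would miss the other.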
  •  
iamcj

Thanks Charles B, with your guidance I have located the exact error, which is caused by the characters.

We all know there can be a complexity rule for the password in AD; that's a unique rule which cannot be modified, we can only choose to use it or not.

For example, my old password, which met the complexity rule, is Qwerty))
Now I can use this password in both AD and Kerio (auth by AD).

1. Change to Asdfgh1: success, both AD and Kerio can use the new password.
2. Change to Zxcvbn((: failed, it seems Kerio cannot accept characters like !@#$%^&*()

So it's clear, Kerio's "change password" function can only use basic numbers and letters, but not other standard characters. It's an obvious problem.

And, in my memory, some old versions of Kerio do NOT have this issue.
  •  
iamcj

just want to know if anyone can confirm this:)
  •  