Active Directory authentication problem
  •  
Robert D Moore

My Kerio Connect server died last Friday. Luckily I had a backup of the data.

I rebuilt using new hardware, running CentOS 6.3 and Kerio Connect 7.4.2 build 7694.
Restored from backup, and after some messing around it is mostly working.
Except for one thing.

No one can check email.
I can log into the Administration web app with the Admin user.
I can see email coming into the server.
I cannot log into the webmail. When I try I get "Incorrect username or Password."
IMAP also fails.

It did work prior to the death of my server.


I use a Windows 2003 AD server.
When I go to "Directory Service" and click "Test Connection", it tells me it was successful.
I even tried changing the password to be incorrect, and tested. Sure enough the test told me the password was wrong.

I am obviously missing something, but I just have no idea what it is.


Last note: before the server died, if I rebooted it, it would take over an hour to allow logins. But once that time was up it would work fine.
Restarting just the mailserver with "/etc/init.d/kerio-connect restart" would not have this delay.

[Updated on: Mon, 17 September 2012 07:44]

  •  
pcunix

Is it possible that you accidentally changed the default domain? That could cause the symptoms you see.

Try logging in as "user@their_domain" rather than just "user".

The other issue that can cause things similar to what you are seeing is a slightly bad Kerberos file. I've seen some strange things happen there where the testing appears to pass but it won't actually work. You can test Kerberos from the command line:

kinit -S host/hostname@KERBEROS_REALM

It's really strange, but this stuff can be "wrong" and yet partially work. I don't begin to understand exactly how Kerio interfaces with Kerberos and AD, but little errors can cause very odd things.

See http://forums.kerio.com/m/88230/?srch=error+code+801#msg_88230 also.

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
Pavel Dobry (Kerio)

I bet the problem is in /etc/krb5.conf configuration and/or the Linux server is not joined into AD domain.
  •  
pcunix

A KB article on testing and troubleshooting Kerberos issues would be a nice addition.. I've thought about writing up something like that but honestly there's a lot about Kerberos I just do not grok and how it interfaces with Kerio is way beyond my understanding.

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
Robert D Moore

I inherited the server from the previous IT person at my company, and it has just run, apart from an occasional software upgrade.
So if I understand correctly I need to do the Kerberos config on the mail server, from the Linux side?

I ask because it seems odd that the test can be run successfully.

Thanks, at least I have a place to start. I was all out of ideas.

[Updated on: Mon, 17 September 2012 14:50]

  •  
Pavel Dobry (Kerio)

The test checks only AD server availability over LDAP. It does not check Kerberos client configuration (because it is in the system).

http://kb.kerio.com/article/how-do-i-join-kerio-connect-running-on-linux-to-open-directory-or-active-directory-308.html
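
Because the "Test Connection" button covers LDAP only, the Kerberos client configuration mentioned in the replies above has to be checked on the Linux side. A static sanity check of krb5.conf, as an added example that is not part of the original thread or of Kerio's tooling; the function names and status strings are hypothetical and the sample file is constructed:

```shell
# Added example: static check of a krb5.conf. Names and status strings are hypothetical.
# Print default_realm from [libdefaults]; prints nothing if it is not set.
krb5_default_realm() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Succeed if [realms] holds a multi-line block for realm $2 with a kdc entry.
krb5_realm_has_kdc() {
    awk -v realm="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_realms = ($0 ~ /^[ \t]*\[realms\]/); in_block = 0; next }
        !in_realms    { next }
        { line = $0; gsub(/[ \t]/, "", line) }
        line == (realm "={")       { in_block = 1; next }
        in_block && line == "}"    { in_block = 0 }
        in_block && line ~ /^kdc=/ { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print one status line for the file in $1; return 0 only for "ok:<REALM>".
krb5_conf_check() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] || { echo "no-default-realm"; return 1; }
    # AD realm names are the upper-case DNS domain; realm names are case-sensitive.
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "realm-not-uppercase:$realm"; return 1; }
    # Without a kdc entry the client depends on DNS SRV lookup of the KDC.
    krb5_realm_has_kdc "$1" "$realm" || { echo "no-kdc-entry:$realm"; return 1; }
    echo "ok:$realm"
}

# Constructed sample (not from the thread); on a real host pass /etc/krb5.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.LOCAL
[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
    }
EOF
krb5_conf_check "$sample"
rm -f "$sample"
```

A passing result only says the file is internally consistent; the kinit commands quoted in this thread are still the live test against the KDC.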
  •  
Robert D Moore

Well you guys were partly right.
I wasn't connected to the domain.
That is corrected.

But I still can't login.


kinit -S host/hostname@KERBEROS_REALM
Now works successfully.

wbinfo -u
Will give me a list of all my users.

kinit username
Will work with any user I throw at it.


I am still confused.
I have some vague memory that somehow you needed to tell Kerberos what application was using it.

Maybe some kerio config file?


Thanks for the good ideas so far.
  •  
Pavel Dobry (Kerio)

Enable User authentication in Kerio Connect debug log. It will show you what's wrong.
  •  
Robert D Moore

I got it!
"Try logging in as "user@their_domain" rather than just "user"."
The above line gave me the hint.
Then I saw something in the Kerio docs about the "advanced" tab under Domain properties. I checked that and it seemed like what was entered there was not what it should be.

Changed it and within seconds I could see people connecting.

I am back in business. Thanks everyone.
  •  
pcunix

Well, that's odd if the server has been running all along..

Unless.. are you on an old version that did not include configuration files in the backup? That might explain why you lost important settings.

If so, you should upgrade.

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com