Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » Active Directory authentication slow (AD authentication is extremely slow)
  •  
irow

Messages: 56
Karma: 4
Send a private message to this user
I have a fresh Kerio 8.0.0 install on CentOS 6.0 authenticating users against Active Directory (Windows Server 2008 R2). I have 12 Active Directory users. Kerio is fast all around except for the initial authentication; I have tested both the webmail and Outlook 2012 (Mac) and both take around 20-30 seconds to respond.

Has anyone else come across this problem?
  •  
t.trumpfheller@moovit.de

Messages: 2
Karma: 0
Send a private message to this user
Hi irow,

i have exactly the same problem with the latest version of kerio 8.5.3 (runs on linux) and a windows 2012 R2 server as AD. the AD server does only authentication, nothing else. i already raised the maximum result size which does not help at all. Does anyone has a idea or maybe found a solution for this?
  •  
Pavel Dobry (Kerio)

Messages: 5178
Karma: 245
Send a private message to this user
Looks like a DNS problem in your network. Make sure that Kerberos client is configured properly and krb5.conf file contains hostnames for your AD server: http://kb.kerio.com/product/kerio-connect/virtual-appliance- linux/joining-kerio-connect-running-on-linux-to-open-directo ry-or-active-directory-308.html#krb5steps

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
t.trumpfheller@moovit.de

Messages: 2
Karma: 0
Send a private message to this user
Hi Pavel,

thanks fo rthe quick reply. i cannot see any dns problem sin my newtork, also the krb5 config looks good for me.

here is my config file:
[libdefaults]
default_realm = MOOVIT.HOME
dns_lookup_realm = false
dns_lookup_kdc = false

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
MOOVIT.HOME = {
kdc = ad1.moovit.home
admin_server = ad1.moovit.home
default_domain = moovit.home
}

[domain_realm]
.moovit.home = MOOVIT.HOME
moovit.home = MOOVIT.HOME

[login]
krb4_convert = true
krb4_get_tickets = false


and here are some nslookups:
root@kerio-connect-appliance:~# nslookup ad1
Server: 192.168.123.221
Address: 192.168.123.221#53

Name: ad1.moovit.home
Address: 192.168.123.221

root<_at_>kerio-connect-appliance:~# nslookup ad1.moovit.home
Server: 192.168.123.221
Address: 192.168.123.221#53

Name: ad1.moovit.home
Address: 192.168.123.221

root<_at_>kerio-connect-appliance:~# nslookup 192.168.123.221
Server: 192.168.123.221
Address: 192.168.123.221#53

221.123.168.192.in-addr.arpa name = ad1.moovit.home.
Previous Topic: Public folders missing
Next Topic: big issues with Outlook 2011 and meeting changes
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Fri Mar 24 05:15:00 CET 2017

Total time taken to generate the page: 0.00918 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.