Kerio Connect forum: LDAP Authentication vs. OpenDirectory Password Server (External authentication service rejected authentication due to invalid password or authentication restriction.)
  •  
Tim Rodriguez

Messages: 10

Karma: 2
I've set up a test installation of Connect 8.1.1 on my Xserve running OS X 10.6.8 and have mirrored the settings from my primary installation of 7.4.3 to make sure that everything is in order before updating.

I'm getting this error when I try to test a user that should be authenticating over LDAP (and works on the primary install).

[21/Jun/2013 17:03:06] HTTP/WebMail: Authentication failed for user USERNAME@DOMAIN.COM. Attempt from IP address 10.0.1.111. External authentication service rejected authentication due to invalid password or authentication restriction.


The LDAP connection tests just fine and imports users with no problem, but I haven't been able to find any reasons why the authentication service would fail this way. Help!
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Enable Authentication in the debug log.
  •  
Tim Rodriguez

Messages: 10

Karma: 2
[21/Jun/2013 18:03:39][4488740864] {auth} Authenticating user USER@DOMAIN.COM...
[21/Jun/2013 18:03:39][4488740864] {auth} Cannot copy authorization rights for user USER. The authorization was denied. Code -60005
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
I would recommend setting up and using Kerberos instead of Password Server for authentication. It is more secure, more modern and more advanced (it allows users to change their passwords).
  •  
Tim Rodriguez

Messages: 10

Karma: 2
Sounds good. So does that mean that Password Server isn't supported any longer?
  •  
Vicky Tripp

Messages: 656

Karma: 81
Hi Tim,

Password Server is still supported by us, but Kerberos is much more advanced. Password Server is limited and can be difficult to fix (from a server-side perspective), whereas Kerberos, like my colleague said, is more secure and modern and will give you more flexibility.

All the best,
Vicky
  •  
Tim Rodriguez

Messages: 10

Karma: 2
I've shifted the authentication to OpenDirectory Kerberos5, but I'm still having trouble logging in from the test mailserver to a separate LDAP server.

[04/Jul/2013 00:49:01][4505759744] {auth} Authenticating user test@HOST.COM...
[04/Jul/2013 00:49:01][4505759744] {auth} Krb5: entering auth (user: test@KRB.REALM.COM)
[04/Jul/2013 00:49:02][4505759744] {auth} Krb5: get_init_creds_password(krbtgt/KRB.REALM.COM@KRB.REALM.COM, test@KRB.REALM.COM): Cannot resolve network address for KDC in requested realm, error code 0x96c73adc (-1765328164)
[04/Jul/2013 00:49:03][140735072537792] {auth} Krb5: get_init_creds_password(krbtgt/KRB.REALM.COM@KRB.REALM.COM, test@KRB.REALM.COM): Cannot resolve network address for KDC in requested realm, error code 0x96c73adc (-1765328164)

Finally, I made a replica of the directory on the secondary testing server, and pointed the Directory Service hostname to that testing server, and bound the Kerberos realm to the loopback address. And now finally I've got it working.

I'm still interested in potentially splitting out the services, so I'm still interested in trying to connect to an OD Server that is not on the same machine.
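The two failure modes quoted in this thread (the Password Server path's "Code -60005" and the Krb5 path's "Cannot resolve network address for KDC in requested realm") can be triaged mechanically from the Authentication debug log. The script below is an added example, not Kerio code and not from any poster: it parses constructed log lines modelled on the ones above (with the forum's <_at_> obfuscation written back as @), maps the signed krb5 error code to its MIT symbolic name via the com_err table offset, and checks a krb5.conf text for a kdc entry for the realm, which is what binding the realm to the loopback address supplied in the poster's fix. The reading of -60005 as macOS Authorization Services' errAuthorizationDenied is an assumption, labelled as such in the code.

```python
"""Triage Kerio Connect {auth} debug-log failures and check krb5.conf for a KDC.

Added example for this forum thread; not Kerio code. Log lines and krb5.conf
texts below are constructed, modelled on the formats quoted in the posts.
"""
import re
from typing import Dict, List, Optional

# MIT Kerberos com_err table: a libkrb5 error code is BASE + table index.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client principal not in KDC database
    24: "KRB5KDC_ERR_PREAUTH_FAILED",      # wrong password
    37: "KRB5KRB_AP_ERR_SKEW",             # clock skew too great
    154: "KRB5_REALM_UNKNOWN",             # no KDC known for the realm
    156: "KRB5_KDC_UNREACH",               # KDC known but not answering
    220: "KRB5_REALM_CANT_RESOLVE",        # KDC address cannot be resolved (this thread)
}
# Assumption: "Code -60005" on the Password Server path is macOS Authorization
# Services' errAuthorizationDenied (-60005); the thread does not confirm this.
AUTH_SERVICES_NAMES = {-60005: "errAuthorizationDenied"}

KRB5_LINE = re.compile(
    r"\{auth\} Krb5: get_init_creds_password\((?P<service>[^,]+), (?P<principal>[^)]+)\): "
    r"(?P<message>.*?), error code 0x[0-9a-fA-F]+ \((?P<code>-?\d+)\)"
)
PWS_LINE = re.compile(
    r"\{auth\} Cannot copy authorization rights for user (?P<user>\S+)\. .*Code (?P<code>-?\d+)"
)

# Constructed sample log lines, modelled on those quoted in the thread.
SAMPLE_LOG = [
    "[21/Jun/2013 18:03:39][4488740864] {auth} Cannot copy authorization rights for user USER. "
    "The authorization was denied. Code -60005",
    "[04/Jul/2013 00:49:02][4505759744] {auth} Krb5: get_init_creds_password("
    "krbtgt/KRB.REALM.COM@KRB.REALM.COM, test@KRB.REALM.COM): "
    "Cannot resolve network address for KDC in requested realm, error code 0x96c73adc (-1765328164)",
    "[04/Jul/2013 00:50:11][4505759744] {auth} Krb5: get_init_creds_password("
    "krbtgt/KRB.REALM.COM@KRB.REALM.COM, test@KRB.REALM.COM): "
    "Preauthentication failed, error code 0x96c73a18 (-1765328360)",
]

# Constructed krb5.conf texts: realm absent from [realms] (no KDC to resolve),
# and the realm bound to loopback as the poster ended up doing.
BROKEN_CONF = """
[libdefaults]
    default_realm = KRB.REALM.COM
    dns_lookup_kdc = false
[realms]
    OTHER.EXAMPLE.COM = {
        kdc = kdc.other.example.com
    }
"""
FIXED_CONF = """
[libdefaults]
    default_realm = KRB.REALM.COM
[realms]
    KRB.REALM.COM = {
        kdc = 127.0.0.1:88
    }
"""


def krb5_error_name(code: int) -> str:
    """Map a signed libkrb5 error code to its symbolic name via the table offset."""
    index = code - KRB5_ERROR_TABLE_BASE
    return KRB5_ERROR_NAMES.get(index, f"KRB5_ERROR_INDEX_{index}")


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Classify one {auth} debug line; None if it is not a failure this script knows."""
    m = KRB5_LINE.search(line)
    if m:
        code = int(m.group("code"))
        return {"backend": "krb5", "principal": m.group("principal"),
                "code": str(code), "name": krb5_error_name(code)}
    m = PWS_LINE.search(line)
    if m:
        code = int(m.group("code"))
        return {"backend": "password_server", "principal": m.group("user"),
                "code": str(code), "name": AUTH_SERVICES_NAMES.get(code, "unknown")}
    return None


def realm_kdcs(krb5_conf: str, realm: str) -> List[str]:
    """Return the kdc values for `realm` from the [realms] section (empty if none)."""
    section, in_realm, kdcs = None, False, []
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, in_realm = line[1:-1], False
        elif section != "realms":
            continue
        elif line.endswith("{"):
            in_realm = line[:-1].split("=", 1)[0].strip() == realm
        elif line == "}":
            in_realm = False
        elif in_realm and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "kdc":
                kdcs.append(value)
    return kdcs


def explain_realm(krb5_conf: str, realm: str) -> str:
    """One-line verdict on whether this krb5.conf names a KDC for `realm`."""
    kdcs = realm_kdcs(krb5_conf, realm)
    if kdcs:
        return f"{realm}: kdc = {', '.join(kdcs)}"
    return (f"{realm}: no kdc entry in [realms]; without DNS SRV records for "
            f"_kerberos._udp.{realm.lower()} expect KRB5_REALM_CANT_RESOLVE")


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage_line(entry))
    print(explain_realm(BROKEN_CONF, "KRB.REALM.COM"))
    print(explain_realm(FIXED_CONF, "KRB.REALM.COM"))
```

Run it against a real Kerio debug log by feeding lines to triage_line, and against the host's krb5.conf (or the realm mapping on the Mac) with realm_kdcs: a krb5 failure with KRB5_REALM_CANT_RESOLVE or KRB5_REALM_UNKNOWN points at the realm/KDC configuration on the mail server, while KRB5KDC_ERR_PREAUTH_FAILED means the KDC was reached and the credential itself was rejected.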
  •  
Jonas Rodrigues (Kerio)

Messages: 262
Karma: 22
Hi Tim,

Please see:

http://manuals.kerio.com/connect/adminguide/en/sect-krbmac.html

Look at the section "Authentication against Open Directory".

All the best,


Kerio Technical Support
Log Support Incidents here: http://www.kerio.com/support
Also, please use our KB: http://kb.kerio.com
  •  
Tim Rodriguez

Messages: 10

Karma: 2
Thanks so much for your help, got it all working!

-TR
  •  
gskibum

Messages: 35
Karma: 1
I ran into this same thing today on a new Kerio Connect I'm setting up.

The link posted above by Jonas is now dead. I turned up this one instead.
http://kb.kerio.com/product/kerio-connect/server-configuration/ldap-and-directory-services/kerberos-authentication-with-osx-107-against-an-opendirectory-server-911.html

Reading through that caused me to realize that I had bound Kerio Control to the OD (which successfully tested just like for the OP), but I had neglected to bind the Mac that is hosting Kerio Control. I bound the Mac host and sure enough the problem went away. It wasn't even necessary to reboot or follow the procedure in the KB.

FYI this environment is a macOS Sierra hosting Kerio Control and the OD server is running Server 5.x.

Thank you.