Kerio User Forums » Kerio Connect » Not Failing Over to Secondary Active Directory Server
  •  
88fingerslukee

Messages: 172
Karma: 0
Hi there,

Does Kerio Connect actually fail over to the secondary AD server? I have it configured but logins always fail when the primary server goes down. What am I doing wrong?
  •  
Pavel Dobry (Kerio)

Messages: 5141
Karma: 241
Yes it does. Question is whether also Kerberos client does this. If you are on Windows, check Kerberos client setting on server with Kerio Connect. On Linux, check setting in /etc/krb5.conf file.

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
Lionel Hutts

Messages: 13
Karma: 0
We've got the same problem. The entry "admin_server" in krb5.conf only contains one DC. Is it possible to enter the other DC too? I didn't find any hints in the Kerberos Manual.
  •  
Pavel Dobry (Kerio)

Messages: 5141
Karma: 241
Lionel Hutts wrote on Mon, 01 August 2016 10:26
We've got the same problem. The entry "admin_server" in krb5.conf only contains one DC. Is it possible to enter the other DC too? I didn't find any hints in the Kerberos Manual.


Authentication uses KDC servers, not admin_server. You can put multiple "kdc" lines to the krb5.conf file. See example at http://www.h5l.org/manual/HEAD/info/heimdal/Configuration-file.html

[Updated on: Mon, 01 August 2016 17:46]
  •  
Lionel Hutts

Messages: 13
Karma: 0
Thank you Pavel.

Does it mean the following KB article contains wrong instructions?
http://kb.kerio.com/product/kerio-connect/virtual-appliance-linux/joining-kerio-connect-running-on-linux-to-open-directory-or-active-directory-308.html#krb5steps

------------------------------------------------------------------------
[realms]
KERIO.COM = {
kdc = master.kerio.com:88
admin_server = master.kerio.com:749
default_domain = kerio.com
}
------------------------------------------------------------------------

[Updated on: Mon, 01 August 2016 19:59]

  •  
Pavel Dobry (Kerio)

Messages: 5141
Karma: 241
The KB article is correct. The example is for one KDC server. If you have more KDC servers in your domain, you can use more "kdc" lines.
  •  
Lionel Hutts

Messages: 13
Karma: 0
That's not the point. The sample configuration contains the "admin_server" option and you say this is not necessary.
  •  
Pavel Dobry (Kerio)

Messages: 5141
Karma: 241
Lionel Hutts wrote on Tue, 02 August 2016 09:37
That's not the point. The sample configuration contains the "admin_server" option and you say this is not necessary.


I am not saying it is unnecessary. I am saying that authentication is performed against KDC servers and you can have more of them (e.g. master and replica). For changing a password you need access to a Kerberos password server, either via the kpasswd_server option or the admin_server option. So "admin_server" is important if users want to change their passwords.

[Updated on: Tue, 02 August 2016 12:54]
  •  
Lionel Hutts

Messages: 13
Karma: 0
Thank you for the clarification.
Many thanks!
  •  
88fingerslukee

Messages: 172
Karma: 0
Just an FYI for people: there's an easier fix for this if you're using AD DNS with the AD servers under the top-level domain. Instead of entering XXXX.domain.com you can enter just domain.com and it'll use DNS to try all the AD servers. If one isn't online it'll fail over to the next one.
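An added check, not from the thread, the KB article or Kerio, that ties together Pavel's point about multiple "kdc" lines plus a password server and the DNS-based approach above: it parses a krb5.conf and flags realms that would not fail over (fewer than two kdc lines while dns_lookup_kdc is off) or that cannot change passwords (no kpasswd_server and no admin_server). The sample file, host names and the EXAMPLE.COM realm are constructed.

```python
# Constructed sample: KERIO.COM mirrors the thread's single-KDC layout, EXAMPLE.COM has two KDCs.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    dns_lookup_kdc = false
[realms]
    KERIO.COM = {
        kdc = master.kerio.com:88
        admin_server = master.kerio.com:749
    }
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        kdc = dc2.example.com:88
        kpasswd_server = dc1.example.com:464
    }
"""

def parse_krb5_conf(text):
    """Return ({libdefaults key: value}, {REALM: {key: [values]}})."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms" and line.endswith("{"):      # "REALM = {"
            realm = line.split("=", 1)[0].strip()
            realms[realm] = {}
        elif section == "realms" and line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)  # kdc repeats
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def audit(text):
    """Map each realm to its findings; an empty list means it looks fine."""
    libdefaults, realms = parse_krb5_conf(text)
    # dns_lookup_kdc defaults to true in MIT krb5; when on, SRV records supply KDCs
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    report = {}
    for name, keys in realms.items():
        findings, kdcs = [], keys.get("kdc", [])
        if len(kdcs) < 2 and not dns_kdc:
            findings.append("%d kdc line(s), DNS lookup off: no failover" % len(kdcs))
        if not keys.get("kpasswd_server") and not keys.get("admin_server"):
            findings.append("no kpasswd_server or admin_server: password changes fail")
        report[name] = findings
    return report
```

Run `audit(open("/etc/krb5.conf").read())` on the Kerio Connect host to see which realms would strand logins when the single DC goes down.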