CentOS Can't Authenticate Using macOS Open Directory (Kerberos is working from the OS but not from Kerio Connect)

I encountered this once before so I feel really bad that I can't find my notes on how I resolved this...

We have a CentOS 7 server with Kerio Connect 9.2.4 (3252) and we've set up Kerberos to work with our macOS 10.11.6 Open Directory server. Kerio gets a complete list of all users from LDAP, but it can't authenticate any LDAP users using Kerberos. I can authenticate a user through Kerberos using kinit against the OD server. That works perfectly. Email is being delivered into all the directory users' inboxes.

On the mail server, a sample of the relevant error:

HTTP/EWS: Authentication failed for user training@ Attempt from IP address External authentication service rejected authentication due to invalid password or authentication restriction.

But on the directory server it's not so clear; there are 'errors' and non-errors:

Oct  2 15:39:15 od kdc[104]: AS-REQ diradmin@OD.SERVER.COM from for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct  2 15:39:15 --- last message repeated 1 time ---
Oct  2 15:39:15 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Oct  2 15:39:15 od kdc[104]: ENC-TS pre-authentication succeeded -- diradmin@OD.SERVER.COM
Oct  2 15:39:15 od kdc[104]: DSUpdateLoginStatus: Unable to synchronize login time for diradmin: 77009
Oct  2 15:39:15 od kdc[104]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct  2 15:39:15 od kdc[104]: Requested flags: renewable, forwardable

Both servers are synced to the same time server and their times match to within less than one second. The error about not being able to synchronize time may be unimportant, as I see that one all over my searches and mostly the causes don't apply in our environment. We have good, tested DNS and a working internal time server. As mentioned earlier, if I connect to the Kerio server using ssh and then authenticate any user using kinit, the user gets logged in, but when this is done through Kerio it fails, even though it looks like there is no error on the OD server side.

[server names have been changed to protect the guilty]

[Updated on: Wed, 04 October 2017 00:57]



I recently had this exact same problem. I was getting "external authentication service rejected authentication due to invalid password or authentication restriction." LDAP worked fine, as did kinit from the server command line. We are running Kerio on CentOS 7 64-bit, connecting to an OD server for authentication.

In our case, it turned out something was wrong with our krb5.keytab file. If you navigate to /etc on your server, you will find it there. What I did was copy it to a different file as a backup, like this:

$ cp krb5.keytab krb5.keytab.sep.2017.bak

Then remove the original:

$ rm krb5.keytab

Just doing this immediately resolved the issue for us. Give it a shot, it may help in your case. If not, you can always rename the backup file back to the original name.
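An added diagnostic for the keytab hypothesis above (my script, not from either poster): a service that verifies user passwords over Kerberos normally also requests a service ticket and validates it against its own keytab to rule out KDC spoofing, so a keytab whose key version no longer matches the KDC can make the KDC log "pre-authentication succeeded" while the service still rejects the login. The script compares the kvno of each keytab principal with the kvno the KDC currently reports; it assumes MIT krb5 tool output (CentOS), and the sample principals in the comments and tests are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from this thread): does each principal in a keytab
# still carry the key version (kvno) the KDC currently has? A stale kvno is
# one way a keytab breaks a service's ticket validation while kinit works.
# Assumes MIT krb5 tool output (CentOS); principal names are constructed.

# Parse `klist -kt` output into sorted "principal kvno" lines, keeping only
# the highest kvno per principal (a keytab may legitimately hold old keys).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { if ($1 + 0 >= max[$NF]) max[$NF] = $1 + 0 }
         END { for (p in max) print p, max[p] }' | sort
}

# Parse `kvno` output ("principal: kvno = N") into "principal kvno" lines.
kdc_entries() {
    awk -F': kvno = ' 'NF == 2 { print $1, $2 }' | sort
}

# compare_kvno KEYTAB_LIST KDC_LIST: both arguments are "principal kvno" text.
# Prints one verdict per keytab principal; returns 1 if any is missing/stale.
compare_kvno() {
    kdc_list=$2
    rc=0
    while read -r princ kt_kvno; do
        [ -n "$princ" ] || continue
        kdc_kvno=$(printf '%s\n' "$kdc_list" | awk -v p="$princ" '$1 == p { print $2 }')
        if [ -z "$kdc_kvno" ]; then
            echo "MISSING $princ (not known to the KDC, or kvno lookup failed)"
            rc=1
        elif [ "$kdc_kvno" != "$kt_kvno" ]; then
            echo "STALE $princ keytab=$kt_kvno kdc=$kdc_kvno"
            rc=1
        else
            echo "OK $princ kvno=$kt_kvno"
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Live check on a host: needs klist/kvno and a valid ticket (run kinit first).
check_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    kt=$(klist -kt "$keytab" | keytab_entries)
    kdc=$(printf '%s\n' "$kt" | awk '{ print $1 }' | xargs kvno 2>/dev/null | kdc_entries)
    compare_kvno "$kt" "$kdc"
}
if [ $# -gt 0 ]; then check_keytab "$1"; fi
```

Run it as `sh check_keytab.sh /etc/krb5.keytab` after a kinit; any STALE or MISSING line means the keytab should be regenerated on the KDC side rather than just deleted.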


Thank you for the suggestion. Actually, our CentOS 7 64-bit system did not have a .keytab file. I had manually created the krb5.conf file, as well as trying to use the authconfig app to create one. In both cases it made no difference to Kerio. In the spirit of trying everything I went ahead and created a keytab file and tested it, but it hasn't made a difference.