Kerio, CentOS7 and AD LDAP KDC Authentication (Solution to problems with authenticating against Active Directory using Kerberos on a CentOS 7 server)
marketconnections:
Fought this one for several hours and am posting a fix in case anyone else runs into problems like we did.

We set up a brand new CentOS 7 instance, installed Kerio and set it up to map accounts from our Active Directory server. Despite setting it up in Kerio Admin identically to our previous server on CentOS 6, and seeing all the users populate properly, we were unable to actually log in using any of the AD accounts.

The Kerio Debug log kept reporting error code 0x00000016:

Krb5: entering auth (user: username<_at_>AD.MYDOMAIN.COM)
Krb5: init_context(): failed, error code 0x00000016 (22)

The Security log kept saying:
HTTP/WebMail: Authentication failed for user user<_at_>domain.com. Attempt from IP address xx.xx.xx.xx. External authentication service rejected authentication due to invalid password or authentication restriction.

This was despite the fact that we had successfully tested the config in the Admin interface (the Test button responded OK), that we had successfully bound the machine to AD using SSSD, and that we could successfully log in to the machine over SSH with one of our AD accounts.

FIX:
The problem was this line from the top of the default krb5.conf file, which we had left in:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

After commenting out the includedir line, authentication magically started working.

I did a few tests and it doesn't seem to matter where in the krb5.conf file this line appears. The line seems to shut down the ability for Kerberos to read anything in the main config file.
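An added example, not part of this post or of Kerio's own code: a Kerberos library build that does not recognise the includedir directive rejects the file instead of skipping the line, so an alternative to commenting it out is to produce a krb5.conf with the snippet files pasted in place, which keeps whatever the snippet directory contributes and parses on either kind of library. It assumes MIT-style includedir rules (snippet names made of alphanumerics, '-' and '_', optionally ending in '.conf') and uses a constructed sample layout in a temporary directory.

```python
import os
import re
import tempfile

# Snippet names libkrb5 reads from an includedir: alphanumerics, '-' and '_',
# optionally ending in '.conf'; other names (editor backups, dotfiles) are skipped.
_SNIPPET_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")


def flatten_krb5_conf(path, _stack=None):
    """Return the text of `path` with each includedir line replaced by its snippets."""
    _stack = [] if _stack is None else _stack   # files currently being expanded
    real = os.path.realpath(path)
    if real in _stack:
        raise ValueError(f"include cycle at {path}")
    _stack.append(real)
    out = []
    with open(path) as fh:
        for line in fh:
            parts = line.split(None, 1)
            if parts and parts[0] == "includedir":
                d = parts[1].strip()   # a missing directory raises, as the library would fail
                out.append(f"# inlined from: includedir {d}\n")
                for name in sorted(os.listdir(d)):   # sorted so the result is deterministic
                    full = os.path.join(d, name)
                    if _SNIPPET_NAME.match(name) and os.path.isfile(full):
                        out.append(flatten_krb5_conf(full, _stack))
            else:
                out.append(line)   # every other line is kept verbatim
    _stack.pop()
    return "".join(out)


def build_sample_tree(root):
    """Write a constructed CentOS 7 style layout under `root`; return the krb5.conf path."""
    snip = os.path.join(root, "krb5.conf.d")
    os.makedirs(snip)
    with open(os.path.join(snip, "crypto-policies"), "w") as fh:
        fh.write("[libdefaults]\n permitted_enctypes = aes256-cts-hmac-sha1-96\n")
    main = os.path.join(root, "krb5.conf")
    with open(main, "w") as fh:
        fh.write(f"includedir {snip}/\n\n[libdefaults]\n default_realm = AD.MYDOMAIN.COM\n")
    return main


def flatten_sample():
    """Build the sample tree in a temporary directory and return the flattened text."""
    with tempfile.TemporaryDirectory() as tmp:
        return flatten_krb5_conf(build_sample_tree(tmp))


if __name__ == "__main__":
    print(flatten_sample(), end="")
```

Repeated [libdefaults] headers in the result are fine: the profile parser merges sections with the same name, so the output means the same as the original file plus its snippets.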
88fingerslukee:
I had this same problem and support temporarily changed me to LDAP authentication. I'd like to go back to Kerberos.

Unfortunately, this fix did not work for me. I tried it and it still fails. I can't seem to find the debug log options to view Kerberos logs. I had it at one point but I can't find it anymore.

Can you point out where that is?
marketconnections:
Kerberos logs should be in /var/log. The logging directives are in the default krb5.conf file. Docs have the config options:

http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/logging.html#logging

Mind you, mine never worked because of the include directive (I assume) and I never checked if they were working after I fixed that.
kaylab:
It seems to me that the root of the issue is Kerberos ticket lifetime.