Active Directory Password
  •  
sedell

We're having problems with some outside users trying to change their password through the webmail interface. The particular account is tied to Active Directory. I've changed my password before, and others have. This user gets a message "New password is invalid". I've tried to change their password through the web interface and get the same error. Kerio logs:
[16/Dec/2004 11:19:57] Kerberos 5 auth: password for user<_at_>doman.com not changed, error code c00002c3

I've checked Active Directory, and the account is not locked. Any ideas?

Scott
  •  
jshaw541

Error code c00002c3 is a STATUS_MUTUAL_AUTHENTICATION_FAILED error in Windows. I've seen similar messages with GSS and Kerberos stuff on UNIX.

Some things to try:
- Try another password. Maybe even one you know has worked for your account.

- Turn on all your AD and authentication-related options in the debug log section of the KMS Admin Console. Grok the logs and see if you can come up with anything, or post 'em here and let us pore over them.

Kerio MailServer 6.7.1 w/AD
Windows Server 2003 SP 1
Dell PowerEdge 2850 (Dual Xeon 3.2ghz and 2 GB RAM)
~1300 users
~1000+ concurrent IMAPS connections
iPhone users
Outlook 2007 KOFF users
Apple iCal 10.5/10.6 users
  •  
sedell

I tried another password. Same issue. The debug log looks like:

[16/Dec/2004 14:20:51][3576] {http} HTTP connection from mfpc90.internaldomain.com:4848 started
[16/Dec/2004 14:20:51][3576] {http} POST request for URI /default/passwordEdit.php
[16/Dec/2004 14:20:51][3576] {ldapdb} person<_at_>externaldomain.com: Looking up in cache...
[16/Dec/2004 14:20:51][3576] {ldapdb} person<_at_>externaldomain.com: found in cache
[16/Dec/2004 14:20:51][3576] {ldapdb} person<_at_>externaldomain.com: Looking up in cache...
[16/Dec/2004 14:20:51][3576] {ldapdb} person<_at_>externaldomain.com: found in cache
[16/Dec/2004 14:20:51][3576] {auth} Changing password for user person<_at_>externaldomain.com, type=3
[16/Dec/2004 14:20:51][3576] {auth} Krb5 auth: user person<_at_>internaldomain.com authenticated
[16/Dec/2004 14:20:54][3576] {http} HTTP connection from mfpc90.internaldomain.com:4848 finished

Kinda looks like it worked actually, doesn't it? Still get a "New password is invalid".

Scott



  •  
jshaw541

sedell wrote on Thu, 16 December 2004 11:29


[16/Dec/2004 14:20:51][3576] {auth} Changing password for user person<_at_>externaldomain.com, type=3
[16/Dec/2004 14:20:51][3576] {auth} Krb5 auth: user person<_at_>internaldomain.com authenticated
[16/Dec/2004 14:20:54][3576] {http} HTTP connection from mfpc90.internaldomain.com:4848 finished

Kinda looks like it worked actually, doesn't it? Still get a "New password is invalid".



Well this is what I would expect to see, since the user isn't complaining about an invalid password. Either the debug option that shows the problem wasn't enabled (looks like you enabled everything that mattered, though), or there isn't anything in the debug options that would provide more insight.

Dumb question, but the user account doesn't have "User cannot change password" checked or anything, do they? If you're an AD guru, you might load up LDP.EXE from the Server Support tools and compare the LDAP attributes from this account with a known-working account.

  •  
sedell

Aha... found the problem. The user changed his password recently... within the 'Minimum password age' set in Group Policy. I tried to change his password from a Windows terminal, and I got 'The password on this account cannot be changed at this time.'

Not really an AD error, or a Kerio error, but the error message returned by Kerio could be a little better.
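
Added example, not part of the original thread and not Kerio's code: a check for the root cause found above, computed from the raw `pwdLastSet` (user object) and `minPwdAge` (domain object) values as a tool like LDP.EXE displays them. Function names are hypothetical and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch: AD stores pwdLastSet as 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
USEC = timedelta(microseconds=1)


def filetime_to_datetime(ticks):
    """Raw FILETIME (e.g. pwdLastSet) -> timezone-aware datetime."""
    return EPOCH_1601 + (ticks // 10) * USEC


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the sample value."""
    return ((moment - EPOCH_1601) // USEC) * 10


def change_status(pwd_last_set, min_pwd_age, now):
    """Return (blocked, allowed_from) for a user-initiated password change.

    min_pwd_age is the domain's raw minPwdAge: a negative count of 100 ns
    ticks, with 0 meaning no minimum age is enforced.
    """
    if pwd_last_set == 0:
        # 0 marks "must change password at next logon"; no age to measure.
        return False, None
    allowed_from = filetime_to_datetime(pwd_last_set) + (abs(min_pwd_age) // 10) * USEC
    return now < allowed_from, allowed_from


# Constructed sample values (not taken from the thread's directory):
# password set the morning of the failed attempt, one-day minimum age.
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2004, 12, 16, 9, 0, tzinfo=timezone.utc))
SAMPLE_MIN_PWD_AGE = -864_000_000_000  # 1 day in 100 ns ticks, negated
ATTEMPT = datetime(2004, 12, 16, 14, 20, 51, tzinfo=timezone.utc)

if __name__ == "__main__":
    blocked, allowed_from = change_status(SAMPLE_PWD_LAST_SET, SAMPLE_MIN_PWD_AGE, ATTEMPT)
    print("blocked by minimum password age:", blocked)
    print("earliest user-initiated change:", allowed_from.isoformat())
```

An administrative reset is a different operation from a user-initiated change, so this check applies only to changes the user makes, such as the webmail one in this thread.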



