Kerberos External Authentication Service Rejected in Kerio Connect

Overview

Kerberos authentication is not working and Kerio Connect users are unable to authenticate their accounts.

The security log shows the following errors:

[25/Aug/2019 01:32:02] HTTP/CardDav: Authentication failed for user username1@domain.com. Attempt from IP address x.x.x.x. External authentication service rejected authentication due to invalid password or authentication restriction.

[25/Aug/2019 01:32:17] HTTP/CardDav: Authentication failed for user username2@domain.com. Attempt from IP address x.x.x.x. External authentication service rejected authentication due to invalid password or authentication restriction.

The Authentication debug logs may also show a krb5 realm error:
{auth} Krb5: get_init_creds_password(****@****, ****@****): Cannot contact any KDC for requested realm, error code 0x96c73a9c (-1765328228)

 

This article provides the steps to establish a proper Kerberos connection and points to a reference document for the Kerberos [login] tags.


Prerequisites

  • Kerio Connect installed on CentOS.
  • Join Active Directory using Kerberos.
  • Access to both Kerio Connect Webadmin and server.

 

Process

  1. Follow the article Configuring krb5.conf File on Linux to establish the Kerberos connection properly.
  2. Add the following lines to your krb5.conf file:
    [login]
    krb4_convert = true
    krb4_get_tickets = false

An example of a modified file is below:
[Screenshot mceclip1.png: example of a modified krb5.conf file]

NOTE: Please check the Kerberos V5 System Administration Guide for more detailed information about the [login] section.

 

Confirmation

Kerio Connect users can now access their accounts. The Security log does not show any entries about external authentication service rejection.
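One way to run this confirmation check over exported log text, as an added example that is not part of the original article or of Kerio's tooling: it counts rejection entries per user logged after the time krb5.conf was changed and looks for the KDC error in the debug log. The function names, sample users and addresses, and the cutoff time are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Patterns follow the two log formats quoted in this article.
REJECT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<svc>\S+): Authentication failed for user "
    r"(?P<user>\S+)\. Attempt from IP address (?P<ip>\S+)\. "
    r"External authentication service rejected authentication"
)
KDC_ERROR = re.compile(r"\{auth\} Krb5: .*Cannot contact any KDC for requested realm")

def parse_ts(text):
    # Timestamp layout as in "[25/Aug/2019 01:32:02]" (English month names assumed).
    return datetime.strptime(text, "%d/%b/%Y %H:%M:%S")

def rejections_since(lines, changed_at):
    """Count external-auth rejections per user logged at or after changed_at."""
    hits = Counter()
    for line in lines:
        m = REJECT.match(line.strip())
        if m and parse_ts(m["ts"]) >= changed_at:
            hits[m["user"]] += 1
    return hits

def kdc_unreachable(lines):
    """True if the debug log still reports that no KDC could be contacted."""
    return any(KDC_ERROR.search(line) for line in lines)

# Constructed sample input (not taken from a real server).
_TAIL = ("External authentication service rejected authentication "
         "due to invalid password or authentication restriction.")
_FMT = "[{ts}] HTTP/CardDav: Authentication failed for user {u}. Attempt from IP address {ip}. " + _TAIL
SECURITY_LOG = [
    _FMT.format(ts="25/Aug/2019 01:32:02", u="user1@example.com", ip="192.0.2.10"),
    _FMT.format(ts="25/Aug/2019 01:32:17", u="user2@example.com", ip="192.0.2.11"),
    "[25/Aug/2019 02:01:00] constructed unrelated entry",
    _FMT.format(ts="25/Aug/2019 02:05:40", u="user3@example.com", ip="192.0.2.12"),
]
DEBUG_LOG = [
    "{auth} Krb5: get_init_creds_password(****@****, ****@****): Cannot contact "
    "any KDC for requested realm, error code 0x96c73a9c (-1765328228)",
]

if __name__ == "__main__":
    changed_at = datetime(2019, 8, 25, 2, 0, 0)  # assumed time of the krb5.conf change
    print("rejections after change:", dict(rejections_since(SECURITY_LOG, changed_at)))
    print("KDC error present:", kdc_unreachable(DEBUG_LOG))
```

The same log message is written for a wrong password, so a few remaining entries for individual users after the change do not by themselves indicate a Kerberos fault.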

 

  1. Priyanka Bhotika
