Overview
Kerio Connect user authentication can be configured to use Kerberos. Setting it up on the Virtual Appliance requires advanced configuration on both the Kerio Connect side and the Active Directory server.
Process
Setting up Kerberos User Authentication Against Active Directory
- Log in to the system console.
- Install the Kerberos 5 packages:
  apt-get update
  apt-get install krb5-config krb5-user
- For Kerio Connect 8.5 and older, install the following packages:
  apt-get install krb5-clients krb5-config krb5-user
- In the Kerberos 5 configuration wizard, configure the Kerberos realm and domain server hostname.
- Add a new computer to your Active Directory. Use the same hostname as defined in the appliance (run hostname -f to display the hostname). If the appliance is set up with the wrong hostname, correct it in the following configuration files: /etc/hostname and /etc/hosts
- Add the Service Principal Name for the computer to the Kerberos database.
- Run the following command on your Windows Active Directory (master):
  setspn.exe -R hostname
Verification
Run the following command on your Kerio Connect console:
kinit -S host/<hostname_domain.com>@<DOMAIN.COM>
Where <hostname_domain.com> is the appliance hostname that corresponds to the computer name in the Active Directory, and <DOMAIN.COM> is the Kerberos realm that is in use by your Active Directory.
The command throws a Kerberos error if the mail server machine is not properly joined.
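The checks below are an added example, not part of the original article and not a Kerio tool: a POSIX shell pre-flight that rejects a hostname that is not fully qualified or a realm that is missing or not upper case, then runs the kinit command from the Verification step with the derived principal. The function names and the --check switch are illustrative, and it assumes the realm is the upper-case form of the Active Directory DNS domain and that the configuration wizard wrote default_realm to /etc/krb5.conf.

```shell
#!/bin/sh
# Added example: pre-flight checks for the kinit verification step.
# Function names are illustrative; nothing here is a Kerio tool.

# Print the default_realm value from a krb5.conf-style file.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print host/<fqdn>@<REALM>, or fail with the reason on stderr.
build_host_principal() {
    fqdn=$1
    realm=$2
    case $fqdn in
        *.*) ;;
        *) echo "hostname '$fqdn' is not fully qualified; fix /etc/hostname and /etc/hosts" >&2
           return 1 ;;
    esac
    if [ -z "$realm" ]; then
        echo "no default_realm found in the Kerberos configuration" >&2
        return 1
    fi
    # Assumption: the realm is the AD DNS domain in upper case.
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "realm '$realm' is not upper case; expected '$upper'" >&2
        return 1
    fi
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# Run the checks, then the page's kinit command with the derived principal.
verify_join() {
    conf=${2:-/etc/krb5.conf}
    principal=$(build_host_principal "$1" "$(krb5_default_realm "$conf")") || return 1
    echo "Running: kinit -S $principal"
    kinit -S "$principal"
}

# Only touch the live system when asked to: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    verify_join "$(hostname -f)"
fi
```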