This article describes the resolution for the case where domain users cannot log in to their accounts and the security logs show the following:
.... Authentication failed for user <username>. Attempt from IP address <IP address>. External authentication service rejected authentication due to invalid password or authentication restriction.
Debug logs with ‘User Authentication’ enabled show entries such as:
.... Clock skew too great. error code 0x96c73a25 (-1765328347)
The clock offset between Kerio and Active Directory (AD) is the root cause of the Kerberos authentication issue. Kerberos is very time-sensitive, so configure your client machines to use one of your domain controllers as a Network Time Protocol (NTP) server. It is recommended to keep the system clocks within one minute of each other at most. Make sure the time zone is set identically on the domain controller (DC) and on the server on which Kerio Connect is installed.
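To measure the offset described above from the Kerio Connect host, the following added example (not part of the original article or of Kerio's tooling) sends one SNTP request to a domain controller and compares the result with the one-minute bound. The function names and the constructed sample reply are assumptions made for illustration.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 60  # the one-minute bound recommended above
# Constructed reply (not captured traffic): VN=3, mode 4, stratum 2, server
# receive and transmit timestamps both 1700000090.5 Unix seconds.
SAMPLE_REPLY = bytes([0x1C, 2]) + bytes(30) + struct.pack(
    "!4I", 3908988890, 2**31, 3908988890, 2**31)


def parse_offset(reply, t1, t4):
    """Server clock minus local clock, in seconds; t1/t4 = local send/receive."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # need mode 4 (server), stratum > 0
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2 = rx_s - NTP_EPOCH_DELTA + rx_f / 2**32  # server receive time
    t3 = tx_s - NTP_EPOCH_DELTA + tx_f / 2**32  # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2


def query_offset(server, timeout=3.0):
    """Send one SNTP client request to server:123/udp and return the offset."""
    request = b"\x1b" + bytes(47)  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_offset(reply, t1, t4)


def within_tolerance(offset, limit=MAX_SKEW_SECONDS):
    return abs(offset) <= limit


if __name__ == "__main__":
    # With an argument (a DC hostname) query it; without, use the constructed sample.
    if len(sys.argv) > 1:
        offset = query_offset(sys.argv[1])
    else:
        offset = parse_offset(SAMPLE_REPLY, 1700000000.0, 1700000001.0)
    verdict = "OK" if within_tolerance(offset) else "exceeds the one-minute target"
    print(f"clock offset {offset:+.3f}s: {verdict}")
```

A positive offset means the domain controller's clock is ahead of the local one; the live query needs UDP port 123 on the domain controller to be reachable from the Kerio Connect host.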
- On the domain controller (AD), open Group Policy Management Editor.
- Navigate to Kerberos Policy and open the Properties of Maximum tolerance for computer clock synchronization. Check the value and increase or decrease it accordingly.
- On Linux, check Timesync daemon (
The domain users can log in to their accounts.