This article describes the resolution when domain users cannot log in to their accounts and the security logs show the following:
.... Authentication failed for user <username>. Attempt from IP address <IP address>. External authentication service rejected authentication due to invalid password or authentication restriction.
Debug logs with the ‘User Authentication’ option enabled show entries such as:
.... Clock skew too great. error code 0x96c73a25 (-1765328347)
The clock offset between Kerio Connect and Active Directory (AD) is the root cause of this Kerberos authentication failure. Because Kerberos is very time-sensitive, configure your client machines to use one of your domain controllers as a Network Time Protocol (NTP) server. Adjust the clocks on the systems so that they are within one minute of each other at most, and make sure the time zone is set identically on the DC (domain controller) and on the server on which Kerio Connect is installed.
- On the domain controller (AD), open the Group Policy Management Editor.
- Navigate to Kerberos Policy and open the Maximum tolerance for computer clock synchronization properties. Check the value and increase or decrease it accordingly.
Note: Microsoft recommends 5 as the Maximum tolerance for computer clock synchronization value.
- On Linux, check Timesync daemon (
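As an added example (not code from Kerio or Microsoft), the following POSIX shell script checks from the Kerio Connect host whether the measured offset to the DC is within the Kerberos tolerance, and decodes the error code printed in the debug log. The 300-second tolerance, the 'ntpdate -q' output format and the DC name dc01.example.local are assumptions.

```shell
# Added example: verify the clock offset to the DC before and after the fix.
# Assumed tolerance: 300 s, i.e. the policy value of 5 (minutes) discussed above.
MAX_SKEW_SECONDS=300

# Absolute difference in seconds between two Unix timestamps
# (local clock vs. domain controller clock).
clock_skew_seconds() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    echo "$diff"
}

# Exit status 0 when the skew is within tolerance, 1 when Kerberos would reject it.
skew_within_tolerance() {
    [ "$(clock_skew_seconds "$1" "$2")" -le "$MAX_SKEW_SECONDS" ]
}

# Whole-second offset magnitude parsed from one 'ntpdate -q' result line.
# Assumed line format: "server <ip>, stratum <n>, offset <sec>, delay <sec>"
ntpdate_offset_seconds() {
    off=$(printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\),.*/\1/p')
    off=${off%%.*}   # drop the fractional part
    off=${off#-}     # absolute value
    echo "${off:-0}"
}

# The debug log prints the krb5 code as unsigned hex; the signed 32-bit value is
# what the krb5 error table uses (0x96c73a25 -> -1765328347, KRB5KRB_AP_ERR_SKEW).
krb5_signed_code() {
    v=$(( $1 ))
    [ "$v" -gt 2147483647 ] && v=$(( v - 4294967296 ))
    echo "$v"
}

# Constructed sample line, the kind 'ntpdate -q dc01.example.local' would print
# on a Kerio host whose clock is almost seven minutes ahead of the DC.
SAMPLE_LINE="server 192.0.2.10, stratum 2, offset -412.381205, delay 0.02567"

main() {
    off=$(ntpdate_offset_seconds "$SAMPLE_LINE")
    if [ "$off" -le "$MAX_SKEW_SECONDS" ]; then
        echo "offset ${off}s: within Kerberos tolerance"
    else
        echo "offset ${off}s: exceeds tolerance, expect $(krb5_signed_code 0x96c73a25) (clock skew too great)"
    fi
}
main
```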
Once the clocks are synchronized, domain users can log in to their accounts again.