Overview
Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server, or just server) without sending data across the network that might allow an attacker or the verifier to subsequently impersonate the principal. Kerberos optionally provides integrity and confidentiality for data sent between the client and the server.
This article describes the steps in configuring Kerberos Authentication with Kerio Connect.
Solution
- Verify that Kerio Connect belongs to the Active Directory or Open Directory domain. Refer to the article Connecting Kerio Connect to Microsoft Active Directory.
- In the Kerio Connect administration interface, go to Configuration > Domains.
- Double-click a domain and go to the Advanced tab.
- (For Linux installations only) Type the PAM service name.
- Type the Kerberos realm name. The Kerberos realm name is your domain name and Kerio Connect specifies it automatically upon domain creation.
- If you are using the Windows NT domain, type the domain name.
- (Optional) Select Bind this domain to specific IP address and type the IP address. Users accessing Kerio Connect from this IP address log in with only their username (without the domain name).
- Click OK.
You can confirm that the settings were saved by going to Configuration > Domains and checking that the Kerberos information appears in the Kerberos column.
Troubleshooting
For detailed output, enable the User Authentication option in the Debug log.
If you see a Kerberos-related error in the logs, verify the Kerberos settings on your DC. For example, for the error
{auth} Krb5: get_init_creds_password(krbtgt/KCC.LOCAL@KCC.LOCAL, joe.doe@KCC.LOCAL): KDC has no support for encryption type, error code 0x96c73a0e (-1765328370)
review the Encryption Options or the msDS-SupportedEncryptionTypes attribute via AD Administrative Center > Select Domain Controller > Extensions > Attribute Editor.
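As an added example that is not part of this article or of Kerio Connect, the following Python script parses a Krb5 debug-log line of the form shown above, checks that the hex and decimal error codes agree, resolves the code to its RFC 4120 name, and decodes an msDS-SupportedEncryptionTypes value so you can compare what the DC offers against what the client asked for. The error-code and bit-flag tables are the documented MIT krb5 and MS-KILE values; the sample line is the one quoted in the article.

```python
import re

# Base of the MIT krb5 error table; RFC 4120 error codes are offsets from it.
KRB5_ERROR_BASE = -1765328384
# A few RFC 4120 error codes commonly seen in failed logons.
KRB5_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP",
               18: "KDC_ERR_CLIENT_REVOKED", 23: "KDC_ERR_KEY_EXPIRED",
               24: "KDC_ERR_PREAUTH_FAILED", 37: "KRB_AP_ERR_SKEW"}
# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
ETYPE_BITS = {0x01: "DES_CBC_CRC", 0x02: "DES_CBC_MD5", 0x04: "RC4_HMAC_MD5",
              0x08: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96"}

LOG_RE = re.compile(
    r"Krb5: (\w+)\(([^)]*)\): (.*?), error code (0x[0-9a-fA-F]+) \((-?\d+)\)")


def parse_krb5_log_line(line):
    """Extract call, principals, message and decoded error code from a Kerio Krb5 log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    call, args, message, hex_code, dec_code = m.groups()
    code = int(dec_code)
    offset = code - KRB5_ERROR_BASE
    return {
        "call": call,
        "principals": [a.strip() for a in args.split(",")],
        "message": message,
        "code": code,
        # The hex form is the unsigned 32-bit view of the signed code; they must agree.
        "hex_consistent": (code & 0xFFFFFFFF) == int(hex_code, 16),
        "rfc4120_code": offset,
        "name": KRB5_ERRORS.get(offset, "UNKNOWN"),
    }


def decode_supported_etypes(value):
    """Return the etype names whose bits are set in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ETYPE_BITS.items() if value & bit]


# Constructed sample: the log line quoted in the article.
SAMPLE = ("{auth} Krb5: get_init_creds_password(krbtgt/KCC.LOCAL@KCC.LOCAL, "
          "joe.doe@KCC.LOCAL): KDC has no support for encryption type, "
          "error code 0x96c73a0e (-1765328370)")

if __name__ == "__main__":
    info = parse_krb5_log_line(SAMPLE)
    print(info["name"], info["principals"], "hex ok:", info["hex_consistent"])
    # A DC whose attribute reads 0x18 (24) offers only AES; a client offering only RC4 gets ETYPE_NOSUPP.
    print(decode_supported_etypes(0x18))
```

If the decoded name is KDC_ERR_ETYPE_NOSUPP, compare the decoded attribute bits with the encryption types the Kerio host's Kerberos library is configured to request; the two sets must overlap.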