GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Connect » Kerio Connect, can't authenticate with windows AD users (Authentication rejected)
Kerio Connect, can't authenticate with windows AD users [message #145711] Sun, 05 May 2019 19:36 Go to next message
clsinformatica is currently offline  clsinformatica
Messages: 1
Registered: May 2019
Hi,
here is my situation:
- Kerio Connect 9.2.9 patch 1 installed on windows server 2019.
- AD and DC running on windows server 2019 with Kerio Active Directory Extension installed.

Kerio Connect succesfully mapped into the AD. In the users field i see all the users in the DC.

When i try to connect via webmail the error is: incorrect username/password.

In the Security Log the error is:
HTTP/WebMail: Authentication failed for user xxx<_at_>domain.com. Attempt from IP address ::1. External authentication service rejected authentication due to invalid password or authentication restriction.

Somebody can help me?
Thanks
Re: Kerio Connect, can't authenticate with windows AD users [message #145811 is a reply to message #145711] Fri, 17 May 2019 22:57 Go to previous messageGo to next message
shufflez is currently offline  shufflez
Messages: 1
Registered: January 2007
Location: Amsterdam, The Netherland...
Having the exact same problem after migrating from (EOL) VMware appliance to Ubuntu 18.04.2 (version 9.2.9p1 on VMware&Ubuntu).
Re: Kerio Connect, can't authenticate with windows AD users [message #145861 is a reply to message #145811] Mon, 27 May 2019 12:22 Go to previous messageGo to next message
Maerad is currently offline  Maerad
Messages: 275
Registered: August 2013

  • Domain > AD > checked if secure connection is enabled? Test connection also works?
  • Is the specified AD User allowed to read the AD? Or even change it, depending on what you want to use?
  • Used the right login? With only one Domain, you can login with username/PW without adding Domain\ etc.
  • Did you create the users in Kerio or used the "activate exsiting user in AD ..."?

Also go to debug in logs and enable auth etc. msgs.

[Updated on: Mon, 27 May 2019 12:23]

Report message to a moderator

Re: Kerio Connect, can't authenticate with windows AD users [message #145919 is a reply to message #145711] Wed, 05 June 2019 14:38 Go to previous messageGo to next message
ITC Solutions GmbH is currently offline  ITC Solutions GmbH
Messages: 18
Registered: August 2015
Location: Geroldswil
hello

i have the same problem. Confused
Re: Kerio Connect, can't authenticate with windows AD users [message #145953 is a reply to message #145919] Thu, 13 June 2019 16:19 Go to previous messageGo to next message
Maerad is currently offline  Maerad
Messages: 275
Registered: August 2013
Yeah. More information would be helpfull...

BTW. I saw something - connection from ::1. You might need to add the local ipv6 address to the IP ranges of kerio (to accept the connection of users in that network)
Re: Kerio Connect, can't authenticate with windows AD users [message #145955 is a reply to message #145711] Thu, 13 June 2019 20:47 Go to previous messageGo to next message
robert.koscak is currently offline  robert.koscak
Messages: 8
Registered: May 2009
Location: Zagreb

I have the same problem on server 2012 R2 and now on server 2016, I reported the error has over a year of support Mad , they did nothing, they just drove me to the circuit now on 2016 and I do not believe it will solve the problem. GFI / Kerio became totally uninterested in its product, error, partners and users. They are in some of their bad movies. Cool
Re: Kerio Connect, can't authenticate with windows AD users [message #145962 is a reply to message #145955] Fri, 14 June 2019 12:30 Go to previous messageGo to next message
ian.bugeja is currently offline  ian.bugeja
Messages: 666
Registered: March 2017
Location: Malta
Hi all

Was the C:\Program Files\Kerio\MailServer\ldapmap\gal_ads.map modified?

Is the domain name identical to the email address domain or is it different?



Ian Bugeja
GFI Software
Re: Kerio Connect, can't authenticate with windows AD users [message #145963 is a reply to message #145955] Fri, 14 June 2019 13:23 Go to previous messageGo to next message
Maerad is currently offline  Maerad
Messages: 275
Registered: August 2013
robert.koscak wrote on Thu, 13 June 2019 20:47
I have the same problem on server 2012 R2 and now on server 2016, I reported the error has over a year of support Mad , they did nothing, they just drove me to the circuit now on 2016 and I do not believe it will solve the problem. GFI / Kerio became totally uninterested in its product, error, partners and users. They are in some of their bad movies. Cool
Yeah... no. The problems lies within your system, not kerio. And yes, I'm sure of it. I'm using here a 2012 AD/DC with kerio on a server 2012 R2. AD works for ANY kind of auth. - no matter if webinterface, outlook, kerio client, active sync etc. for YEARS. I even did a testmigration to 2016 and also had no problems.

And with the amount of information given here, it's IMPOSSIBLE to support anything. The error msg from the OP could also be, that he can't login locally, because ::1 is seen as external connection. Or something else is fucked up. IPV6 turned off? Those are config problems, not program errors or bugs.

Give me more details, like the errors from the AD, the auth debug, AD debug etc. and maybe we can get rid of the error.

Did you ever check the AD user? AD user needs rw access to the user tree, otherwise it wont work. That's also why you should use a secured connection.
Re: Kerio Connect, can't authenticate with windows AD users [message #146466 is a reply to message #145963] Sat, 24 August 2019 17:09 Go to previous message
LogitComputer is currently offline  LogitComputer
Messages: 16
Registered: February 2013
Hello all,

Yeah - the problem lies definitively within Kerio Connect (or the lack of information) as it doesn't state that the E-Mail Servers Machine (in my case Server 2019) MUST be joined into the respective Active Directory.

Actual Client-Migration:
- Server 2012R2 Active Directory
- Kerio Connect Appliance, old Debian 7.11, older Kerio Connect 9.2.5
- Active Directory under "domain.tld" / Directory Service works since over 4 years like a charm

Today Saturday, the host was replaced from VMware ESXi 6.0 to Hyper-V 2019.

New Kerio Connect Server on vanilla Server 2019 Standalone Server installed (D:\KerioConnect).
Restored Backup with KMSRECOVER, edited .cfg files from Unix-Schema "/opt/kerio/mailserver/..." to "D:\KerioConnect\Mailserver\...", set same IP address, rebooted and voilĂ  - Mailbox with Local User (like the info<_at_>domain.tld) was accessible.

But the user mailboxes wich are checked against the Active Directory (name.lastname<_at_>domain.tld) stated following error:

[24/Aug/2019 16:24:14] HTTP/KOFF: Authentication failed for user name.lastname<_at_>domain.tld. Attempt from IP address 172.27.10.105. External authentication service rejected authentication due to invalid password or authentication restriction.

So - double-checked LDAP, LDAP Authentication still the same.
Updated Kerio Active Directory Connector to 9.2.10 - still same.

After reading an article from 2017, there was something stated that the Server was a member of the domain.

So I joined this Server into the "domain.tld", mandatory reboot, then check again and voilĂ  - it works.

Conclusion (for me):
if "Kerio Connect Server is on Windows" + "Active Directory User" = Kerio Connect Server must be Member of this Active Directory.
Previous Topic: Filtering in HTML part?
Next Topic: 9.2.10 is out and still 0 improvement on KOFF and Outlook
Goto Forum:
  


Current Time: Wed Sep 27 23:32:32 CEST 2023

Total time taken to generate the page: 0.07323 seconds