Kerio Connect, can't authenticate with windows AD users [message #145711]
Sun, 05 May 2019 19:36
clsinformatica
Messages: 1 Registered: May 2019
Hi,
here is my situation:
- Kerio Connect 9.2.9 patch 1 installed on windows server 2019.
- AD and DC running on windows server 2019 with Kerio Active Directory Extension installed.
Kerio Connect successfully mapped into the AD. In the users field I see all the users in the DC.
When I try to connect via webmail the error is: incorrect username/password.
In the Security Log the error is:
HTTP/WebMail: Authentication failed for user xxx<_at_>domain.com. Attempt from IP address ::1. External authentication service rejected authentication due to invalid password or authentication restriction.
Can somebody help me?
Thanks
Re: Kerio Connect, can't authenticate with windows AD users [message #145861 is a reply to message #145811]
Mon, 27 May 2019 12:22
Maerad
Messages: 275 Registered: August 2013
- Domain > AD > checked if secure connection is enabled? Test connection also works?
- Is the specified AD User allowed to read the AD? Or even change it, depending on what you want to use?
- Used the right login? With only one Domain, you can login with username/PW without adding Domain\ etc.
- Did you create the users in Kerio or use the "activate existing user in AD ..."?
Also go to debug in logs and enable auth etc. msgs.
[Updated on: Mon, 27 May 2019 12:23]
Re: Kerio Connect, can't authenticate with windows AD users [message #145955 is a reply to message #145711]
Thu, 13 June 2019 20:47
robert.koscak
Messages: 8 Registered: May 2009 Location: Zagreb
I have the same problem on server 2012 R2 and now on server 2016, I reported the error has over a year of support, they did nothing, they just drove me to the circuit now on 2016 and I do not believe it will solve the problem. GFI / Kerio became totally uninterested in its product, error, partners and users. They are in some of their bad movies.
Re: Kerio Connect, can't authenticate with windows AD users [message #145963 is a reply to message #145955]
Fri, 14 June 2019 13:23
Maerad
Messages: 275 Registered: August 2013
robert.koscak wrote on Thu, 13 June 2019 20:47: "I have the same problem on server 2012 R2 and now on server 2016, I reported the error has over a year of support, they did nothing, they just drove me to the circuit now on 2016 and I do not believe it will solve the problem. GFI / Kerio became totally uninterested in its product, error, partners and users. They are in some of their bad movies."
Yeah... no. The problem lies within your system, not Kerio. And yes, I'm sure of it. I'm using here a 2012 AD/DC with Kerio on a server 2012 R2. AD works for ANY kind of auth. - no matter if webinterface, outlook, kerio client, active sync etc. for YEARS. I even did a test migration to 2016 and also had no problems.
And with the amount of information given here, it's IMPOSSIBLE to support anything. The error msg from the OP could also be, that he can't login locally, because ::1 is seen as external connection. Or something else is fucked up. IPV6 turned off? Those are config problems, not program errors or bugs.
Give me more details, like the errors from the AD, the auth debug, AD debug etc. and maybe we can get rid of the error.
Did you ever check the AD user? AD user needs rw access to the user tree, otherwise it won't work. That's also why you should use a secured connection.
Re: Kerio Connect, can't authenticate with windows AD users [message #146466 is a reply to message #145963]
Sat, 24 August 2019 17:09
LogitComputer
Messages: 16 Registered: February 2013
Hello all,
Yeah - the problem lies definitively within Kerio Connect (or the lack of information) as it doesn't state that the E-Mail Servers Machine (in my case Server 2019) MUST be joined into the respective Active Directory.
Actual Client-Migration:
- Server 2012R2 Active Directory
- Kerio Connect Appliance, old Debian 7.11, older Kerio Connect 9.2.5
- Active Directory under "domain.tld" / Directory Service works since over 4 years like a charm
Today Saturday, the host was replaced from VMware ESXi 6.0 to Hyper-V 2019.
New Kerio Connect Server on vanilla Server 2019 Standalone Server installed (D:\KerioConnect).
Restored Backup with KMSRECOVER, edited .cfg files from Unix-Schema "/opt/kerio/mailserver/..." to "D:\KerioConnect\Mailserver\...", set same IP address, rebooted and voilà - Mailbox with Local User (like the info<_at_>domain.tld) was accessible.
But the user mailboxes which are checked against the Active Directory (name.lastname<_at_>domain.tld) stated the following error:
[24/Aug/2019 16:24:14] HTTP/KOFF: Authentication failed for user name.lastname<_at_>domain.tld. Attempt from IP address 172.27.10.105. External authentication service rejected authentication due to invalid password or authentication restriction.
So - double-checked LDAP, LDAP Authentication still the same.
Updated Kerio Active Directory Connector to 9.2.10 - still same.
After reading an article from 2017, there was something stated that the Server was a member of the domain.
So I joined this Server into the "domain.tld", mandatory reboot, then check again and voilà - it works.
Conclusion (for me):
if "Kerio Connect Server is on Windows" + "Active Directory User" = Kerio Connect Server must be Member of this Active Directory.
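Added example, not part of the thread and not Kerio tooling: both error reports above carry the same Security Log message, so grouping those entries by account shows at a glance whether only directory-backed users are being rejected (the pattern in the last post) and whether the attempts came from the mail server itself. The line shape is taken from the two entries quoted in the thread; the sample users, the second IP address and the last line's reason text are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Line shape copied from the two Security Log entries quoted in this thread.
# The timestamp is optional because the first post pasted its entry without one.
LINE_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\]\s+)?(?P<service>[\w/]+): "
    r"Authentication failed for user (?P<user>\S+)\. "
    r"Attempt from IP address (?P<ip>[0-9A-Fa-f:.]+)\. (?P<reason>.+)$"
)
EXTERNAL_REJECT = "External authentication service rejected authentication"

def _is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # malformed address in the log line

def external_rejections(lines):
    """Group external-auth rejections by user: count, services, source IPs."""
    report = defaultdict(lambda: {"count": 0, "services": set(),
                                  "sources": set(), "loopback_only": True})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["reason"].startswith(EXTERNAL_REJECT):
            continue  # not an auth failure, or rejected for another reason
        entry = report[m["user"].lower()]
        entry["count"] += 1
        entry["services"].add(m["service"])
        entry["sources"].add(m["ip"])
        # ::1 or 127.0.0.1 means the attempt was made on the mail server itself
        if not _is_loopback(m["ip"]):
            entry["loopback_only"] = False
    return dict(report)

# Constructed sample data (users, second IP and the last reason are made up).
_F = "Authentication failed for user"
_R = EXTERNAL_REJECT + " due to invalid password or authentication restriction."
SAMPLE = [
    f"HTTP/WebMail: {_F} bob@domain.tld. Attempt from IP address ::1. {_R}",
    f"[24/Aug/2019 16:24:14] HTTP/KOFF: {_F} alice@domain.tld. Attempt from IP address 172.27.10.105. {_R}",
    f"[24/Aug/2019 16:25:02] HTTP/WebMail: {_F} Alice@domain.tld. Attempt from IP address 172.27.10.106. {_R}",
    f"[24/Aug/2019 16:26:40] HTTP/WebMail: {_F} carol@domain.tld. Attempt from IP address 172.27.10.105. (constructed other reason)",
]

if __name__ == "__main__":
    for user, info in sorted(external_rejections(SAMPLE).items()):
        print(user, info["count"], sorted(info["services"]), sorted(info["sources"]))
```

If every account in the report is an Active Directory user while local accounts such as info<_at_>domain.tld log in normally, the directory integration is the place to look, as the last post found.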