
CentOS Can't Authenticate Using macOS Open Directory (Kerberos is working from the OS but not from Kerio Connect) [message #137129] Wed, 04 October 2017 00:55
stahancyk
Messages: 15
Registered: March 2010
Location: Portland, OR USA

I encountered this once before so I feel really bad that I can't find my notes on how I resolved this...

We have a CentOS 7 server with Kerio Connect 9.2.4 (3252) and we've set up Kerberos to work with our macOS 10.11.6 Open Directory server. Kerio gets a complete list of all users from LDAP, but it can't authenticate any LDAP users using Kerberos. I can authenticate a user through Kerberos using kinit against the OD server. That works perfectly. Email is being delivered into all the directory users' inboxes.

On the mail server, a sample of the relevant error -

HTTP/EWS: Authentication failed for user training@kerioserver.com. Attempt from IP address 192.168.8.142. External authentication service rejected authentication due to invalid password or authentication restriction.


But on the directory server it's not so clear; there are 'errors' and non-errors -

Oct  2 15:39:15 od kdc[104]: AS-REQ diradmin@OD.SERVER.COM from 127.0.0.1:63806 for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct  2 15:39:15 --- last message repeated 1 time ---
Oct  2 15:39:15 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Oct  2 15:39:15 od kdc[104]: ENC-TS pre-authentication succeeded -- diradmin@OD.SERVER.COM
Oct  2 15:39:15 od kdc[104]: DSUpdateLoginStatus: Unable to synchronize login time for diradmin: 77009
Oct  2 15:39:15 od kdc[104]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct  2 15:39:15 od kdc[104]: Requested flags: renewable, forwardable


Both servers are sync'd to the same time server and their times match up to less than one second. The error about not being able to synchronize time may be unimportant, as I see that one all over my searches and mostly the causes don't apply in our environment. We have good, tested DNS and a working internal time server. As mentioned earlier, if I connect to the Kerio server using ssh and then authenticate any user using kinit, the user gets logged in, but when this is done through Kerio it fails, even though it looks like on the OD server side there is no error.

[server names have been changed to protect the guilty]

[Updated on: Wed, 04 October 2017 00:57]

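The post's difficulty is telling, from the KDC side, which requests actually succeeded and which lines are mere noise. The following is an added example (not the poster's code and not anything shipped by Kerio or Apple) that groups Heimdal-style kdc log lines like the ones quoted above into one record per AS-REQ, records whether a pre-authentication outcome was logged for it, which enctype pair the KDC settled on, and whether the DSUpdateLoginStatus bookkeeping warning appeared. The sample log is constructed: the diradmin lines mirror the post, while the second request from a hypothetical Kerio host 192.168.8.10 and its "Failed to decrypt PA-DATA" line are assumptions added to show how a refused pre-authentication would be reported. The most useful check it enables is simple: if no AS-REQ from the mail server's address shows up at the time of a failed Kerio login, the KDC never saw the attempt, and the problem has to be found in Kerio's Kerberos configuration rather than on the OD server.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the Heimdal kdc log format quoted in the post.
# The "training" request from the hypothetical Kerio host 192.168.8.10 and
# its failure line are made up for illustration.
SAMPLE_LOG = """\
Oct  2 15:39:15 od kdc[104]: AS-REQ diradmin@OD.SERVER.COM from 127.0.0.1:63806 for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct  2 15:39:15 --- last message repeated 1 time ---
Oct  2 15:39:15 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Oct  2 15:39:15 od kdc[104]: ENC-TS pre-authentication succeeded -- diradmin@OD.SERVER.COM
Oct  2 15:39:15 od kdc[104]: DSUpdateLoginStatus: Unable to synchronize login time for diradmin: 77009
Oct  2 15:39:15 od kdc[104]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct  2 15:39:15 od kdc[104]: Requested flags: renewable, forwardable
Oct  2 15:40:02 od kdc[104]: AS-REQ training@OD.SERVER.COM from 192.168.8.10:51234 for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct  2 15:40:02 od kdc[104]: Client sent patypes: ENC-TS
Oct  2 15:40:02 od kdc[104]: Failed to decrypt PA-DATA -- training@OD.SERVER.COM
"""

AS_REQ_RE = re.compile(
    r"kdc\[\d+\]: AS-REQ (?P<princ>\S+) from (?P<ip>[\d.]+):(?P<port>\d+) for (?P<svc>\S+)"
)
# Heimdal appends " -- <principal>" to per-request outcome messages.
OUTCOME_RE = re.compile(r"kdc\[\d+\]: (?P<msg>.+?) -- (?P<princ>\S+)$")
ENCTYPE_RE = re.compile(r"Client supported enctypes: .* using (?P<chosen>\S+)$")
LOGIN_STATUS_RE = re.compile(
    r"DSUpdateLoginStatus: Unable to synchronize login time for (?P<user>\S+): (?P<code>\d+)"
)


@dataclass
class AsRequest:
    principal: str
    client_ip: str
    service: str
    outcome: Optional[str] = None   # e.g. "ENC-TS pre-authentication succeeded"
    enctypes: Optional[str] = None  # "client/session" pair the KDC settled on
    warnings: List[str] = field(default_factory=list)

    @property
    def succeeded(self) -> bool:
        return self.outcome is not None and "succeeded" in self.outcome


def parse_kdc_log(text: str) -> List[AsRequest]:
    """Group kdc log lines into one record per AS-REQ, in log order."""
    requests: List[AsRequest] = []
    current: Optional[AsRequest] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = AS_REQ_RE.search(line)
        if m:
            current = AsRequest(m["princ"], m["ip"], m["svc"])
            requests.append(current)
            continue
        if current is None:
            continue  # lines before the first AS-REQ carry no request context
        m = OUTCOME_RE.search(line)
        if m:
            # Attach the outcome to the newest request for that principal
            # that has not yet received one.
            for req in reversed(requests):
                if req.principal == m["princ"] and req.outcome is None:
                    req.outcome = m["msg"]
                    break
            continue
        m = ENCTYPE_RE.search(line)
        if m:
            current.enctypes = m["chosen"]
            continue
        m = LOGIN_STATUS_RE.search(line)
        if m:
            # Directory-side bookkeeping failure; it follows a successful
            # pre-auth and does not by itself mean the ticket was refused.
            current.warnings.append(f"DSUpdateLoginStatus {m['code']} for {m['user']}")
    return requests


def requests_from(requests: List[AsRequest], client_ip: str) -> List[AsRequest]:
    """AS-REQs that arrived from one host, e.g. the mail server's address."""
    return [r for r in requests if r.client_ip == client_ip]


def summarize(requests: List[AsRequest]) -> List[str]:
    """One human-readable line per request: principal, source, verdict."""
    lines = []
    for r in requests:
        status = "OK" if r.succeeded else "FAILED/UNRESOLVED"
        detail = r.outcome or "no pre-auth outcome logged"
        extra = f"; warnings: {', '.join(r.warnings)}" if r.warnings else ""
        lines.append(f"{r.principal} from {r.client_ip}: {status} ({detail}){extra}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for entry in summarize(parse_kdc_log(text)):
        print(entry)
```

Run it against the KDC's log (on the OD server, the kdc messages land in the system log) with the mail server's address in mind: `requests_from(reqs, "<kerio-host-ip>")` being empty during a failed web login is the signal that Kerio is not reaching the KDC at all, whereas a request that is present but lacks a "succeeded" outcome points at the credential or enctype the Kerio side is presenting.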
