Authentication of users belonging to a particular domain is configured under Domains in the administration interface, on the Advanced tab of the domain settings. When creating a user account you can choose how the given user will be authenticated (see chapter 8.2 Creating a user account). Different users in a single email domain can be authenticated using different methods.
In the Kerio Administration Console, this option is available only in installations for Linux.
PAM (Pluggable Authentication Modules) are authentication modules that are able to authenticate a user from a specific domain (e.g. company.com) against the Linux server on which Kerio MailServer is running. Use this option to specify the name of the PAM service (configuration file) used for authentication of users in this domain. The Kerio MailServer installation package includes a configuration file for the keriomail PAM service (it can be found under /etc/pam.d/keriomail). It is strongly recommended to use this file. Details about PAM service configuration can be found in the documentation for your Linux distribution.
Kerberos is an authorization and authentication protocol (for details, see information at http://web.mit.edu/Kerberos/). Kerio MailServer uses this protocol to authenticate users against the Kerberos server (e.g. in Active Directory).
In the corresponding field of the dialog box, specify the Kerberos system domain (realm) in which the users will be authenticated. Since Kerio MailServer 6.0.9, the name of the Kerberos realm must be in capital letters.
If user accounts are stored in Active Directory or in Open Directory (see the Directory Service tab), the name of the Active Directory or Open Directory domain must be specified here. If you use the Directory Service tab to define Active Directory or Open Directory, this entry is filled in automatically.
If you use Open Directory or a stand-alone Kerberos server, check thoroughly that the Kerberos realm specified on the Advanced tab matches the name of the Kerberos realm in the /Library/Preferences/edu.mit.Kerberos file. In particular, it must match the default_realm value in this file. The line may, for example, read default_realm = COMPANY.COM
Authentication settings for the individual platforms are described in chapter 27 Kerberos Authentication.
The NT domain in which all users will be authenticated. The computer on which Kerio MailServer is running must be a member of this domain.
Example: For the company.com domain, the NT domain is COMPANY.
Users can connect to Kerio MailServer through any interface. However, each domain can be bound to one IP address. Binding an IP address to a domain saves users connecting through that IP address from having to include the domain in the username (e.g. wsmith@company.com) at each login. Such users can log in with a bare user name (e.g. jsmith), as if they were connecting to the primary domain.
For the binding of domains to IP addresses to work correctly, at most one domain may be bound to each IP address. Otherwise the server could not determine to which domain a username without a domain belongs.
Example: The Kerio MailServer host uses two interfaces. 192.168.1.10 is deployed in the network of the company called Company and 192.168.2.10 in the network of AnotherCompany. A new user account called smith is added to the anothercompany.com domain (this domain is not primary). The anothercompany.com domain is bound to the IP address 192.168.2.10. Users of this domain will not need to specify their domain name when connecting to Kerio MailServer.
Note: On the other hand, primary domain users have to specify their complete email addresses to connect to this interface.
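The binding rules from the example above, modelled as an added illustration (this is not Kerio's code): one bound domain per interface address, bare usernames resolved by the interface they arrive on, and the conflict check for two domains bound to one address. Interface addresses, domains and user names are constructed from the example in the text.

```python
# Added illustration of Kerio MailServer's IP-address binding rules; this is
# not Kerio's code. Interface addresses, domains and users are constructed
# from the example in the text.
PRIMARY_DOMAIN = "company.com"

# domain -> server interface address it is bound to (one address per domain)
BINDINGS = {
    "anothercompany.com": "192.168.2.10",
}


def binding_conflicts(bindings):
    """Return addresses that have more than one domain bound to them.

    An empty result means the configuration is valid. With a conflict the
    server could not tell which domain a bare username belongs to.
    """
    by_ip = {}
    for domain, ip in bindings.items():
        by_ip.setdefault(ip, []).append(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}


def resolve_login(login, local_ip, bindings=BINDINGS, primary=PRIMARY_DOMAIN):
    """Return the full address the server authenticates for a login attempt.

    login    -- name the user typed, with or without @domain
    local_ip -- address of the server interface the client connected to
    """
    if "@" in login:
        # A fully qualified name is taken as given; this is how a primary-domain
        # user must log in on an interface bound to another domain.
        return login
    if binding_conflicts(bindings):
        raise ValueError("ambiguous binding: more than one domain per address")
    # Bare username: the domain bound to this interface wins, else the primary.
    bound = [d for d, ip in bindings.items() if ip == local_ip]
    domain = bound[0] if bound else primary
    return f"{login}@{domain}"


if __name__ == "__main__":
    print(resolve_login("smith", "192.168.2.10"))            # smith@anothercompany.com
    print(resolve_login("jsmith", "192.168.1.10"))           # jsmith@company.com
    print(resolve_login("wsmith@company.com", "192.168.2.10"))
```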
If a problem arises with any of the authentication methods, Kerio MailServer can log external user authentication:
In the Kerio Administration Console, go to the Logs section and select the Debug log.
Right-click on the log pane to open a context menu, and select Messages.
In the Logging messages dialog box, select User Authentication.
Confirm the changes with OK.
Once your problems are solved, it is recommended to disable the logging.