27.1  Kerio MailServer on Windows

Authentication against Active Directory

For authentication against Active Directory, the Active Directory domain name must be specified in Kerio MailServer. It is set under domain settings in the Kerio Administration Console (see figure 27.1  Setting the Active Directory domain in Kerio MailServer).

Figure 27.1. Setting the Active Directory domain in Kerio MailServer


Specify the domain name in the Advanced dialog (see figure 27.1  Setting the Active Directory domain in Kerio MailServer) and ensure that:

  1. Kerio MailServer is a member of the domain to be authenticated against. If Kerio MailServer is not a member of the domain, Kerberos authentication will not work and users will have to use a local password, i.e. one different from their domain password.

  2. Kerio MailServer uses the Active Directory domain controller as its primary DNS server. This should be configured automatically when the host is added to the domain (see item 1).

    If the network configuration requires authentication against multiple domain controllers at a time, add all domain controllers against which Kerio MailServer will authenticate as DNS servers. In this case, however, a special DNS server configuration is required: either the DNS servers must forward queries to each other (if a query cannot be answered from the server's own database, it is forwarded to the other domain controller), or all DNS servers must share the same primary parent DNS server.

  3. The time of Kerio MailServer and Active Directory is synchronized. This should happen automatically when the host is added to the domain (see item 1).

Authentication against Open Directory

For authentication against Open Directory, the Kerberos realm must be specified in Kerio MailServer (see figure 27.1  Setting the Active Directory domain in Kerio MailServer).

Specify the Open Directory domain name (Kerberos realm) in Kerio MailServer and ensure that:

  1. Kerio MailServer is a member of the Open Directory domain to be authenticated against. If Kerio MailServer is not a member of the domain, Kerberos authentication will not work and users will have to use a local password, i.e. one different from their domain password.

  2. The DNS server (IP address or DNS name of the computer where Apple Open Directory is running) is set correctly on the computer running Kerio MailServer.

  3. The time of Kerio MailServer and Open Directory is synchronized. This should happen automatically when the host is added to the domain (see item 1).

Authentication against a stand-alone Kerberos server

To use authentication against a stand-alone Kerberos server (Key Distribution Center), it is necessary to maintain the username and password database both in Key Distribution Center and in Kerio MailServer.

Specify the Kerberos area (Kerberos realm) name in Kerio MailServer (see figure 27.1  Setting the Active Directory domain in Kerio MailServer) and ensure that:

  1. Kerio MailServer is a member of the Kerberos area to be authenticated against. Usernames and passwords of all users created in Kerio MailServer must be defined in the Key Distribution Center (required for authentication in Kerberos).

  2. The DNS server must be set correctly on Kerio MailServer's host (the Key Distribution Center uses DNS queries).

  3. The time of Kerio MailServer and the Key Distribution Center (all hosts included in the Kerberos area) must be synchronized.

The Kerbtray utility can be used to test whether Kerio MailServer is able to authenticate against the Key Distribution Center.

This can be checked from the computer where Kerio MailServer will be installed. To check authentication from MS Windows, use the Kerbtray utility (see figure 27.2  Kerberos tickets displayed in Kerbtray), which can be downloaded free of charge from Microsoft's website. If Kerbtray finds no allocated tickets, authentication is not working and it is necessary to enable it in the KDC and start it.

Figure 27.2. Kerberos tickets displayed in Kerbtray
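The prerequisites listed above (domain membership, DNS pointing at the domain controller, synchronized clocks) and the ticket check that Kerbtray performs can all be verified from a PowerShell console on the host that will run Kerio MailServer. The script below is an added example and is not part of the Kerio documentation or product; the domain name is a placeholder to be replaced with your own, and it uses the built-in klist command as the console counterpart of Kerbtray. The SRV lookup and the clock-offset check apply equally to the Open Directory and stand-alone KDC cases (substitute the Kerberos realm for the domain name); only the domain-membership test is specific to Active Directory.

```powershell
# Added example (not from the Kerio documentation): verifies the Kerberos
# prerequisites on the Windows host that will run Kerio MailServer.
# $Domain is a placeholder; pass your real Active Directory domain name.
param(
    [string]$Domain = 'example.local'   # placeholder, not a real domain
)

$results = [ordered]@{}

# 1. Domain membership: Kerberos only works if the host is joined to the domain
#    (otherwise users fall back to local passwords, as the manual notes).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Domain member']    = $cs.PartOfDomain -and ($cs.Domain -ieq $Domain)
$results['Joined to']        = $cs.Domain

# 2. DNS: the configured DNS servers must be able to answer the Kerberos SRV
#    query, which is how the host locates the KDC (domain controller).
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
$results['DNS servers'] = ($dnsServers -join ', ')
try {
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    # Lowest priority value wins; weight breaks ties among equal priorities.
    $kdc = ($srv | Sort-Object Priority, Weight | Select-Object -First 1).NameTarget
    $results['KDC via SRV'] = $kdc
} catch {
    $kdc = $null
    $results['KDC via SRV'] = "lookup failed: $($_.Exception.Message)"
}

# 3. Time: Kerberos rejects tickets when the clock offset exceeds the permitted
#    skew (5 minutes by default in Active Directory). w32tm /stripchart reports
#    the offset to the KDC as lines of the form "HH:MM:SS, +00.0012345s".
if ($kdc) {
    $lines = w32tm /stripchart /computer:$kdc /samples:3 /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if ($offsets) {
        $max = ($offsets | ForEach-Object { [math]::Abs($_) } |
            Measure-Object -Maximum).Maximum
        $results['Max clock offset (s)'] = $max
        $results['Clock within 5 min']   = ($max -lt 300)
    } else {
        $results['Max clock offset (s)'] = 'no samples (w32tm could not reach the KDC)'
    }
}

# 4. Tickets: Kerbtray (figure 27.2) lists the tickets held by the logged-on
#    user; klist, built into current Windows versions, prints the same list.
#    A ticket-granting ticket (krbtgt/<REALM>) proves the KDC issued a ticket.
$klist = klist 2>&1 | Out-String
$results['Kerberos TGT present'] = ($klist -match 'krbtgt/')

[PSCustomObject]$results | Format-List
```

Run it as the account that will be used for testing, e.g. `.\Check-KerberosPrereqs.ps1 -Domain corp.example` (file name and domain are assumptions). A False in "Domain member", a failed SRV lookup, or an offset above 300 seconds corresponds directly to items 1, 2 and 3 of the list above; a missing TGT with the other checks passing points at the KDC side, which is the case the Kerbtray paragraph describes.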


When the previous steps have been completed successfully, set authentication in Kerio MailServer on the Advanced tab under Configuration → Domains (see chapter 7.7  Authentication of domain users).