7.7  Authentication of domain users

Authentication of users belonging to a particular domain is configured under Domains in the administration interface. The Advanced tab of the domain settings holds the parameters for user authentication. When creating a user account you choose how that particular user will be authenticated (see chapter 8.2  Creating a user account), so different users in a single email domain can be authenticated using different methods.

Figure 7.8. Domain settings — parameters for user authentication


Linux PAM

In the Kerio Administration Console, this option is available only in installations for Linux.

PAM (Pluggable Authentication Modules) are authentication modules that can authenticate users of a specific domain (e.g. company.com) against the Linux server on which Kerio MailServer is running. Use this option to specify the name of the PAM service (configuration file) used for authentication of users in this domain. The Kerio MailServer installation package includes a configuration file for the keriomail PAM service (it can be found under /etc/pam.d/keriomail). It is strongly recommended to use this file. Details about PAM service configuration can be found in the documentation of your Linux distribution.

Kerberos 5

Kerberos is an authorization and authentication protocol (for details, see information at http://web.mit.edu/Kerberos/). Kerio MailServer uses this protocol to authenticate users against the Kerberos server (e.g. in Active Directory).

In the appropriate item of the dialog box, specify the Kerberos system domain, where the users will be authenticated. Since Kerio MailServer 6.0.9, the name of the Kerberos realm must be in capital letters.

If user accounts are stored in Active Directory or in Open Directory (see the Directory Service tab), the name of the Active Directory or Open Directory domain must be specified here. If you use the Directory Service tab to define the Active Directory or Open Directory connection, this entry is filled in automatically.

Warning

If you use Open Directory or a stand-alone Kerberos server, check thoroughly that the Kerberos realm specified on the Advanced tab matches the name of the Kerberos realm in the /Library/Preferences/edu.mit.Kerberos file. In particular, it must match the default_realm value in this file. The line may read, for example, default_realm = COMPANY.COM

Authentication settings for the individual platforms are described in chapter 27  Kerberos Authentication.
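The check recommended in the warning above can be scripted. The following Python example is added here and is not part of the Kerio MailServer product or its documentation. It assumes that /Library/Preferences/edu.mit.Kerberos uses the usual krb5.conf layout with a [libdefaults] section (an assumption; the file contents below are constructed sample data), and it verifies the two requirements stated on this page: the realm entered on the Advanced tab must be in capital letters and must equal default_realm in the file.

```python
import re
import sys
from typing import Optional

# Constructed sample standing in for /Library/Preferences/edu.mit.Kerberos
# (krb5.conf layout assumed). Only the [libdefaults] section matters here.
SAMPLE_KERBEROS_CONF = """\
[libdefaults]
    default_realm = COMPANY.COM   # realm used when none is given
    dns_lookup_kdc = true

[realms]
    COMPANY.COM = {
        kdc = od.company.example
    }
"""


def default_realm_from_conf(text: str) -> Optional[str]:
    """Return the default_realm value from the [libdefaults] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None


def check_realm(configured_realm: str, conf_text: str) -> list[str]:
    """Compare the realm from the Advanced tab with the Kerberos config file.

    Returns a list of problems; an empty list means the settings are consistent.
    """
    problems = []
    if configured_realm != configured_realm.upper():
        problems.append(f"realm '{configured_realm}' is not in capital letters")
    file_realm = default_realm_from_conf(conf_text)
    if file_realm is None:
        problems.append("no default_realm found in [libdefaults]")
    elif file_realm != configured_realm:
        problems.append(
            f"realm '{configured_realm}' does not match default_realm '{file_realm}'"
        )
    return problems


if __name__ == "__main__":
    # Usage: python check_realm.py REALM [path-to-edu.mit.Kerberos]
    # Without a path the constructed sample above is used.
    realm = sys.argv[1] if len(sys.argv) > 1 else "COMPANY.COM"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            conf = fh.read()
    else:
        conf = SAMPLE_KERBEROS_CONF
    for problem in check_realm(realm, conf) or ["realm setting is consistent"]:
        print(problem)
```

Run it with the realm you entered on the Advanced tab and the path of the Kerberos file; any line of output other than the "consistent" message points at a mismatch that would make authentication against Open Directory or the stand-alone Kerberos server fail.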

Windows NT domain

The NT domain in which all users will be authenticated. The computer which Kerio MailServer is running on must be a part of this domain.

Example:

For the company.com domain, the NT domain is COMPANY.

Bind this domain to specific IP address

Users can connect to Kerio MailServer through any interface. However, each domain can be bound to one IP address. Binding a domain to an IP address saves users connecting through that IP address from having to include the domain in the username (e.g. wsmith@company.com) at each login. Such users can log in with the bare user name (e.g. wsmith), just as if they were connecting to the primary domain.

For domain binding to work correctly, at most one domain may be bound to each IP address. Otherwise the server could not tell which domain a username without a domain belongs to.

Example: The Kerio MailServer host uses two interfaces. 192.168.1.10 is connected to the network of the company called Company and 192.168.2.10 to the network of AnotherCompany. A new user account called smith is added to the anothercompany.com domain (this domain is not the primary one).

The anothercompany.com domain is bound to the IP address 192.168.2.10. Users of this domain will not need to specify their domain name when connecting to Kerio MailServer.

Note: On the other hand, primary domain users have to specify their complete email addresses when connecting through this interface.
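The resolution rule described above can be modelled in a few lines. The following Python example is added here and is not Kerio MailServer code; it reproduces the example setup (primary domain company.com, anothercompany.com bound to 192.168.2.10) and shows how a login name is completed from the local address the connection arrived on, including the "at most one domain per IP address" rule and the note about primary domain users. The class and function names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DomainBindings:
    """Model (assumed, for illustration) of the per-domain 'Bind this domain to
    specific IP address' setting: maps a domain to the local interface address."""

    primary_domain: str
    bound: dict[str, str] = field(default_factory=dict)  # domain -> IP address

    def bind(self, domain: str, ip: str) -> None:
        """Bind a domain to a local IP address, refusing a second domain on the same IP."""
        for other_domain, other_ip in self.bound.items():
            if other_ip == ip and other_domain != domain:
                raise ValueError(f"{ip} is already bound to {other_domain}")
        self.bound[domain] = ip

    def resolve_login(self, username: str, local_ip: str) -> str:
        """Return the fully qualified login for a connection that arrived on local_ip.

        A username that already contains '@' is taken as given. A bare username
        gets the domain bound to local_ip, or the primary domain if none is bound.
        """
        if "@" in username:
            return username
        ip_to_domain = {ip: domain for domain, ip in self.bound.items()}
        domain = ip_to_domain.get(local_ip, self.primary_domain)
        return f"{username}@{domain}"


def build_example_bindings() -> DomainBindings:
    """The setup from the example: two interfaces, one non-primary domain bound."""
    bindings = DomainBindings(primary_domain="company.com")
    bindings.bind("anothercompany.com", "192.168.2.10")
    return bindings


if __name__ == "__main__":
    b = build_example_bindings()
    # smith on the AnotherCompany interface needs no domain in the username
    print(b.resolve_login("smith", "192.168.2.10"))
    # a bare username on an unbound interface falls back to the primary domain
    print(b.resolve_login("smith", "192.168.1.10"))
    # a primary domain user on the bound interface must give the full address
    print(b.resolve_login("wsmith@company.com", "192.168.2.10"))
```

The fallback to the primary domain is why a primary domain user who connects through 192.168.2.10 with only "wsmith" would be resolved as wsmith@anothercompany.com, which is exactly the situation the note above warns about.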

Troubleshooting of external authentication issues

If a problem arises with any of the authentication methods, Kerio MailServer can log external user authentication:

  1. In the Kerio Administration Console, go to the Logs section and select the Debug log.

  2. Right-click on the log pane to open a context menu, and select Messages.

  3. In the Logging messages dialog box, select User Authentication.

  4. Confirm the changes by clicking OK.

Once the problem is solved, it is recommended to disable this logging again.