Administrator's Guide - Kerio Software Archive
Chapter 24
Kerberos Authentication

This chapter provides simple, well-organized guidelines for configuring user authentication against Kerberos.

Kerberos is a client-to-server system which enables authentication and authorization of users to increase security while using network resources. Kerberos is described by IETF RFC 4120. Kerio MailServer includes support for Kerberos V5.

Note: The following logs may be helpful while solving configuration issues:

• MS Windows — logs are located in the Start → Settings → Control Panel → Administrative Tools → Event Viewer menu
• Linux — logs can be found in the default directory /var/log/syslog
  However, this applies only to the Kerberos client. Logging of traffic at the server’s side can be performed by adding the following configuration into the /etc/krb5.conf file:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

  Note: These server-side logging settings apply to Kerberos MIT (the US implementation of Kerberos applied in the Active Directory and the Apple Open Directory). Logging settings for Kerberos Heimdal (the European implementation of Kerberos which can be found in several Linux distributions) may be different. [3]
• Mac OS X Server — logs in the Server Admin application (see chapter 24.4)
• Kerio MailServer — logs can be found in the Logs section of the administration console. In this case, the Warning, Error and Debug logs are to be considered (User Authentication must be running). For a detailed description of the individual logs, refer to chapter 22.

24.1 Kerio MailServer on Windows

Authentication against Active Directory

For authentication against Active Directory, it is necessary to specify the Active Directory’s domain name in Kerio MailServer. This can be set under domain settings in the Kerio Administration Console (see figure 24.1).

[3] The Kerberos Heimdal client is also included in the Linux installation packages of Kerio MailServer. It is, however, not important which version is used on the server (Key Distribution Center) and which is used at the client (Kerio MailServer in this case), since the protocol is the same and no problems should occur in the cooperation of the server and the client side.
Figure 24.1  Setting the Active Directory domain in Kerio MailServer

Specify the domain name in the Advanced dialog (see figure 24.1) and ensure that:

1. Kerio MailServer is a member of the domain to be authenticated against. If Kerio MailServer is not a member of the domain, Kerberos will not work and users will have to use a local password, i.e. one different from the password for the domain.

2. Kerio MailServer uses the Active Directory controller as its primary DNS server — this should be done automatically by adding the host to the domain (see item 1).
   If the network configuration requires authentication against multiple domain controllers at a time, add all domain controllers against which Kerio MailServer will authenticate as DNS servers. In this case, however, a special configuration of the DNS servers is required. Either the DNS servers must be set to forward queries to each other (if the query is not found in the proper database, it is forwarded to the domain controller), or all DNS servers must share the same primary parent DNS server.

3. The time of Kerio MailServer and Active Directory is synchronized — this should be done automatically by adding a host to the domain (see item 1).

Authentication against Open Directory

For authentication with Open Directory, Kerio MailServer’s Kerberos realm must be specified (e.g. COMPANY.COM).
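
Added example (not part of the Kerio guide): a small Python check for the [logging] section of /etc/krb5.conf described in the note on log locations above. It reports which of the three keys from the guide's snippet are missing and which destinations are malformed. The function names, the sample configurations and the rule that FILE paths must be absolute are assumptions of this example.

```python
import re

# The three [logging] keys shown in the guide's krb5.conf snippet.
EXPECTED = ("default", "kdc", "admin_server")
# Destination forms accepted by MIT krb5 in [logging].
KNOWN = re.compile(r"^(FILE[:=].+|SYSLOG(:.*)?|STDERR|CONSOLE|DEVICE=.+)$")

# Constructed samples: GOOD_CONF mirrors the guide; BAD_CONF is deliberately flawed.
GOOD_CONF = """\
[libdefaults]
default_realm = COMPANY.COM
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
"""
BAD_CONF = "[logging]\ndefault = FILE:krb5libs.log\nkdc = LOGFILE:/var/log/krb5kdc.log\n"

def logging_destinations(conf_text):
    """Return {key: [destinations]} from the [logging] section of krb5.conf text."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "logging" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found.setdefault(key, []).append(value)  # a key may be repeated
    return found

def audit_logging(conf_text):
    """List deviations from the three-key [logging] layout shown in the guide."""
    dests = logging_destinations(conf_text)
    problems = [f"{k}: no explicit destination" for k in EXPECTED if k not in dests]
    for key, values in dests.items():
        for value in values:
            if not KNOWN.match(value):
                problems.append(f"{key}: unrecognised destination {value!r}")
            elif value.startswith("FILE") and not value[5:].startswith("/"):
                problems.append(f"{key}: log path is not absolute: {value[5:]!r}")
    return problems

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, audit_logging(conf) or "ok")
```

To check a real server, pass the contents of /etc/krb5.conf to audit_logging(); an empty list means all three log files from the guide are configured.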