Login problem on 64bit Windows when using Kerberos

Issue encountered

This article applies only to 64-bit Windows systems; 32-bit versions of Windows do not require these steps for Kerio MailServer user authentication.

This problem occurs when all of the following are true:

  1. Users are mapped from a Unix KDC (e.g. Open Directory) according to the following Microsoft Knowledge Base article
  2. Kerberos authentication is enabled
  3. Users are not mapped to the local database (using "ksetup /mapuser ldapuser@REALM localuser")

Then they cannot authenticate even though their username and password are correct. The warning log reports a problem similar to: Authenticating user xxx failed, error codes c000006d, 0, (1326) Logon failure: unknown user name or bad password.

Cause

This problem is caused by current API limitations.

Solutions

To solve this problem, you must map LDAP users to local user accounts. The solution is divided into two parts, the Open Directory part and the MS Windows part. COMPANY.COM is used as the realm in the following example.

Apple Open Directory configuration

  1. Open Workgroup Manager and switch to user management. You will see a list of users stored in the directory service.
  2. Create a test user in the directory service, for example a testuser account.
  3. Run kadmin or kadmin.local again and verify, using the listprincs command, that the user (principal name) testuser@COMPANY.COM was created.

MS Windows configuration

  1. Now we can map the Open Directory users (authenticated via Kerberos 5) to the Windows local users. The Open Directory user has the login name testuser; create the same user locally in Windows.
  2. Open the Support Tools command line again and run ksetup /mapuser testuser@COMPANY.COM testuser
  3. The user mapping can be done several times; each run of ksetup /mapuser adds a new user mapping. Do it for all user accounts. See the example below:
     ksetup /mapuser diradmin@COMPANY.COM administrator
     ksetup /mapuser user1@COMPANY.COM user1
     ksetup /mapuser user2@COMPANY.COM user1
     ksetup /mapuser *@COMPANY.COM anotheruser
     ksetup /mapuser * guest

The diradmin account will be mapped to the local administrator account on Windows, and the user1 and user2 accounts will both be mapped to the local user1 account on the Windows machine. All other accounts from the COMPANY.COM realm will be mapped to the anotheruser account. Accounts from any other Kerberos realm will be mapped to the local Windows guest account.

If the directory service username matches the local Windows one, it is good practice to set a random password for the local user account, to be sure that authentication really runs via Kerberos (if the Kerberos and local passwords are the same, the local account could be used instead of the Kerberos one).
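The Windows part of the procedure above (create the local account with a random password, then add the ksetup /mapuser mapping) can be scripted for a whole list of users. The following PowerShell script is an added example and is not part of the original article or of Kerio's own tooling; it assumes an elevated prompt on a Windows version that ships the LocalAccounts module (New-LocalUser, Get-LocalUser), and the principal-to-local-user table is a constructed sample.

```powershell
# Constructed sample: Kerberos principal -> local Windows account.
# Several principals may map to the same local account, as in the article.
$Mappings = @{
    'testuser@COMPANY.COM' = 'testuser'
    'user1@COMPANY.COM'    = 'user1'
    'user2@COMPANY.COM'    = 'user1'
}

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded (44 characters).
    # The value is never stored: the account is meant to be usable only via Kerberos.
    param([int]$Length = 32)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

foreach ($principal in $Mappings.Keys) {
    $localUser = $Mappings[$principal]

    # Create the local account only if it does not exist yet; never touch an
    # existing account's password here (an admin can do that with Set-LocalUser).
    if (-not (Get-LocalUser -Name $localUser -ErrorAction SilentlyContinue)) {
        $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        New-LocalUser -Name $localUser -Password $secret `
            -PasswordNeverExpires -UserMayNotChangePassword `
            -Description "Mapped from Kerberos realm, logon via ksetup mapping" | Out-Null
        Write-Host "Created local user '$localUser' with a random password"
    }

    # Add the mapping exactly as in the article: ksetup /mapuser <principal> <local user>
    ksetup /mapuser $principal $localUser
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ksetup /mapuser failed for $principal (exit code $LASTEXITCODE)"
    }
}

# Running ksetup without arguments prints the current configuration,
# including the user mappings just added, so the result can be checked.
ksetup
```

Running ksetup with no arguments afterwards lets you confirm that every "Mapping ... to ..." line you expect is present before testing a Kerio MailServer login.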