How to change a user’s authentication method from internal, to Active Directory or Open Directory

In some situations, you may have users configured in Kerio Connect with internal authentication and you would like to change their authentication method to a Directory Service. This can be done quite easily, and with little or no disruption to the user. The steps for this procedure are described below:

  1. Make sure that your Kerio Connect server is properly authenticated on the KerberosAn authentication protocol for client/server applications. domain of your Directory Server.
  2. Make sure that your Kerio Connect server is properly mapped to the Directory Server and the schema extensions have been installed.
  3. Log into the Web Administration and navigate to the Users dialog. (Accounts > Users).
  4. Edit the user and take note of any custom configurations such as email addresses, quotas, rights, or message restrictions.
  5. Remove the user you would like to authenticate against your Directory Server.
  6. When prompted, choose "Do not delete the user's message folder". Also, uncheck the option to remove aliases and other memberships as you will be immediately re-adding the user.
  7. Choose to add a user, and specify that they will be mapped from a directory service.
  8. Locate the user from the list and add them. Update any custom configuration regarding email addresses, quotas, rights or message restrictions.


The login name of the Directory based account must match the login name of the internal user account. If they differ, you will need to follow the instructions outlined in KB 243


You can also switch users from Directory based to Internal by reversing the instructions above.