How do I configure KMS on a child Active Directory domain?
Step 1 - Configure Active Directory
Ensure that the entire Active Directory structure is configured properly, including setting up internal DNS properly and setting up appropriate trusts between the parent and child domains.
Step 2 - Install Kerio Active Directory Extensions
The Kerio Active Directory Extensions (KADE) only need to be installed on the schema master, which is normally the parent domain controller. The Kerio Active Directory Extensions can be downloaded here. For more information refer to Kerio Active Directory Extension.
Step 3 - Join KMS Machine To Domain
Because of the trust relationships that are set up between the parent and the child domains, you can technically join the KMS machine to either the parent domain or any child domain. Please contact your operating system vendor for more information on joining a computer to an Active Directory domain.
Step 4 - Configure Domains Within KMS
Now you need to configure your mail domains in KMS and set each of them to map to the appropriate Active Directory domain name. For more information refer to Connecting Kerio Connect to directory service. Please note that on the Advanced tab you will need to set the Kerberos 5 Realm field to the Active Directory domain name you are mapping to. So if you are mapping to a child domain, you will need to enter the full child domain name in that field.
Step 5 - Testing/Troubleshooting
Now that everything is configured you should test to make sure that users are able to log in successfully. The easiest way to verify that authentication is working is to log in as a user from each domain in Webmail. Please remember that any user not in the primary mail domain will need to use the full email address in the username field. If you are unable to log in as a user, this usually indicates a configuration issue either in Active Directory or within KMS. The best place to look is the Warning log.
Example Error Messages In Warning Log
[29/Nov/2005 16:26:18] Kerberos 5 auth: user user@CHILD.ADDOMAIN.TEST not authenticated, error code c000005e
[29/Nov/2005 16:26:18] Win Error: 1311 - There are currently no logon servers available to service the logon request.
[29/Nov/2005 16:26:18] HTTP/Webmail: Invalid password for user firstname.lastname@example.org. Attempt from IP address 10.0.0.180.
One cause of this is that the Kerberos 5 Realm setting on the Advanced tab when editing the domain is not set properly. It needs to be set to the actual Active Directory domain. In this example you will notice that the warning log gives the full user info (user@CHILD.ADDOMAIN.TEST), which tells you what the Kerberos 5 Realm setting currently is. The "user" is actually in the parent domain, ADDOMAIN.TEST, but for this example I specified the wrong Active Directory domain in order to generate this error message. This same error message will also be displayed if the machine that is running KMS is not joined to the domain. Ensure that the machine is properly joined to the Active Directory domain. Again, it does not matter which Active Directory domain it is joined to.
[29/Nov/2005 16:24:53] HTTP/Webmail: User email@example.com doesn't exist. Attempt from IP address 10.0.0.180
This indicates that the user used the wrong mail domain in the username field. Please ensure that the user is specifying the correct mail domain when logging into the server.
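As an added example (not part of the original article or of Kerio's own tooling), the following script applies the two troubleshooting rules from Step 5 to warning-log lines: it reads the realm out of a "Kerberos 5 auth ... not authenticated" entry, compares it with the Active Directory domain each mail domain should map to, and flags "User ... doesn't exist" entries as a wrong mail domain in the username. The EXPECTED_REALM mapping and the log sample are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the warning-log lines quoted above.
SAMPLE_LOG = """\
[29/Nov/2005 16:26:18] Kerberos 5 auth: user user@CHILD.ADDOMAIN.TEST not authenticated, error code c000005e
[29/Nov/2005 16:26:18] Win Error: 1311 - There are currently no logon servers available to service the logon request.
[29/Nov/2005 16:26:18] HTTP/Webmail: Invalid password for user firstname.lastname@example.org. Attempt from IP address 10.0.0.180.
[29/Nov/2005 16:24:53] HTTP/Webmail: User email@example.com doesn't exist. Attempt from IP address 10.0.0.180
"""

# Hypothetical mapping of each KMS mail domain to the AD domain its users really
# live in, i.e. the value the Kerberos 5 Realm field on the Advanced tab should hold.
EXPECTED_REALM = {"example.org": "ADDOMAIN.TEST"}

KRB_RE = re.compile(r"Kerberos 5 auth: user \S+?@(?P<realm>\S+) not authenticated")
WEBMAIL_RE = re.compile(
    r"HTTP/Webmail: (?:Invalid password for user|User) (?P<addr>\S+?)\.?"
    r"(?: doesn't exist)?\.? Attempt from IP address (?P<ip>\d+(?:\.\d+){3})")

@dataclass
class Finding:
    kind: str    # "realm_mismatch", "not_joined" or "wrong_mail_domain"
    detail: str

def triage(log_text: str, expected_realm: dict) -> list:
    """Classify Kerio warning-log lines into the failure modes described above."""
    findings = []
    last_realm = None  # realm from the most recent Kerberos failure, i.e. the configured Kerberos 5 Realm
    for line in log_text.splitlines():
        if (m := KRB_RE.search(line)):
            last_realm = m.group("realm")
        elif (m := WEBMAIL_RE.search(line)):
            addr, ip = m.group("addr"), m.group("ip")
            mail_domain = addr.rpartition("@")[2]
            if "doesn't exist" in line:
                findings.append(Finding("wrong_mail_domain",
                    f"{addr} from {ip}: '{mail_domain}' is not the user's mail domain in KMS"))
            elif last_realm is not None:
                want = expected_realm.get(mail_domain)
                if want and want.upper() != last_realm.upper():
                    findings.append(Finding("realm_mismatch",
                        f"{mail_domain}: Kerberos 5 Realm is '{last_realm}', should be '{want}'"))
                else:
                    findings.append(Finding("not_joined",
                        f"{mail_domain}: realm '{last_realm}' looks right; check the KMS host is joined to AD"))
                last_realm = None
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_REALM):
        print(f.kind, "-", f.detail)
```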