Authentication of users belonging to a particular domain can be set under Domains in the administration interface. On the Advanced tab in domain settings, parameters for user authentication can be set. When creating a user account you can choose how the given user will be authenticated (see chapter 8.2 Creating a user account). Different users can be authenticated using different methods in a single email domain.
This option is available only for installation on Linux.
PAM (Pluggable Authentication Modules) are authentication modules that can authenticate users of a specific domain (e.g. company.com) against the Linux server on which Kerio Connect is running. Use this option to specify the name of the PAM service (configuration file) used for authentication of users in this domain. The Kerio Connect installation package includes a configuration file for the keriomail PAM service (it can be found under /etc/pam.d/kerio-connect). It is strongly recommended to use this file. Details about PAM service configuration can be found in the documentation for your Linux distribution.
Kerberos is an authorization and authentication protocol (for details, see information at http://web.mit.edu/Kerberos/). Kerio Connect uses this protocol to authenticate users against the Kerberos server (e.g. in Active Directory).
In the appropriate item of the dialog box, specify the Kerberos system domain in which the users will be authenticated. Kerio Connect automatically uses capital letters for the name of the Kerberos realm.
If user accounts are saved in Active Directory or in Open Directory (see the Directory Service tab), you must specify the name of the Active Directory or Open Directory domain here. If you use the Directory Service tab to define Active Directory or Open Directory, this entry is filled in automatically.
If you use Open Directory or a stand-alone Kerberos server, check thoroughly that the Kerberos realm specified on the Advanced tab matches the name of the Kerberos realm in the file, especially this file’s default_realm value. As a result, the line may be for example:
default_realm = COMPANY.COM
Authentication settings for the individual platforms are described in chapter 26 Kerberos Authentication.
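The realm comparison described above can be scripted. The following is an added example, not part of Kerio Connect or of the original documentation; it assumes the Kerberos configuration file uses krb5.conf-style syntax with a [libdefaults] section, and the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in krb5.conf-style syntax (not taken from the page).
SAMPLE_CONFIG = """\
[libdefaults]
    default_realm = COMPANY.COM
    dns_lookup_kdc = true
[realms]
    COMPANY.COM = {
        kdc = kdc.company.com
    }
"""

def read_default_realm(config_text):
    """Return default_realm from the [libdefaults] section, or None if absent."""
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def check_realm(kerio_realm, config_text):
    """Return (ok, message) for the realm entered on the Advanced tab."""
    # The page says Kerio Connect upper-cases the realm name automatically.
    effective = kerio_realm.strip().upper()
    found = read_default_realm(config_text)
    if found is None:
        return False, "no default_realm in [libdefaults]"
    if found == effective:
        return True, f"{effective} matches default_realm"
    # Realm names are case-sensitive, so company.com != COMPANY.COM.
    kind = "case mismatch" if found.upper() == effective else "mismatch"
    return False, f"{kind}: default_realm is {found}, Kerio Connect uses {effective}"

if __name__ == "__main__":
    print(check_realm("company.com", SAMPLE_CONFIG))
```

A "case mismatch" result means the file holds the right realm in lower or mixed case; because Kerio Connect always uses the upper-case form, the file entry is the one to correct.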
The NT domain in which all users will be authenticated. The computer which Kerio Connect is running on must be a part of this domain.
company.com domain, the NT domain is
Users can use any interface for connection to Kerio Connect. However, each domain can be bound to one IP address. Binding an IP address to a domain saves users connecting from that IP address from having to include the domain in their username (e.g. firstname.lastname@example.org) at each login attempt. Such users can therefore log in with the user name alone (e.g. jsmith), as if connecting to the primary domain.
Correct functionality of binding of domains with an IP address requires at most one domain to be bound to each IP address. Otherwise the server would not recognize to which domain the username with no domain defined belongs.
Example: The computer which Kerio Connect is running on has two interfaces: 192.168.1.10 is deployed to the network of the company called Company and 192.168.2.10 is deployed to the network of AnotherCompany. A new user account called smith is added to the anothercompany.com domain (this domain is not primary). anothercompany.com is bound to the IP address 192.168.2.10. Users of this domain will not need to specify their domain name while connecting to Kerio Connect.
On the other hand, primary domain users have to specify their complete email addresses to connect to this interface.
If a problem arises with any of the authentication methods, you can enable logging of external user authentication in Kerio Connect:
Go to section Logs and select Debug.
Right-click on the log pane to open a context menu, and select Messages.
In the Logging messages dialog box, select Store Backup.
Confirm changes by OK.
Once your problems are solved, it is recommended to disable the logging.