Overview

When mapping users to Active Directory services, the following errors are displayed:

"Cannot contact domain controller right now."

"Success. But note the fact that the firewall has been disconnected only locally due to the following error."

---

Environment

Kerio Control bonded to Active Directory

---

Prerequisites

Admin access to the DNS Server

---

Root Cause

The customer is using the Kerberos authentication method that uses the SASL/MD5 Digest. Kerio Control does not support this by default, but the server will still connect using the default authentication method. This error message indicates that the server connected successfully but with limited functionality.

The following log string shows an error you may find in the debug logs.

[01/Feb/2018 19:29:42] {user_db} ldapc: Can't bind to LDAP server ug-print1.ug.local using SASL/DIGEST-MD5 authentication. User name: test.userv@UG.local. Message: Authentication method not supported, code: 7. ThreadId: 3309.

To resolve this issue, you can configure the server settings to use SASL/MD5 authentication by creating .txt records for the domains to the DNS server, as detailed in this article.

Back to top

---

 

Process

1. Add a TXT record named _kerberos with your domain name value to the DNS server, as shown below. In the example below, the domain name is UG.local.

   

2. Add a TXT record named _kerberos with the value of the IP address of the subdomain to the DNS server. In the example below, the IP address of the subdomain is 10.1.0.6. 

   

3. Unjoin Kerio Control from AD, reboot Kerio Control from Status > System Health, then re-join Control back to AD.

   

Back to top

---

Additional Information

For advanced verbose mode, you can enable the following Debug logs:

• User authentication
• User database

Back to top

---

Confirmation

The error messages are no longer displayed, and the settings will be saved and applied successfully.

---

 

Back to top