Overview
When mapping users from Active Directory in Kerio Control, the following errors are displayed:
"Cannot contact domain controller right now."
"Success. But note the fact that the firewall has been disconnected only locally due to the following error."
Environment
Kerio Control joined to an Active Directory domain
Prerequisites
Admin access to the DNS Server
Root Cause
Kerio Control tries to bind to the domain controller's LDAP service using SASL/DIGEST-MD5. The domain controller does not accept this mechanism and rejects the bind with "Authentication method not supported" (LDAP result code 7, authMethodNotSupported). Kerio Control then falls back to its default authentication method, and the join is reported as successful but with limited functionality; that is what the second message above indicates.
The following line from the debug log shows the corresponding error:
[01/Feb/2018 19:29:42] {user_db} ldapc: Can't bind to LDAP server ug-print1.ug.local using SASL/DIGEST-MD5 authentication. User name: test.userv@UG.local. Message: Authentication method not supported, code: 7. ThreadId: 3309.
To resolve this issue, create _kerberos TXT records for the domain on the DNS server, as described below, so that Kerio Control can resolve the Kerberos information for the domain through DNS and bind with Kerberos instead of falling back to SASL/DIGEST-MD5.
Process
- Add a TXT record named _kerberos to the DNS server, with your domain name as its value. In the example, the domain name is UG.local.
- Add a second TXT record named _kerberos to the DNS server, with the IP address of the subdomain as its value. In the example, the IP address of the subdomain is 10.1.0.6.
- Unjoin Kerio Control from AD, reboot Kerio Control from Status > System Health, then re-join Kerio Control to AD.
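The two DNS steps above, as an added example that is not part of the original article and not Kerio Control's own tooling. It assumes the DNS server is a Windows DNS server managed with the DnsServer PowerShell module (RSAT or run directly on the server), and that the DNS server to manage is the domain controller seen in the debug log, ug-print1.ug.local; that server name, the function names and the idempotency check are assumptions for illustration. The zone ug.local, the values UG.local and 10.1.0.6, and the record name _kerberos come from the article.

```powershell
# Added example, not from the Kerio/GFI article. Requires the DnsServer module
# (Windows DNS role or RSAT) and DNS admin rights on the target server.

function Add-KerberosTxtRecord {
    param(
        [Parameter(Mandatory)] [string]$ZoneName,   # e.g. ug.local
        [Parameter(Mandatory)] [string]$Value,      # e.g. UG.local or 10.1.0.6
        [string]$DnsServer = 'localhost'            # assumption: the DNS server to manage
    )
    # Several TXT records may share the name _kerberos, so only add a value that is not already there.
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name '_kerberos' -RRType Txt -ErrorAction SilentlyContinue
    if ($existing | Where-Object { $_.RecordData.DescriptiveText -eq $Value }) {
        Write-Host "_kerberos TXT '$Value' already exists in zone $ZoneName"
        return
    }
    Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name '_kerberos' -Txt -DescriptiveText $Value
    Write-Host "Added _kerberos TXT '$Value' to zone $ZoneName"
}

function Test-KerberosTxtRecord {
    param(
        [Parameter(Mandatory)] [string]$ZoneName,
        [Parameter(Mandatory)] [string[]]$ExpectedValues,
        [string]$DnsServer = 'localhost'
    )
    # Query the records back the way a client does: a TXT lookup of _kerberos.<zone>.
    $answer = Resolve-DnsName -Name "_kerberos.$ZoneName" -Type TXT -Server $DnsServer -ErrorAction Stop
    $found = @($answer | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings })
    $missing = @($ExpectedValues | Where-Object { $found -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "Missing _kerberos TXT value(s) in $ZoneName : $($missing -join ', ')"
    }
    return $found
}

# Steps 1 and 2 of the article, using its example values (server name is an assumption):
$dns = 'ug-print1.ug.local'
Add-KerberosTxtRecord -ZoneName 'ug.local' -Value 'UG.local' -DnsServer $dns
Add-KerberosTxtRecord -ZoneName 'ug.local' -Value '10.1.0.6' -DnsServer $dns

# Confirm both values resolve before step 3 (unjoin, reboot, re-join Kerio Control):
Test-KerberosTxtRecord -ZoneName 'ug.local' -ExpectedValues 'UG.local', '10.1.0.6' -DnsServer $dns
```

Run the check from a host that uses the same DNS servers Kerio Control is configured with, so that a record present on the server but not reachable through Kerio Control's resolver path is caught before the re-join; the reboot in step 3 also clears any negative cache Kerio Control may hold from earlier failed lookups.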
Additional Information
For more detail when troubleshooting, enable the following Debug log categories in Kerio Control:
- User authentication
- User database
Confirmation
The error messages are no longer displayed, and the settings are saved and applied successfully.