Overview
When Kerio Control users are mapped from Active Directory (AD) and the synchronization between Kerio Control and AD breaks, users cannot browse through Kerio Control because their authentication fails. The Kerio Control logs then show errors such as:
{auth} Krb5: get_init_creds_password(krbtgt/domain.com@domain.com,
username@domain.com): Preauthentication failed, error code 0x96c73a18 (-1765328360)
{auth} Krb5: get_init_creds_password(krbtgt/domain.com@domain.com,
username@domain.com): Clock skew too great, error code 0x96c73a25 (-1765328347)
Solution
This issue occurs when the clock offset between Kerio Control (KC) and the Domain Controller (DC) is too large for Kerberos. Kerberos rejects any request whose timestamp differs from the KDC's clock by more than a small tolerance (5 minutes by default on both MIT Kerberos and Windows domain controllers), so even a modest drift stops the synchronization. The "Clock skew too great" error reports exactly that condition; "Preauthentication failed" means the DC could not validate the client's encrypted pre-authentication timestamp, which also happens when the password used for the account is wrong, so confirm the credentials are current as well. The steps below require administrator access to Kerio Control (web console and SSH):
- Synchronize the KC and DC clocks against the same time source: use Kerio Control's global NTP servers, or, if you run an on-premise NTP server, point both KC and the DC at that server.
- To raise the connection and operation timeouts KC uses for AD (to 300 and 60 respectively), SSH into KC and run the following two commands:
/opt/kerio/winroute/tinydbclient "update LdapAttributes set ConnectionTimeout=300 where Type=ADS"
/opt/kerio/winroute/tinydbclient "update LdapAttributes set OpTimeout=60 where Type=ADS"
- On KC, delete all the contents of
/var/winroute/star/cache/
- Restart the Kerio Control engine (the winroute service) by executing
/etc/boxinit.d/60winroute restart
- Log in to the KC web console as an administrator.
- Go to Configuration > Domains and User Login > Directory Services and unjoin KC from the AD domain.
- Go to Status > System Health and click Reboot.
- After the reboot, rejoin KC to the AD domain.
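As an added example (not Kerio's own tooling or a command from this article), the POSIX shell script below triages the two {auth} Krb5 errors from a copy of the Kerio Control log and checks a measured clock offset against the 5-minute tolerance Kerberos applies by default. The log lines embedded in the script are constructed to match the format quoted above, and the function and variable names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not Kerio Control's own tooling. Triages the {auth} Krb5 errors
# quoted in this article and checks a clock offset against the Kerberos default
# tolerance. Function and variable names are the example's own choices.

# Constructed sample in the log format quoted in the article (one line per error).
KERIO_AUTH_LOG_SAMPLE='{auth} Krb5: get_init_creds_password(krbtgt/domain.com@domain.com, username@domain.com): Preauthentication failed, error code 0x96c73a18 (-1765328360)
{auth} Krb5: get_init_creds_password(krbtgt/domain.com@domain.com, user2@domain.com): Clock skew too great, error code 0x96c73a25 (-1765328347)
{auth} Krb5: get_init_creds_password(krbtgt/domain.com@domain.com, user3@domain.com): Clock skew too great, error code 0x96c73a25 (-1765328347)'

# Default maximum clock skew Kerberos tolerates (5 minutes), in seconds.
MAX_SKEW_SECS=300

# Map the decimal libkrb5 error code printed in parentheses to a short cause.
#   -1765328347 = KRB5KRB_AP_ERR_SKEW        (clocks differ by more than the tolerance)
#   -1765328360 = KRB5KDC_ERR_PREAUTH_FAILED (KDC could not validate the pre-auth timestamp)
krb5_cause() {
    case "$1" in
        -1765328347) echo "clock-skew" ;;
        -1765328360) echo "preauth-failed" ;;
        *)           echo "other" ;;
    esac
}

# Read log text on stdin, keep only the Krb5 "error code" lines, and print one
# "<cause> <count>" line per cause, e.g. "clock-skew 2".
count_krb5_failures() {
    sed -n 's/.*error code 0x[0-9a-f]* (\(-[0-9]*\)).*/\1/p' |
    while read -r code; do krb5_cause "$code"; done |
    sort | uniq -c | awk '{ print $2, $1 }'
}

# Succeed (exit 0) when two epoch timestamps (KC clock, DC clock) are within
# MAX_SKEW_SECS of each other, i.e. a Kerberos KDC would accept the request.
skew_ok() {
    delta=$(( $1 - $2 ))
    delta=${delta#-}            # absolute value
    [ "$delta" -le "$MAX_SKEW_SECS" ]
}

# Stand-alone run: summarise the sample, then show one in-tolerance and one
# out-of-tolerance offset relative to this host's clock.
printf '%s\n' "$KERIO_AUTH_LOG_SAMPLE" | count_krb5_failures
kc_now=$(date +%s)
skew_ok "$kc_now" "$(( kc_now + 120 ))" && echo "120 s offset: within Kerberos tolerance"
skew_ok "$kc_now" "$(( kc_now + 600 ))" || echo "600 s offset: Kerberos will reject, fix NTP first"
```

Run count_krb5_failures over the real log before and after the steps above; the clock-skew count should drop to zero once KC and the DC share a time source, while a persistent preauth-failed count points at credentials rather than time. skew_ok takes two epoch timestamps, so you can pass `date +%s` from the KC shell together with the DC's current time obtained out of band.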