MailStore – User authentication fails if directory service is Kerio Connect
ID: 13589
Summary
When user synchronization uses the Kerio API, user authentication is performed against Kerio Connect’s IMAP server. When a MailStore user tries to log in to MailStore, MailStore passes the provided credentials to the Kerio IMAP server and performs a login attempt. If this attempt is successful, the user is logged in to MailStore.
Cause
Depending on the environment, there are different reasons why user authentication against Kerio Connect fails:
- MailStore connects to the Kerio IMAP server via IMAP-TLS or IMAP-SSL and the Kerio IMAP server uses a certificate that MailStore does not trust. The connection to the IMAP server cannot be established, so the provided credentials cannot be verified.
- Kerio Connect is synchronized with an Active Directory and MailStore is synchronized with Kerio Connect. User authentication with Windows Authentication fails.
- Kerio Connect is synchronized with an Active Directory and MailStore is synchronized with Kerio Connect. User authentication with Standard Authentication fails.
When a user wants to log in to MailStore, MailStore passes the given credentials to Kerio Connect’s IMAP server. If the IMAP server advertises CRAM-MD5 or DIGEST-MD5 in its capabilities, MailStore uses only these authentication methods. Both are challenge-response mechanisms that require Kerio Connect to know the user’s clear-text password. When Kerio Connect is synchronized with an Active Directory, it never has access to the users’ passwords, so the authentication always fails.
Resolution
- Replace the certificate used by Kerio Connect with one that is trusted by MailStore, or enable the option Ignore SSL Warnings in the Authentication section of the directory service settings.
- MailStore’s “Windows Authentication” only works when MailStore is synchronized with an Active Directory directly. Use “Standard Authentication” instead. The MailStore user’s “Login Name”, which is usually the user’s email address, has to be entered as the username.
- Log in to Kerio Connect’s admin interface, navigate to Configuration > Security > Security policy > Enabled authentication methods and disable the CRAM-MD5 and DIGEST-MD5 authentication methods. PLAIN, LOGIN, or both must remain enabled.
NTLM is not supported by MailStore; it can remain enabled, as MailStore will not use it.
Be aware that disabling these authentication methods forces IMAP clients to send user passwords in clear text to Kerio Connect. Only STARTTLS and/or IMAPS connections should be allowed then, so that the clear-text exchange is always protected by TLS.
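The following script is an added example and is not MailStore or Kerio code. It applies the mechanism selection rule described in the Cause section (CRAM-MD5 or DIGEST-MD5 win if advertised, otherwise PLAIN or LOGIN must be available) to a Kerio Connect CAPABILITY response and reports which of the three resolutions applies. The sample capability lines are constructed; `probe()` is the only part that talks to a real server, and it surfaces an untrusted certificate as a verification error rather than silently ignoring it. The assumption that a disabled LOGIN method shows up as the `LOGINDISABLED` capability is the author’s, not something Kerio documents.

```python
"""Diagnose MailStore -> Kerio Connect IMAP authentication failures.

Added example (not MailStore/Kerio code). Mirrors the rule from the
article: if the server advertises CRAM-MD5 or DIGEST-MD5, a MailStore-like
client tries only those; otherwise PLAIN or LOGIN must be usable.
"""
import imaplib
import ssl

CHALLENGE_RESPONSE = ("CRAM-MD5", "DIGEST-MD5")   # need the clear-text password server-side


def parse_capabilities(capability_line):
    """Turn a raw '* CAPABILITY ...' line into a set of upper-case tokens."""
    tokens = capability_line.strip().split()
    if [t.upper() for t in tokens[:2]] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def auth_mechanisms(caps):
    """SASL mechanisms advertised as AUTH=<name> tokens."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def select_mechanism(caps):
    """Return the mechanism a MailStore-like client would use, or None."""
    mechs = auth_mechanisms(caps)
    for m in CHALLENGE_RESPONSE:          # preferred whenever offered
        if m in mechs:
            return m
    if "PLAIN" in mechs:
        return "PLAIN"
    # Assumption: the IMAP LOGIN command is usable unless the server
    # advertises LOGINDISABLED; AUTH=LOGIN is the SASL form of the same exchange.
    if "LOGIN" in mechs or "LOGINDISABLED" not in caps:
        return "LOGIN"
    return None


def diagnose(caps, users_synced_from_ad):
    """Map a capability set to the matching resolution from the article."""
    mech = select_mechanism(caps)
    if mech in CHALLENGE_RESPONSE and users_synced_from_ad:
        return ("fail", mech + " is advertised but Kerio Connect does not know the "
                "AD users' clear-text passwords; disable CRAM-MD5 and DIGEST-MD5 in "
                "Configuration > Security > Security policy")
    if mech is None:
        return ("fail", "neither PLAIN nor LOGIN is available; enable at least one")
    return ("ok", "MailStore will authenticate with " + mech)


def probe(host, port=993):
    """Fetch the live capability set over IMAPS with certificate verification.

    A certificate MailStore does not trust surfaces here as
    ssl.SSLCertVerificationError (resolution 1). Relaxing the context is the
    equivalent of MailStore's 'Ignore SSL Warnings' option and is deliberately
    not done here.
    """
    ctx = ssl.create_default_context()
    try:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    except ssl.SSLCertVerificationError as exc:
        return ("cert-error", str(exc))
    try:
        return ("ok", set(conn.capabilities))
    finally:
        conn.logout()


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real Kerio server.
    samples = {
        "default Kerio": "* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=LOGIN",
        "after fix":     "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
        "nothing left":  "* CAPABILITY IMAP4rev1 LOGINDISABLED",
    }
    for name, line in samples.items():
        print(name, "->", diagnose(parse_capabilities(line), users_synced_from_ad=True))
```

Run `probe("mail.example.com")` against the Kerio host MailStore is configured with: a `cert-error` result points at resolution 1, while a capability set containing `AUTH=CRAM-MD5` or `AUTH=DIGEST-MD5` with AD-synchronized users points at resolution 3.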