OS X Server: Enabling Kerberos authentication for Mail services when connected to an Active Directory server

Summary

To allow users from an Active Directory to authenticate with Kerberos to the mail services provided by OS X Server, you will need to make the following changes.

Products Affected

Lion Server, OS X Server (Mountain Lion)

After you have configured your OS X Server to provide Mail services to users from the connected Active Directory, use the following steps to enable Kerberos authentication. 

  1. Enable Kerberos authentication for Mail:

     OS X Server (Mountain Lion): In the Server app, go to Mail > Authentication and click Edit. Choose "Custom" from the pop-up menu and check the Kerberos box.

     Lion Server: In Server Admin, go to Mail > Settings > Advanced > Security and check the box to enable Kerberos for IMAP/POP.

  2. Save the changes.

  3. With a text editor, open the Dovecot authentication configuration file:

     Mountain Lion: /Library/Server/Mail/Config/dovecot/conf.d/10-auth.conf
     Lion Server: /etc/dovecot/conf.d/10-auth.conf

  4. Look through the file for the auth_gssapi_hostname value, and change your server's local host name to "$ALL". For example:

     auth_gssapi_hostname = example.server.lan

     ...would become

     auth_gssapi_hostname = "$ALL"

  5. Restart the Mail service.
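The auth_gssapi_hostname edit above, scripted as an added example (this is not part of Apple's article and not Apple's tooling). It assumes the path to 10-auth.conf is passed as the first argument, that the file contains exactly one active (uncommented) auth_gssapi_hostname line, and that the shell running it has write access to that directory for the backup copy. It reads the current value first, keeps a timestamped backup, and only then rewrites the line, so a file that does not match the expected layout is left untouched.

```shell
#!/bin/sh
# Added example: set auth_gssapi_hostname = "$ALL" in a Dovecot 10-auth.conf.
# Assumptions: the config path is given as $1 and has one active
# auth_gssapi_hostname line (commented-out lines are ignored).
set -eu

# Print the active auth_gssapi_hostname value (empty output if none is set).
get_gssapi_hostname() {
    sed -n 's/^[[:space:]]*auth_gssapi_hostname[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Rewrite the active auth_gssapi_hostname line to "$ALL", keeping a backup.
# Returns 1 and changes nothing if the file has no active setting to edit.
set_gssapi_hostname_all() {
    conf="$1"
    if [ -z "$(get_gssapi_hostname "$conf")" ]; then
        echo "no active auth_gssapi_hostname line in $conf" >&2
        return 1
    fi
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$conf.tmp.$$"
    # Single quotes keep $ALL literal for sed; the value is written with quotes,
    # exactly as the article shows it.
    sed 's/^\([[:space:]]*auth_gssapi_hostname[[:space:]]*=[[:space:]]*\).*$/\1"$ALL"/' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Run directly with the config path as the argument, e.g.
#   sh set-gssapi-all.sh /Library/Server/Mail/Config/dovecot/conf.d/10-auth.conf
if [ "$#" -gt 0 ]; then
    echo "before: $(get_gssapi_hostname "$1")"
    set_gssapi_hostname_all "$1"
    echo "after:  $(get_gssapi_hostname "$1")"
fi
```

Dovecot documents "$ALL" (with the quotes) as accepting any host principal present in the keytab rather than only the one matching the server's own host name, which is why the article's change lets clients that reach the server under a different name still authenticate. After the rewrite, restart the Mail service as the article says; Dovecot reads this file only at startup.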


Additional Information

In OS X Lion only, toggling the Kerberos setting in Server Admin resets the auth_gssapi_hostname value to its default (your server's local host name), so you will need to repeat steps 3 through 5.
