This article has been archived and is no longer updated by Apple.

OS X Server: Enabling Kerberos authentication for Mail services when connected to an Active Directory server

To allow Active Directory users to authenticate with Kerberos to mail services provided by OS X Server, you will need to make the following changes.

After you have configured your OS X Server to provide Mail services to users from the connected Active Directory, use the following steps to enable Kerberos authentication.

  1. Enable Kerberos authentication for Mail:

    • OS X Server (Mountain Lion):

        • In the Server app, go to Mail > Authentication and click Edit. Choose "Custom" from the pop-up menu and check the Kerberos box.

    • Lion Server:

        • In Server Admin, go to Mail > Settings > Advanced > Security and check the box to enable Kerberos for IMAP/POP.

  2. Save the changes.

  3. For Mountain Lion: With a text editor, open /Library/Server/Mail/Config/dovecot/conf.d/10-auth.conf

    For Lion Server: With a text editor, open /etc/dovecot/conf.d/10-auth.conf

  4. Find the auth_gssapi_hostname setting in the file, and change its value from the local host name of your server to "$ALL":

    auth_gssapi_hostname = example.server.lan

    ...would become

    auth_gssapi_hostname = "$ALL"

  5. Restart the Mail service.

Learn more

In OS X Lion only, toggling the Kerberos setting in Server Admin will reset the auth_gssapi_hostname value back to the default of your server's local host name, and you will need to repeat steps 3 through 5.
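
To confirm the result of steps 3 through 5, and to catch the reset described above, you can read back the effective setting from 10-auth.conf. The script below is an added example, not Apple's; its function names and the sample file are constructed for illustration. Dovecot documents "$ALL" as allowing all keytab entries, so review which service principals the server's keytab contains.

```shell
#!/bin/sh
# Added example: report the effective auth_gssapi_hostname in a Dovecot 10-auth.conf.
# Function names are hypothetical; they are not part of OS X Server or Dovecot.

# Print the effective (last uncommented) auth_gssapi_hostname value, quotes stripped.
gssapi_hostname_value() {
    awk '
        /^[ \t]*#/ { next }                       # skip commented-out settings
        /^[ \t]*auth_gssapi_hostname[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)           # drop the key and equals sign
            sub(/[ \t]+$/, "", v)                 # drop trailing blanks
            sub(/^"/, "", v)                      # drop the opening quote
            sub(/"$/, "", v)                      # drop the closing quote
            val = v                               # a later line overrides an earlier one
        }
        END { print val }
    ' "$1"
}

# Return 0 when the setting is "$ALL"; otherwise report what was found and return 1.
check_gssapi_all() {
    value=$(gssapi_hostname_value "$1")
    if [ "$value" = '$ALL' ]; then
        echo "OK: auth_gssapi_hostname = \"\$ALL\" in $1"
        return 0
    fi
    echo "RESET NEEDED: auth_gssapi_hostname is '${value:-unset}' in $1" >&2
    return 1
}

# Constructed sample: the state left behind after the Kerberos box is toggled on Lion.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#auth_gssapi_hostname = "$ALL"
auth_gssapi_hostname = example.server.lan
EOF
check_gssapi_all "$sample" || echo "Repeat steps 3 through 5, then restart the Mail service."
rm -f "$sample"

# On a server, pass the path from step 3 instead, for example:
#   check_gssapi_all /Library/Server/Mail/Config/dovecot/conf.d/10-auth.conf
```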
