OS X Server: Enabling Kerberos authentication for Mail services when connected to an Active Directory server

To allow users from Active Directory to authenticate with Kerberos to the mail services provided by OS X Server, make the following changes.

This article has been archived and is no longer updated by Apple.

After you have configured your OS X Server to provide Mail services to users from the connected Active Directory, use the following steps to enable Kerberos authentication. 

  1. Enable Kerberos authentication for Mail:

    OS X Server (Mountain Lion):

    In the Server app, go to Mail > Authentication > click Edit. Choose "Custom" from the pop-up menu and check the Kerberos box.

    Lion Server:

    In Server Admin, go to Mail > Settings > Advanced > Security and check the box to enable Kerberos for IMAP/POP.

  2. Save the changes.

  3. For Mountain Lion: With a text editor, open /Library/Server/Mail/Config/dovecot/conf.d/10-auth.conf
    For Lion Server: With a text editor, open /etc/dovecot/conf.d/10-auth.conf

  4. Look through the document for the auth_gssapi_hostname value, and change the local host name of your server to "$ALL":

    auth_gssapi_hostname = example.server.lan

    ...would become

    auth_gssapi_hostname = "$ALL"

  5. Restart the Mail service.


Learn more

In OS X Lion only, toggling the Kerberos setting in Server Admin will reset the auth_gssapi_hostname value back to the default of your server's local host name, and you will need to repeat steps 3 through 5.
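
The configuration edit above, and the re-check needed after Server Admin resets the value on Lion, can be scripted. The following shell script is an added example, not part of Apple's article; the function names are hypothetical and the path in the usage comment is the Mountain Lion path from the article. It changes the file only when needed and keeps a .bak copy; the Mail service still has to be restarted afterwards.

```shell
#!/bin/sh
# Added example, not Apple's code. Function names are hypothetical.
# Dovecot reads "$ALL" (quotes included) as "accept any service principal
# in the keytab" rather than only the one built from the local host name.
WANT='auth_gssapi_hostname = "$ALL"'

# Print the effective (last uncommented) auth_gssapi_hostname value, if any.
gssapi_hostname_value() {
    awk '/^[ \t]*auth_gssapi_hostname[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
         }
         END { if (v != "") print v }' "$1"
}

# Set the value to "$ALL", keeping a .bak copy. Prints "unchanged" or "updated".
set_gssapi_all() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    if [ "$(gssapi_hostname_value "$conf")" = '"$ALL"' ]; then
        echo unchanged; return 0
    fi
    tmp="$conf.tmp.$$"
    # Pass 1 notes whether an uncommented setting exists; pass 2 rewrites it,
    # or else the first commented-out default, or else appends the line.
    awk -v want="$WANT" '
        NR == FNR { if (/^[ \t]*auth_gssapi_hostname[ \t]*=/) live = 1; next }
        {
            if (live) hit = /^[ \t]*auth_gssapi_hostname[ \t]*=/
            else      hit = !done && /^[ \t]*#[ \t]*auth_gssapi_hostname[ \t]*=/
            if (!hit) { print; next }
            if (!done) print want
            done = 1
        }
        END { if (!done) print want }
    ' "$conf" "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf" && rm -f "$tmp" || return 1
    echo updated
}

# Usage: sudo sh fix-gssapi.sh /Library/Server/Mail/Config/dovecot/conf.d/10-auth.conf
if [ -n "${1:-}" ]; then set_gssapi_all "$1"; fi
```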
