This article describes the resolution when domain users cannot log in to their accounts and the security logs show the following:
.... Authentication failed for user <username>. Attempt from IP address <IP address>. External authentication service rejected authentication due to invalid password or authentication restriction.
Debug logs with ‘User Authentication’ enabled show entries such as:
.... Clock skew too great. error code 0x96c73a25 (-1765328347)
The clock offset between Kerio and Active Directory (AD) is the root cause of the Kerberos authentication issue. Because Kerberos is very time-sensitive, you should configure your client machines to use one of your domain controllers as a Network Time Protocol (NTP) server.
- On domain controller (AD), open Group Policy Management Editor.
- Navigate to Kerberos Policy and open Maximum tolerance for computer clock synchronization Properties. If needed, decrease the value, e.g., to 2 minutes instead of 3.
- On Linux, check Timesync daemon (
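As an added example (not part of this article or of the Kerio product), the following POSIX shell script measures the offset between the local clock and a domain controller with `ntpdate -q` and compares it against the Kerberos tolerance in seconds. The host name `dc.example.com` and the sample `ntpdate` lines are assumptions.

```shell
#!/bin/sh
# Check this host's clock offset against a domain controller and compare it
# with the configured Kerberos clock-skew tolerance. Assumes `ntpdate` is
# installed; dc.example.com is a placeholder for your domain controller.

# Extract the offset in seconds (may be negative) from `ntpdate -q` output.
# Expected line shape: "server 10.0.0.1, stratum 3, offset -0.042317, delay 0.02567"
parse_ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-*[0-9.]*\),.*/\1/p' | head -n 1
}

# Return 0 when |offset| <= tolerance, 1 otherwise.
# $1: offset in seconds (decimal), $2: tolerance in seconds
skew_within_tolerance() {
    awk -v off="$1" -v tol="$2" 'BEGIN {
        if (off < 0) off = -off
        exit ((off <= tol) ? 0 : 1)
    }'
}

# Constructed sample output (not captured from a real host) for an offline check.
SAMPLE_OK='server 10.0.0.1, stratum 3, offset -0.042317, delay 0.02567'
SAMPLE_SKEW='server 10.0.0.1, stratum 3, offset 412.930001, delay 0.02567'

# Live check, e.g.: check_dc_skew dc.example.com 120
# A skew beyond the tolerance is what produces error -1765328347
# (KRB5KRB_AP_ERR_SKEW, "Clock skew too great") in the debug log.
check_dc_skew() {
    out=$(ntpdate -q "$1" 2>/dev/null) || { echo "NTP query to $1 failed"; return 2; }
    off=$(parse_ntpdate_offset "$out")
    if skew_within_tolerance "$off" "$2"; then
        echo "offset ${off}s is within the ${2}s tolerance"
    else
        echo "offset ${off}s exceeds the ${2}s tolerance: Kerberos logons will fail"
        return 1
    fi
}
```

Run `check_dc_skew <your-dc> <tolerance-seconds>` on the Kerio host; a non-zero exit means the clock must be synchronised before Kerberos logons will succeed.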
The domain users can log in to their accounts.