SYMPTOMS
After upgrading MailEnable and choosing to upgrade ASP web mail to ASP.NET web mail, users can no longer authenticate via web mail when using integrated Active Directory authentication. The response returned is "unknown user name / disabled user". This happens for all users logging in with a browser, on both remote machines and the local machine.
CAUSE
Server security policies are preventing the IME_ADMIN account from authenticating the instance of web mail or web administration. This is a result of either the server's effective policies or the IME_ADMIN account not being assigned the policy rights outlined in the resolution section below.
RESOLUTION
These are the requirements for the IME_ADMIN account. This account also has to be a member of the domain.
- Logon as batch job: enables IME_ADMIN to run COM under this user account.
- Logon as service: enables users to set the IME_ADMIN to logon using the configured account.
- Shut down the system: allows the IME_ADMIN to restart the server if configured to do so when recovery of a service fails.
- Debug programs: enables IME_ADMIN to contact processes that are secured, such as ASP and IIS applications.
- Increase quotas: required for operating system CreateProcessAsUser call.
- Act as part of the operating system: required for operating system LogonUser call.
- Bypass traverse checking: required for operating system LogonUser call.
- Replace a process level token: required for operating system LogonUser call.
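To check the list above against a server, the following PowerShell script exports the user-rights assignments with secedit and reports which of the eight rights are assigned directly to the account. It is an added example, not MailEnable's own code; the domain name EXAMPLE and the temporary file name are placeholders.

```powershell
# Added example (not from MailEnable): report which of the rights listed above
# are assigned directly to the web mail account. Run from an elevated prompt
# on the MailEnable server.
param([string]$Account = 'EXAMPLE\IME_ADMIN')  # EXAMPLE is a placeholder domain

# Names as given in the article, mapped to the Windows user-right constants.
$required = [ordered]@{
    'Logon as batch job'                  = 'SeBatchLogonRight'
    'Logon as service'                    = 'SeServiceLogonRight'
    'Shut down the system'                = 'SeShutdownPrivilege'
    'Debug programs'                      = 'SeDebugPrivilege'
    'Increase quotas'                     = 'SeIncreaseQuotaPrivilege'
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Bypass traverse checking'            = 'SeChangeNotifyPrivilege'
    'Replace a process level token'       = 'SeAssignPrimaryTokenPrivilege'
}

# secedit writes most principals as *SID, so resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area to a temporary file (placeholder name).
$cfg = Join-Path $env:TEMP 'ime-admin-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse "SeXxx = *S-1-5-...,Name" lines into right -> list of principals.
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

# A right can also reach the account through a group, so DirectlyAssigned =
# False means "review the Holders column", not necessarily "missing".
$shortName = $Account.Split('\')[-1]
foreach ($entry in $required.GetEnumerator()) {
    $holders = @($assigned[$entry.Value])
    [pscustomobject]@{
        Policy           = $entry.Key
        Constant         = $entry.Value
        DirectlyAssigned = ($holders -contains $sid) -or ($holders -contains $shortName)
        Holders          = $holders -join ', '
    }
}
```

Several of these rights (Debug programs, Act as part of the operating system, Replace a process level token) are highly privileged, so the Holders column is also useful for confirming that no unexpected accounts hold them.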
If the above policy changes do not work, the following may help diagnose the problem further. The problem could be that the IME_ADMIN account used to run web mail does not have permissions to update the account information. To test this, add the IME_ADMIN account to the administrators group for the domain. If the test is successful, you can then look into changing the access to only allow access to Active Directory.
It is possible to test this and prove that the IME_ADMIN account does not have correct permissions by completing the following:
1. Create a domain account called "mailenable". Log on to web mail using this new domain account. This should fail to log in, stating that the user is unknown.
2. Log in using the "mailenable" account using POP. This authentication method should work, as the services are running under the system account, which will most likely have permissions. This will prove that the authentication failure is due to permission deficiencies for the IME_ADMIN account, as it only occurs for the web mail service, which runs using the IME_ADMIN account.
While you are diagnosing these permission errors, the Event Logs will contain further information and reasons why authentication is failing.
MORE INFORMATION
Unable to login to web mail: http://www.mailenable.com/kb/content/article.asp?ID=ME020255
Product: MailEnable (ME-2.X)
Category: Other
Article: ME020464
Module: General
Keywords: integrated,authentication,ad,.net,fail,login,error,unknown
Class: BUG: Product Defect/Bug
Revised: Wednesday, May 4, 2016
Author: MailEnable
Publisher: MailEnable