LDAP authentication issue with Kerio Connect

Tags: active-directory, kerio, ldap, windows-server-2003

We have Kerio Connect (mail server) running on a Windows Server 2003 server on a domain. In the webmail client, users are able to change their domain password. This functionality used to work fine until a user tried to change their password a few days ago, when every password they'd try would result in the webmail client claiming their password was "invalid". I spoke to Kerio about this and they claim that this error is returned by the domain controller, which supports my initial investigations.

The error that the DC is logging when an attempt is made to change the password is this:

"80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece"

The "data 52e" part indicates that this is an "invalid credentials" error. I don't see how this can be as I've tried (in the Kerio Connect configuration) various accounts that have privileges to modify accounts, including my own as I am a domain admin.

I have run 'dcdiag' (all tests) on the DC and it came back passing every single one of them. I've searched high and low for an answer to this and came up empty.

Does anyone have any idea why this may have suddenly started happening?

Thanks!

Edit: I should mention that the passwords we are changing to do comply with the complexity policy.

Best Answer

What privileges does the account Kerio is using have? And is the user who can't change their password in one of the groups that is protected by the AdminSDHolder process?

If the Kerio account was given explicit permissions on the accounts to change their passwords and the problem account is protected by AdminSDHolder, the security ACLs on that account might be getting reset and preventing the Kerio account from doing what it's allowed to do on the rest of the accounts.
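To check both parts of this answer, here is an added PowerShell/ADSI snippet (not from the question, the answer, or Kerio) that lists every user flagged adminCount=1, shows whether AdminSDHolder has stamped an inheritance-blocked DACL on it, and prints the explicit ACEs granting the Reset Password or Change Password rights. It assumes a domain-joined host with PowerShell and the .NET DirectoryServices stack; the Kerio service-account name is a placeholder.

```powershell
# Added example: enumerate AdminSDHolder-protected users (adminCount=1) and inspect
# each one's DACL for inheritance blocking and explicit password-related ACEs.
# Assumes a domain-joined host; the account name below is a placeholder, not a
# value from the question.
$kerioAccount = "DOMAIN\kerio-svc"   # placeholder: the account configured in Kerio Connect

$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(adminCount=1))"
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")

# Well-known schema GUIDs of the two password-related extended rights.
$passwordRights = @{
    "00299570-246d-11d0-a768-00aa006e0529" = "Reset Password"
    "ab721a53-1e2f-11d0-9819-00aa0040529b" = "Change Password"
}
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    $acl   = $entry.ObjectSecurity          # System.DirectoryServices.ActiveDirectorySecurity
    $name  = $entry.Properties["sAMAccountName"].Value

    # AdminSDHolder rewrites the DACL with inheritance disabled; that is the tell-tale sign
    # that permissions delegated on an OU (or directly on the object) have been wiped.
    "{0}: inheritance blocked = {1}" -f $name, $acl.AreAccessRulesProtected

    # Explicit (non-inherited) ACEs that grant either password right, with the trustee.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { ($_.ActiveDirectoryRights -band $extendedRight) -ne 0 } |
        Where-Object { $passwordRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            $flag = if ($_.IdentityReference.Value -eq $kerioAccount) { " <-- Kerio account" } else { "" }
            "    {0,-16} {1,-30} {2}{3}" -f $passwordRights[$_.ObjectType.ToString()],
                $_.IdentityReference.Value, $_.AccessControlType, $flag
        }
}
```

The trustee comparison only matches a grant made directly to the Kerio account, so a grant made through a group it belongs to will show the group name instead. If a protected user's list lacks any ACE for the Kerio account (or its group) while an unprotected user's list has one, that confirms the AdminSDHolder reset described in the answer.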