Automatic Login redirection not working with 8.5
  •  
awpross

We just updated to version 8.5. Now the redirection to the login page is not working any more.

Before the Update:
1. User opens a website which requires login.
2. User is automatically redirected to login page and due to NTLM he is automatically logged in and redirected to the website.


After the Update to 8.5:
1. User opens a website which requires login.
2. User gets a Message "Access Denied"
3. User can click on "Anmeldeseite" ("Login") on the bottom of the "Access Denied" Page
4. User is now automatically logged in with NTLM and is redirected to the desired webpage



As you can see, this requires some additional steps to complete the login process which weren't required prior to 8.5

Is this a bug?? How to restore the old behaviour??

[Updated on: Thu, 19 February 2015 09:50]

  •  
luca.civinini@ctt

I also got this bug after upgrading to 8.5.
Please Kerio Support, tell us if this is an expected behaviour or a bug (luckily I updated one Kerio servicing a small office - about 60 - not the main one servicing 400 users...)
  •  
Dmitry Ignatenko

A similar problem. Users log in through a proxy, but are not authenticated automatically. Others receive access to the Internet without authorizing.
  •  
luca.civinini@ctt

Kerio Support, are you there?!?!?
Please tell us if we're missing something or a possible workaround. I've a branch office browsing the net without any control and this is really BAD.

Please do not leave us alone!
  •  
mlee (Kerio)

Started my dust-covered Active Directory Domain Controller just for this post.

I cannot replicate it, Firefox logged in straight away and the user can be seen in Active Hosts.

Enabled "User Authentication" in Debug log:
[24/Feb/2015 15:15:30] {auth} user lookup: adboy<_at_>what.ever
[24/Feb/2015 15:15:30] {auth} NTLM successfully authenticated user adboy<_at_>what.ever
[24/Feb/2015 15:15:30] {auth} User adboy<_at_>what.ever authenticated from 10.10.10.10 using NTLM

Any more info can help troubleshooting?

M.

  • Attachment: ad.png

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
luca.civinini@ctt

This is my configuration:
1) Kerio Control joined to an AD2008 Domain (but I think AD version is not important)
2) Traffic rule allowing access from any trusted interface to the internet using FTP and HTTP with default protocol inspection
3) Content filter rules:
   1. Rule to allow unauthenticated access to some sites
   2. Rule to allow internet access from user belonging to a specific AD Group
   3. Deny rule with a warning message ("please call IT Support to get Internet access")
   4. the built-in allow rule

Before upgrading to 8.5 users were redirected to the automatic login page and, after login, redirected to the requested page.
Now users are getting the page "Please call IT support to get Internet Access" followed by LOGIN button. If they press LOGIN they are correctly authenticated.

Using Google Chrome as well as IE as browser (no Firefox here by policy).
Am I missing something in my config?
Thanks
  •  
luca.civinini@ctt

Some other discovery...
On a working setup, when I go to http://www.some.where, I got redirected to http://my_kerio_server:4080/login/?dest=(some_long_string).

In the not working setup, when I go to http://www.some.where, I got redirected to http://ko_kerio_server:4080/nonauth/deny.php?dest=(some_long_string)
  •  
luca.civinini@ctt

Just to clarify. What is not working is the AUTOMATIC LOGIN using AD credentials.
If I manually click on the LOGIN link in the deny page things work OK.
  •  
mlee (Kerio)

Tried enabling user authentication in debug log? What's the result?

M.

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
Dmitry Ignatenko

Enable debug authentication.

If I connect through a proxy:

[25/Feb/2015 10:14:37] {auth} NTLM successfully authenticated user d.ignatenko<_at_>vrgaz.ru
[25/Feb/2015 10:14:37] {auth} User D.Ignatenko<_at_>vrgaz.ru authenticated from 10.4.136.31 using NTLM
[25/Feb/2015 10:14:58] {auth} Krb5: entering auth (user: D.Ignatenko<_at_>VRGAZ.RU)
[25/Feb/2015 10:14:59] {auth} Krb5: user D.Ignatenko<_at_>VRGAZ.RU authenticated.
[25/Feb/2015 10:14:59] {auth} Krb5: user D.Ignatenko authenticated.

If I connect through a NAT:
Log empty, but I have access to the Internet
  •  
luca.civinini@ctt

Hello,
attached some info about my rules.
Please note that NTLM in itself works. What is missing is the AUTOMATIC REDIRECTION to the login page (the page which says "Redirecting to login page, please wait a few seconds... If you are not redirected, click on this link")

Here is the authentication debug part:

[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] connect to www.symantec.com
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] connection established
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] response: HTTP/1.1 301 Moved Permanently
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] User not found for IP 192.168.xxx.yyyy in url_check()
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] URL not categorized, webfilter is not activated or guest traffic.
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] DENY content rule '[auth] Deny access with warning' GET http://www.symantec.com/
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] redirecting to /nonauth/deny.php




Then this is the part when I click the "login button"
[25/Feb/2015 18:08:06] {auth} empty NT domain name, user found in my_domain.fqdn
[25/Feb/2015 18:08:06] {auth} user lookup: my_user<_at_>my_domain.fqdn
[25/Feb/2015 18:08:06] {auth} NTLM successfully authenticated user my_user<_at_>my_domain.fqdn
[25/Feb/2015 18:08:06] {auth} User my_user<_at_>my_domain.fqdn authenticated from 192.168.xxx.yyyy using NTLM
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] New request 192.168.xxx.yyyy:2947 -> 23.223.67.127:80
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in request_read_header()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in url_check()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] URL not categorized, webfilter is not activated or guest traffic.
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] URL rules need content check.
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] request /
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] connect to www.symantec.com
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] connection established
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] response: HTTP/1.1 301 Moved Permanently
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in url_check()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] URL not categorized, webfilter is not activated or guest traffic.
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] ALLOW content rule '[auth] Authenticated Internet access' GET http://www.symantec.com/
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] persisting connection; server count: 1, client count: 1
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in request_read_header()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in url_check()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] URL not categorized, webfilter is not activated or guest traffic.
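
The pattern visible in the two log excerpts above (anonymous request, DENY rule, redirect to /nonauth/deny.php, then a successful NTLM login from the same address) can be picked out of a debug log automatically. This is an added example, not part of the original post and not Kerio code; the function name, the sample log, its addresses and host names are constructed, and the regular expressions assume only the line format quoted in this thread.

```python
import re
from datetime import datetime

# Constructed sample in the debug-log format quoted in this thread (placeholder addresses).
SAMPLE = """\
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] User not found for IP 192.168.0.10 in url_check()
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] DENY content rule '[auth] Deny access with warning' GET http://www.example.com/
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] redirecting to /nonauth/deny.php
[25/Feb/2015 18:08:06] {auth} User my_user@example.test authenticated from 192.168.0.10 using NTLM
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user@example.test for IP 192.168.0.10 in url_check()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] ALLOW content rule '[auth] Authenticated Internet access' GET http://www.example.com/
"""

LINE = re.compile(r"\[([^\]]+)\] \{(\w+)\} (?:\[ (\d+) \] )?(.*)")
NO_USER = re.compile(r"User not found for IP (\S+) in url_check\(\)")
DENY = re.compile(r"DENY content rule '(.+)' (\w+) (\S+)")
REDIRECT = re.compile(r"redirecting to (\S+)")
AUTHED = re.compile(r"User (\S+) authenticated from (\S+) using (\w+)")

def find_missed_login_redirects(log_text):
    """Return anonymous requests that got the deny page, plus any later login from that IP."""
    conns, logins, findings = {}, [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m[1], "%d/%b/%Y %H:%M:%S")
        mod, conn, msg = m[2], m[3], m[4]
        if mod == "auth":
            if (a := AUTHED.search(msg)):
                logins.append((ts, a[2], a[3]))  # (time, client IP, method)
        elif conn is not None:
            c = conns.setdefault(conn, {"first_seen": ts})
            if (n := NO_USER.search(msg)):
                c["ip"] = n[1]
            elif (d := DENY.search(msg)):
                c["rule"], c["url"] = d[1], d[3]
            elif (r := REDIRECT.search(msg)):
                c["redirect"] = r[1]
    for conn, c in conns.items():
        # Symptom: no user known for the IP, a DENY rule matched, client sent to the deny page.
        if {"ip", "rule"} <= c.keys() and c.get("redirect") == "/nonauth/deny.php":
            later = sorted((t, meth) for t, ip, meth in logins
                           if ip == c["ip"] and t >= c["first_seen"])
            gap = (later[0][0] - c["first_seen"]).total_seconds() if later else None
            findings.append({"conn": conn, "ip": c["ip"], "rule": c["rule"], "url": c["url"],
                             "login_after_s": gap, "method": later[0][1] if later else None})
    return findings

if __name__ == "__main__":
    for finding in find_missed_login_redirects(SAMPLE):
        print(finding)
```

A finding with a non-empty `login_after_s` means authentication itself works for that client and only the automatic redirect was skipped; `None` means the client never logged in after being denied.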

  •  
rjokl

This is confirmed a bug and will be fixed in 8.5.1, release is scheduled next week. As a workaround you can change the certificate used for web interface to e.g. one generated by Control.
  •  
tomislav.parcina

rjokl wrote on Tue, 03 March 2015 20:17
This is confirmed a bug and will be fixed in 8.5.1, release is scheduled next week. As a workaround you can change the certificate used for web interface to e.g. one generated by Control.


Hi rjokl,

thank you for your mail.

Can anybody from Kerio confirm this? Is there a publicly available bug tracker where we can see the details about the bug?

Best regards.

--
Tomislav Parčina
  •  
Brian Carmichael (Kerio)

We don't publish open bugs. However, we do note bug fixes in the release notes. 8.5.1 was released today, and the fix for this issue is included in the release notes http://www.kerio.com/support/kerio-control/release-history

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
tomislav.parcina

I have upgraded to 8.5.1 but I'm still experiencing the problem.

My setup:
- Windows 7 computers.
- Windows 2008 R2 domain
- Kerio Control 8.5.1

When user opens a web page that is allowed with this rule:
Source: Authenticated users
Destination: Internet interfaces
Service: HTTP and HTTPS
Action: Allow
And if user isn't authenticated with the Kerio Control (KC), KC won't allow the user to open the requested web page, and won't redirect him to the login page.

Can someone else confirm that the update didn't solve this issue?

Best regards.

--
Tomislav Parčina