imap authentication on frontend

InfoLP
Hello,
When I configure an IMAP account with the frontend as the server, I can't authenticate.
I find this message in the logs (xxx.xxx.xxx.xxx is the backend's IP):
May 8 16:04:53 kerio-frontend proxy: 2015/05/08 16:04:53 [error] 1909#0: *82 auth http server xxx.xxx.xxx.xxx:80 did not send server or port while in http auth state, client: yyy.yyy.yyy.yyy, server: 0.0.0.0:143, login: "ron@mydomain"

There is this line in the auth_http.conf file:
auth_http xxx.xxx.xxx.xxx:80/auth;

But I get a 403 error when I try http://xxx.xxx.xxx.xxx:80/auth.
How can the frontend authenticate if the backend's auth URL doesn't exist?

Thanks

[Updated on: Fri, 08 May 2015 17:51]


Jakub Schwarzmeier, Kerio
Hi,

The information returned by the backend on the "/auth" URL cannot be displayed in a web browser, as there are some special HTTP headers introduced by the frontend when doing auth stuff on that URL.

You can look at what happens inside the backend when resolving the "/auth" URL, and what makes the frontend unhappy:

Go to http://xxx.xxx.xxx.xxx/admin. In Administration, go to Logs, Debug, and enable HTTP Server logs. Now try to make an IMAP connection to the frontend and let's see what happens on the backend on the "/auth" URL.

You should find an entry starting with the "Search request for users home server" string in the HTTP Server log that should reveal what the issue is.

I will be interested in your findings.

Jakub

InfoLP
Hi,

Thank you for your response.

The result obtained in the test on the back-end server:

[11/May/2015 10:54:04] {https} Task 291 handler BEGIN
[11/May/2015 10:54:04] {https} Task 291 handler starting
[11/May/2015 10:54:04] {https} HTTP connection from yyyy.yyyy.yyyy.yyyy:34894 started
[11/May/2015 10:54:04] {https} GET request for URI /auth
[11/May/2015 10:54:04] {https} User-Agent header:
[11/May/2015 10:54:04] {https} Search request for user home server is not allowed from the client ip address.
[11/May/2015 10:54:04] {https} Response: HTTP/1.1 403 Forbidden
[11/May/2015 10:54:04] {https} Request finished in 0.00 s, received 172 bytes, sent 255 bytes
[11/May/2015 10:54:04] {https} Task 291 handler END

The result is weird, because in the administration console any address is allowed on the back-end server.

Front-end server IP: yyy.yyy.yyy.yyyy

Thanks

Jakub Schwarzmeier, Kerio
For frontend-to-backend connections, there is a special IP group defined on the backend. Only members of this group are allowed to get a response for the "/auth" URL request.

With the mailserver process stopped, you should check the Http table in mailserver.cfg, where the "FrontendNetwork" variable is of interest. The value of this variable is the name of the group of IP addresses for which the request on "/auth" will be fulfilled by the backend.

E.g.

<table name="Http">
...
<variable name="FrontendNetwork">Front-end nodes</variable>
</table>

<list name="IpAccessList">
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">192.168.0.0/255.255.255.0</variable>
<variable name="Enabled">1</variable>
<variable name="Desc">Allows front-end authentication protocol access</variable>
<variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
</list>

The content of the Http and IpAccessList tables has to be the same on all backends.

[Updated on: Mon, 11 May 2015 13:41]


InfoLP
That's the problem

My front-end IP is in the range "Front-end nodes"

<list name="IpAccessList">
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">10.0.0.0/255.0.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Desc">Allows front-end authentication protocol access</variable>
<variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">192.168.0.0/255.0.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Desc">Allows front-end authentication protocol access</variable>
<variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
</list>

<table name="Http">
....
<variable name="FrontendNetwork">Front-end nodes</variable>
</table>

But the server continues with the log:
Search request for user home server is not allowed from the client ip address.


Do you know where the "auth" file is on the backend server?
I would like to see the rules or something to understand the error :/

Jakub Schwarzmeier, Kerio
You have two members in a single "Front-end nodes" group. Both members have GroupGuid = a74ee767-03cc-4001-a885-aa4b19d5d1ea.
That is correct.

But both members of the group have the same Guid, meaning that these individuals are identical, i.e. only a single one of them is required to be used.
This is not what you want, I guess.

Change the Guid in one of the members to make it look like this, e.g.:

<list name="IpAccessList">
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">10.0.0.0/255.0.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Desc">Allows front-end authentication protocol access</variable>
<variable name="Guid">db0ba000-f7e0-11e4-a322-1697f925ec7b</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">192.168.0.0/255.0.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Desc">Allows front-end authentication protocol access</variable>
<variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
</list>
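To catch the duplicate-Guid mistake described above before restarting the mailserver, here is an added Python check (not Kerio's code and not part of this thread) that parses the Http and IpAccessList fragments of mailserver.cfg, reports any Guid shared by two members of the group named by FrontendNetwork, and tells whether a given frontend IP falls inside an enabled member of that group. The sample config and the frontend IPs are constructed, and the check assumes the Value field is a single address, net/prefix or net/mask as shown in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modelled on the mailserver.cfg fragments quoted above:
# two members of "Front-end nodes" that share one Guid, as in the failing config.
SAMPLE_CFG = """<config>
<table name="Http">
<variable name="FrontendNetwork">Front-end nodes</variable>
</table>
<list name="IpAccessList">
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">10.0.0.0/255.0.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">192.168.0.0/255.255.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
</list>
</config>"""

def _vars(item):
    # Flatten a <listitem> or <table> into {variable name: text}.
    return {v.get("name"): (v.text or "").strip() for v in item.findall("variable")}

def check_frontend_access(cfg_xml, frontend_ip):
    """Return (problems, allowed). problems lists Guids shared by several members of
    the group that Http/FrontendNetwork names (the backend keeps only one of them);
    allowed says whether frontend_ip lies inside an enabled member of that group."""
    root = ET.fromstring(cfg_xml)
    group = _vars(root.find("table[@name='Http']")).get("FrontendNetwork")
    members = [m for m in map(_vars, root.find("list[@name='IpAccessList']"))
               if m.get("Name") == group]
    problems = [f"Guid {g} is shared by {n} members of '{group}'; only one of them is kept"
                for g, n in Counter(m["Guid"] for m in members).items() if n > 1]
    ip = ipaddress.ip_address(frontend_ip)
    # ip_network accepts "addr", "net/prefix" and "net/dotted-mask" (strict=False).
    allowed = any(ip in ipaddress.ip_network(m["Value"], strict=False)
                  for m in members if m.get("Enabled") == "1")
    return problems, allowed

if __name__ == "__main__":
    print(check_frontend_access(SAMPLE_CFG, "10.20.30.40"))
```

Run it against a copy of mailserver.cfg with the table and list extracted, and an empty problems list plus allowed == True is what the backend needs before it will answer "/auth" for that frontend.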

InfoLP
From Webadmin I deleted the IP range and recreated it:

<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">10.0.0.0/255.0.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Desc">Allows front-end authentication protocol access</variable>
<variable name="Guid">f090491d-4246-4728-acb9-16cddf2262ac</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">192.168.0.0/255.255.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Desc">Allows front-end authentication protocol access</variable>
<variable name="Guid">da1b8aae-978d-45ad-b483-9eb881731a7c</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>

Now they don't have the same Guid... but I keep getting the same error log.
(Yes, I rebooted the server to "validate" the config.)

Do you think the problem may come from the URL yyy.yyy.yyy.yyyy/auth, or from the front-end when it sends information to the backend?

Jakub Schwarzmeier, Kerio
The backend simply does not trust the frontend's IP address.

In Webadmin, try to remove all "Front-end nodes" IP ranges, create the group "Front-end nodes" and insert only a single IP address, which is the IP address of the frontend.

Enable Logs -> Debug -> Local Services -> Distributed domain (near the bottom of the list). Try to connect with an IMAP client to the frontend and observe the logs again.



InfoLP
As you asked, I deleted all IP ranges in the group "Front-end nodes" and added only the IP of the front-end server.

<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">xxx.xxx.xxx.xxx</variable>
<variable name="Enabled">1</variable>
<variable name="Desc">Allows front-end authentication protocol access</variable>
<variable name="Guid">304f8114-8833-49c7-8f55-db6984fe0b71</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>

After enabling the Distributed Domain Service logs I see nothing. No line appears in the IMAP or Distributed Domain Service log.

In the frontend nginx log I can see this (yyy = backend IP, zzz = client IP, xxx = frontend IP):

2015/05/11 18:08:54 [error] 1916#0: *229 auth http server yyy.yyy.yyy.yyy:80 did not send server or port while in http auth state, client: zzz.zzz.zzz.zzz, server: 0.0.0.0:993, login: "ron"

In the backend log, I can see entries only for HTTP (nothing for IMAP or Distributed Domain Service):

[11/May/2015 18:08:54] {https} Task 39 handler BEGIN
[11/May/2015 18:08:54] {https} Task 39 handler starting
[11/May/2015 18:08:54] {https} HTTP connection from xxx.xxx.xxx.xxx:47906 started
[11/May/2015 18:08:54] {https} GET request for URI /auth
[11/May/2015 18:08:54] {https} User-Agent header:
[11/May/2015 18:08:54] {https} Search request for user home server is not allowed from the client ip address.
[11/May/2015 18:08:54] {https} Response: HTTP/1.1 403 Forbidden
[11/May/2015 18:08:54] {https} Request finished in 0.00 s, received 172 bytes, sent 255 bytes
[11/May/2015 18:08:54] {https} Task 39 handler END


Any other idea?

Thanks for your help

Jakub Schwarzmeier, Kerio
Do you have more than one backend deployed? A single backend provides no advantage over a single-server setup, and it is not supported in multi-server.

InfoLP
No, actually we have:
- 1 back-end
- 1 front-end
- 1 Directory
- 1 Puppetmaster

Jakub Schwarzmeier, Kerio
After you deploy the second backend, this issue will be resolved. Only then will the deployment be switched into Multi-Server mode.

You can deploy an additional backend anytime. Even now.

InfoLP
I'm deploying a second backend.
I'll try to keep you informed tomorrow.

Thank you for your help.

InfoLP
Hello,

After deploying a second backend:

[12/May/2015 12:16:56] {https} Task 2320 handler BEGIN
[12/May/2015 12:16:56] {https} Task 2320 handler starting
[12/May/2015 12:16:56] {https} HTTP connection from xxx.xxx.xxx.xxx:50922 started (from frontend network)
[12/May/2015 12:16:56] {https} GET request for URI /auth
[12/May/2015 12:16:56] {https} User-Agent header:
[12/May/2015 12:16:56] {https} Search request for users home server: used primary domain "lepoint.fr" for user "dmalfoy", original IP: "zzz.zzz.zzz.zzz"
[12/May/2015 12:16:56] {https} Search request for user home server: imap target server (zzz.zzz.zzz.zzz:143)
[12/May/2015 12:16:56] {https} Response: HTTP/1.1 200 OK
[12/May/2015 12:16:56] {https} Request finished in 0.00 s, received 176 bytes, sent 236 bytes
[12/May/2015 12:16:56] {https} Task 2320 handler END

So it is essential to have two backends for authentication via the proxy to work.


Thank you for your help