Automatic Login for accounts in Active Directory
  •  
perbauer

I have through the years (been using Control since it was WinRoute) always had more or less trouble with the Automatic Login for accounts in Active Directory. As you see in the attached picture my account has clearly logged on three different devices automatically. But in the picture it also shows as if I have nothing that can login automatically.

I also often find users in the logs (like Authentication in Debug) that have long since been deleted in AD but that still use the automatic login by MAC or IP address.

It was a minor problem back in the day when I could get to and edit the winroute.cfg file. Is that still a possibility now that I use virtual appliance? Can I import and export the configuration file somehow? That would be terrific.

Has anyone else had this problem? Is there a way to force the synchronization and perhaps deleting of expired Active Directory user accounts?
Is there a trustworthy way to see or extract which users have Automatic Login?

  •  
Kerio Blue

I see a similar issue when I use the 'Web usage' portal. User accounts are not being synchronized. There are quite a few people listed which are no longer in our organization.
  •  
perbauer

Also...
Every ten minutes I see this in the Debug log (Messages / User authentication). I see it for these exact same four users every time, at exactly every ten minutes:
[10/Dec/2015 14:58:59] {auth} user 'user#1@mydomain.local' not found
[10/Dec/2015 14:58:59] {auth} user 'user#2@mydomain.local' not found
[10/Dec/2015 14:58:59] {auth} user 'user#3@mydomain.local' not found
[10/Dec/2015 14:58:59] {auth} user 'user#4@mydomain.local' not found

Dumb thing is that these users are actually logged into the firewall. They have clearly been found in the AD. Which means that the log is wrong.

Can anyone from Kerio please comment? Is there some way to "strengthen" the bond between KControl and AD?
  •  
perbauer

Damn and blasted! Looked for an error and since the MAC was listed for the user I didn't consider that this bug was in play. But the AutoLogon didn't work although the user clearly had the mobile's MAC in his account.

Please Kerio, can you reply to this thread and say what you think.
1. Is it I that's doing something wrong or is it a bug? (I'm not doing anything wrong)
2. Has this bug been in KC since always? (yes it has been there for many years now)
3. Are you tracking it and what kind of logs can I provide you with to help you out? I really really want to help Kerio in any way I can to fix the bug.

Either fixing it or I'd like to get a repair tool, or button, or something that resets AutoLogon. That lists what's really set on all the users.

  •  
Brian Carmichael (Kerio)

Hi Perbauer,

In your first post you asked how to edit the configuration file directly with the virtual appliance. This is possible; the steps are described here: http://kb.kerio.com/1745

You might also refer to this KB article for guidance on user authentication: http://kb.kerio.com/1811
A point that may not be mentioned in the documentation is that within the users dialog, you can enable viewing of additional columns. There you can enable viewing of the "Automatic login" column to see which users have it configured.

Regarding your error/bug, I suggest reaching out to our technical support. They can review your configuration and logs and help you to track down the issue.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
perbauer

Hi Brian. (Remember me? You and Jeffrey Wadlow were the first ones I came in contact with all those years ago when I started with Winroute)

Anyway, I'll check out the link on SSH you provided. The other link, on user authentication, was nothing new to me.

I also wanted to point out to you the pictures in the very first post in this thread. There you can see that I already show the column you wrote about. One of the problems is exactly that, that what you describe is not working! I cannot see who has Auto Logon set because the column is mostly blank. As you see in the "01 Status" picture clip, the user is logged on by Automatic. Although the user has nothing in the column, it's blank, but still he gets logged on automatically!

The column is not blank for all users though. My last post talks about the opposite. The user's mobile's MAC address is written and also shown in the Auto Logon column but still the mobile does not get logged on automatically.

Then there is the problem about the debug log that states that four users are not found but still those users get logged in automatically.

[Updated on: Tue, 22 December 2015 19:40]

  •  
Brian Carmichael (Kerio)

Hi, yes I recognize your name from many years ago. I see you did include a screenshot of the users dialog with the automatic login column and it is empty. Perhaps the user is logged in automatically via NTLM: http://kb.kerio.com/product/kerio-control/server-configuration-kerio-control/authenticating-users-to-kerio-control-1811.html#sect-userauth

  •  
perbauer

Sorry, but that can't be. Since your software clearly shows how a user was logged in.

  •  
Petr Dobry (Kerio)

There are some cases which might seem "mysterious" even though they are perfectly OK.

- authentication based on MAC address might not work when wireless devices are behind an access point which is not in bridge mode, but in NAT mode (and therefore Control can't see the devices' MAC addresses)
- authentication works automatically even when not defined for the user when you use RADIUS to login wireless clients

Not sure if that could be your case. I'm afraid we will need to see config files and full debug log with User database and User authentication messages enabled.

[Updated on: Wed, 23 December 2015 10:35]


Petr Dobry
Product Development Manager | Kerio
  •  
perbauer

Sorry no, the devices authenticate fine over wireless. Your second suggestion does not apply to us either, we do not use Radius for authentication.

I think we should exclude my last thread post and focus on the first one. Where the problem was that users are being authenticated although the MAC address that I once entered in on the users is no longer visible in users properties. That should be the first problem to solve I think.

I've activated the Debug log, I'll let it run now and send it to you later when it has gathered some data. I've had the User Authentication activated for a long time so there is much data on that.
I will send you the latest backup file.

I submitted a Tech Support ticket (ID: RDN-383179). I've sent you the first file through there.
  •  
Brian Carmichael (Kerio)

Looking back at your original post, the authenticated user is perb@hptronic.local however the screenshot from your users shows a different user per.Bauer.

  •  
perbauer

Ahaa! Yes, you're absolutely right. That must be where the problem lies.
I've joined, un-joined and re-joined to the domain a couple of times I think. Have had a bit of trouble getting a steady connection and I've also changed the AD-reading-admin account at least once. So the mapping has been restarted a couple of times.
Below is how the config files look today for two accounts. For the user j1.s2 the MAC he uses is indeed showing in the UI's column Automatic logins under Users. But for my account name >Per.Bauer< it's not visible in the UI since Kerio no longer finds that name in the config winroute.cfg file, since it is called >perb@hptronic.local< there.

Question is though, why does KC compare the
winroute.cfg <variable name="Username"> with userDB.cfg <variable name="Name">?
Why not use the variable UUID instead? Since that is not changing between mappings of domain accounts. If KC already uses the UUID to compare then this puzzle is not yet solved.


from file winroute.cfg
<list name="AutoLogins">
<listitem>
<variable name="Username">j1.s2@hptronic.local</variable>
<variable name="UUID">7f3431e1-9e1c-406a-ad94-bb851c1e7f01</variable>
<variable name="IpAddr">0.0.0.0</variable>
<variable name="IpGroup"></variable>
<variable name="MacAddr">0CE7258C1BE0</variable>
<variable name="IpType">macAddress</variable>
</listitem>

<listitem>
<variable name="Username">perb@hptronic.local</variable>
<variable name="UUID">6080f412-8a8d-4bfb-8b42-3aae0eb2c534</variable>
<variable name="IpAddr">0.0.0.0</variable>
<variable name="IpGroup"></variable>
<variable name="MacAddr">D4F46F7E32C9</variable>
<variable name="IpType">macAddress</variable>
</listitem>

from file userDB.cfg
<list name="UsersData">
<listitem>
<variable name="UUID">7f3431e1-9e1c-406a-ad94-bb851c1e7f01</variable>
<variable name="Name">j1.s2</variable>

<listitem>
<variable name="UUID">6080f412-8a8d-4bfb-8b42-3aae0eb2c534</variable>
<variable name="Name">Per.Bauer</variable>
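
The cross-check described in the post above can be scripted against exported copies of the two files. This is an added example, not part of the original thread and not Kerio code. It joins AutoLogins to UsersData on UUID and flags entries whose login name differs from the user database name or whose UUID has no user at all. The wrapping `<config>` element, the function names and the third (orphaned) entry are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the layout quoted in the post. The wrapping <config>
# element and the third (orphaned) entry are assumptions made for this example.
WINROUTE_CFG = """<config><list name="AutoLogins">
<listitem><variable name="Username">j1.s2@hptronic.local</variable>
 <variable name="UUID">7f3431e1-9e1c-406a-ad94-bb851c1e7f01</variable>
 <variable name="MacAddr">0CE7258C1BE0</variable></listitem>
<listitem><variable name="Username">perb@hptronic.local</variable>
 <variable name="UUID">6080f412-8a8d-4bfb-8b42-3aae0eb2c534</variable>
 <variable name="MacAddr">D4F46F7E32C9</variable></listitem>
<listitem><variable name="Username">former.user@hptronic.local</variable>
 <variable name="UUID">00000000-0000-0000-0000-000000000000</variable>
 <variable name="MacAddr">001122334455</variable></listitem>
</list></config>"""
USERDB_CFG = """<config><list name="UsersData">
<listitem><variable name="UUID">7f3431e1-9e1c-406a-ad94-bb851c1e7f01</variable>
 <variable name="Name">j1.s2</variable></listitem>
<listitem><variable name="UUID">6080f412-8a8d-4bfb-8b42-3aae0eb2c534</variable>
 <variable name="Name">Per.Bauer</variable></listitem>
</list></config>"""


def read_list(xml_text, list_name):
    """Return every <listitem> of the named <list> as a dict of its variables."""
    for lst in ET.fromstring(xml_text).iter("list"):
        if lst.get("name") == list_name:
            return [{v.get("name"): (v.text or "").strip()
                     for v in item.findall("variable")}
                    for item in lst.findall("listitem")]
    return []


def audit_autologins(winroute_xml, userdb_xml):
    """Join AutoLogins to UsersData on UUID and classify each entry."""
    names = {u["UUID"]: u["Name"] for u in read_list(userdb_xml, "UsersData")}
    findings = []
    for entry in read_list(winroute_xml, "AutoLogins"):
        login, name = entry["Username"], names.get(entry["UUID"])
        status = "ok"
        if name is None:
            status = "orphaned"        # UUID no longer exists in the user DB
        elif login.split("@")[0].lower() != name.lower():
            status = "name-mismatch"   # same UUID, different account name
        findings.append((status, login, name, entry.get("MacAddr", "")))
    return findings


if __name__ == "__main__":
    print(*audit_autologins(WINROUTE_CFG, USERDB_CFG), sep="\n")
```

Entries reported as `orphaned` or `name-mismatch` are the ones to review by hand, since they correspond to the two symptoms in this thread: automatic logins that survive a deleted account, and logins the Users dialog does not display.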