Authentication doesn't work in my Kerio control 8.6.2 build 3847
  •  
nmm4829

Hi friends


I have encountered a strange problem in Kerio Control 8.6.2 build 3847.
I have newly installed the Kerio Control software appliance in my Hyper-V 2012R2 VM and joined it to my clean Windows 2012R2 domain, and the test domain connection passes successfully.

Prior to doing any modifications in Kerio Control, because of the default "internet Access (NAT) rule", everything is OK and I can browse the internet from any internal computer without any problem, and no authentication occurs.

But I need to modify this behavior so that users are forced to log in at the Kerio login page in order to access the internet.

But after doing two modifications in Kerio Control, now no login page appears and no internet access (IE shows the blank "the page can't be displayed"):

1- In domain and user login, I checked "Always require users to be authenticated"

2- In the default "internet Access (NAT) rule", I removed the "Trusted/Local interfaces" and instead added any of the following groups, but none of them works:

"Authenticated users" or "Domain users" "MyDomainGroup1"

Any help please. Thanks in advance.

[Updated on: Tue, 15 December 2015 15:42]

  •  
Pavel Dobry (Kerio)

Please read http://kb.kerio.com/product/kerio-control/server-configuration-kerio-control/authenticating-users-to-kerio-control-1811.html for more information.

If you redirect users to the firewall login page, make sure that this is allowed by traffic rules and also that clients can resolve the firewall hostname.
  •  
nmm4829

Pavel Dobry (Kerio) wrote on Tue, 15 December 2015 15:48
Please read http://kb.kerio.com/product/kerio-control/server-configuration-kerio-control/authenticating-users-to-kerio-control-1811.html for more information.

If you redirect users to the firewall login page, make sure that this is allowed by traffic rules and also that clients can resolve the firewall hostname.



Thanks. I reviewed that link and all related links. My settings are correct. Clients are able to resolve the hostname & FQDN of Kerio Control.

Here is the odd behaviour: in the default NAT rule, when I add trusted/local interfaces (in addition to "authenticated users"), now:
when I type a name in the address bar (for example www.google.com), the login page appears and I have to log in (what I wanted),
but when I type an IP address in the address bar (for example http://19.168.1.10, which is a web server located in the DMZ), that website opens without any authentication and without the Kerio login page appearing.


I really got confused.

By the way, what traffic rule is needed regarding your sentence:

"If you redirect users to firewall login page, make sure that this is allowed by traffic rules"

If I'm not mistaken, Kerio by default has this requirement and it is not required to create any rule for this purpose (redirecting to the Kerio login web page).

Any further help please.

[Updated on: Tue, 15 December 2015 19:13]

  •  
nmm4829

I designed the full details of my network topology in Visio and attached it here, waiting for help.

To remind: I have a very simple problem, IE is not redirected to the Kerio login page.

After installing Kerio, all clients can browse both the internet and the DMZ web servers.

The only changes after the Kerio Control installation are:

Created a traffic rule to allow DNS queries from (DC+DNS srv) to the internet

In Domains and user login, the "always require users to be authenticated" checkmark has been selected

In the default "internet access (NAT)" rule, in Destination, Kerio's DMZ interface (192.168.1.101) was added

In advanced options, web interface tab:
force SSL is deselected
Web interface is accessible at: http://control101.mykerio.lab:4080

The Control101 record has been created in the DNS database and clients can resolve control101.mykerio.lab to the IP address 10.1.1.101

In the default "internet access (NAT)" rule, in "source", we remove all existing items and instead add only "any authenticated user" or "domain users" or "DomainGroup1"
But when clients want to browse to www.google.com or 192.168.1.20, IE is not redirected to the Kerio login page and instead IE shows the blank "page can't be displayed".

Any help please!

[Updated on: Wed, 16 December 2015 13:57]

  •  
nmm4829

And these are my traffic rule configurations:

  •  
Petr Dobry (Kerio)

Kerio Control redirects automatically only when unauthenticated users are accessing the Internet via HTTP protocol. So you need to enable "always require users to be authenticated" and allow a traffic rule for them (Source: LAN, Destination: Internet interfaces, Service HTTP, Allow, NAT).

Once users are authenticated, your rule with Source: Authenticated users will apply.

Otherwise, users must authenticate on http://control101.mykerio.lab:4080 manually prior to accessing the Internet.

[Updated on: Wed, 16 December 2015 14:16]


Petr Dobry
Product Development Manager | Kerio
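
A simplified model of the behaviour described in the reply above, added here as an illustration; it is not part of the original thread and not Kerio's code. It assumes top-down, first-match rule evaluation with an implicit drop, and the rule names, the `Rule` fields and the `evaluate` and `symptoms` functions are constructed for the example.

```python
# Simplified model of the rule logic in the reply above; not Kerio Control code.
# Assumptions: rules are checked top-down, first match wins, no match = drop.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # "lan" = any LAN host, "authenticated" = logged-in users only
    destinations: frozenset
    services: frozenset    # {"any"} matches every service

def evaluate(rules, dest, service, authenticated, require_auth=True):
    """Return (verdict, rule name) for one connection from a LAN host."""
    for rule in rules:
        if rule.source == "authenticated" and not authenticated:
            continue       # a user-based rule cannot match an unknown host
        if dest not in rule.destinations:
            continue
        if "any" not in rule.services and service not in rule.services:
            continue
        # Redirection only happens for HTTP that some rule already allows.
        if require_auth and not authenticated and service == "http":
            return ("redirect-to-login", rule.name)
        return ("allow", rule.name)
    return ("drop", None)

NAT_RULE = Rule("Internet access (NAT)", "authenticated",
                frozenset({"internet"}), frozenset({"any"}))
HTTP_RULE = Rule("HTTP for login redirect", "lan",
                 frozenset({"internet"}), frozenset({"http"}))

ORIGINAL = [NAT_RULE]             # only the user-based rule: nothing to redirect
FIXED = [HTTP_RULE, NAT_RULE]     # HTTP rule placed above it, as advised

def symptoms(rules):
    """Verdicts for the four cases worth checking on a real firewall."""
    cases = [("http", False), ("https", False), ("http", True), ("https", True)]
    return {(svc, auth): evaluate(rules, "internet", svc, auth)[0]
            for svc, auth in cases}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, symptoms(rules))
```

In this model, HTTPS from an unauthenticated host is still dropped after the fix, which is consistent with the statement that redirection applies only to HTTP.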
  •  
nmm4829

Petr Dobry (Kerio) wrote on Wed, 16 December 2015 14:14
Kerio Control redirects automatically only when unauthenticated users are accessing the Internet via HTTP protocol. So you need to enable "always require users to be authenticated" and allow a traffic rule for them (Source: LAN, Destination: Internet interfaces, Service HTTP, Allow, NAT).

Once users are authenticated, your rule with Source: Authenticated users will apply.

Otherwise, users must authenticate on http://control101.mykerio.lab:4080 manually prior to accessing the Internet.



Hi, thanks.
So I created the rule you mentioned, above my rule.
Now another odd behavior:
when I browse from the DC to the DMZ web server (192.168.1.20), the redirection page appears,
but when I browse from a client to the DMZ web server (192.168.1.20), the DMZ website opens without any authentication (the system shows they accessed it via the NAT rule you mentioned).

Really annoying. I migrated from MS TMG server to Kerio with the hope of eliminating problems, but now there is a new strange problem in Kerio Control as well.


  • Attachment: Capture.PNG
    (Size: 89.18KB, Downloaded 320 times)
  •  
Petr Dobry (Kerio)

When it works from the DC it has to work from a PC in the LAN too. Could it be that users are automatically logged in via NTLM? Check the Active Hosts screen to see if the host is authenticated or not.

Petr Dobry
Product Development Manager | Kerio
  •  
Pavel Dobry (Kerio)

nmm4829, if you need help with configuring Kerio Control, please contact the Kerio partner or reseller where you bought a license. You can also contact our technical support at http://www.kerio.com/support
  •  
nmm4829

Hi again. Unfortunately nobody gave me correct, complete help.

I myself accidentally noticed a very important thing which nobody mentioned here.

In one of the Kerio documents I noticed the correct procedure to reach this goal (especially step 2 below):

Step 1: my first need was for users to be redirected to the login page when accessing the internet or DMZ web servers.

So the correct solution which worked is:

above the default NAT rule, create a rule like this:

source: trusted local interfaces, destination: internet interfaces and DMZ interface, service=http, action=allow, translation=NAT

Step 2 (nobody guided me on this): my second need was a configuration so that only specific users or groups are allowed to browse web servers on the internet or in the DMZ. We must go to content filter\content rules and there create a rule at the topmost level, and in the source we specify the user or group.

Now my final problem is: although in content filter\content rules, at the topmost level, I've specified only a specific domain user or a specific domain group in the "source", the firewall accepts all domain users when they enter their username & password at the firewall login page.

content rule: detected content: any, source: user1@Mydomain.lab or group1@mydomain.lab, action=allow

What can be the problem?

[Updated on: Sat, 19 December 2015 16:34]

  •  
nmm4829

And this is my final content rule.

Any help please?
