VPN Kerberos authentication fail for some users

Messages: 4
Karma: 0
KerioControl 9.2.5 patch 3

AD connected - users authentication against Active Directory/Kerberos.
Working for more than 6 years...

Since last week the customer has experienced weird behaviour.

Some - not all - VPN users are not able to connect to Kerio VPN.
There is no connection between those malfunctioning VPN accounts.
Some of them are like 2 months old while others are 5 years old.
At the same time, some accounts more than 6 years old are connecting w/o any problem.

1) tried to change the password of particular users - no go
2) created brand new user and placed to dedicated group with VPN dial rights - working
3) created new dedicated group - no change
4) verified that both DC and Kerio have the same time
5) Kerio removed from domain, reboot, reinserted back to domain - no go

Security log:
Authentication: VPN Client: Client: xx.xx.xx.xx: Invalid password for NT/Kerberos user hujer

Debug log:
[10/Apr/2018 01:16:08] {vpn} vpnHandler: xx.xx.xx.xx:49673 -> xy.xy.xy.xy:4090, interface: "WAN - eth0"
[10/Apr/2018 01:16:08] {vpn} Peer[xx.xx.xx.xx:49673]: new incoming connection
[10/Apr/2018 01:16:08] {vpn} Peer[xx.xx.xx.xx:49673]: SSL connection established, TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[10/Apr/2018 01:16:08] {vpn} Peer[xx.xx.xx.xx:49673]: remote peer is a client
[10/Apr/2018 01:16:08] {vpnippool} VpnIpPool reference count incremented, count = 3
[10/Apr/2018 01:16:08] {vpnclient} Client[xx.xx.xx.xx:49673](15): service thread registered
[10/Apr/2018 01:16:08] {vpnclient} Client[xx.xx.xx.xx:49673]: client successfully added into list, assigned id = 15
[10/Apr/2018 01:16:08] {vpnclient} Client[xx.xx.xx.xx:49673](15): local TCP address = xy.xy.xy.xy:4090
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): received complete command
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): received VERSION message, version = 4
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): sending VERSION message, version = 4
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): received complete command
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): received USER message, user = hujer
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): sending OK message
[10/Apr/2018 01:16:10] {vpnclient} Client[xx.xx.xx.xx:49673](15): received complete command
[10/Apr/2018 01:16:10] {vpnclient} Client[xx.xx.xx.xx:49673](15): received PASSWD message
[10/Apr/2018 01:16:10] {auth} Krb5: entering auth (user: hujer<_at_>domain.COM)
[10/Apr/2018 01:16:16] {IPsec} TunnelsList|thread: Going to sleep for 60s.
[10/Apr/2018 01:16:19] {vpn} VPN Interface Primary IP address handler: no change (UP
[10/Apr/2018 01:17:06] {auth} kpamauth process is not responding.
[10/Apr/2018 01:17:06] {vpnclient} Client[xx.xx.xx.xx:49673](15): unable to authenticate user 'hujer' - authentication failed.
[10/Apr/2018 01:17:06] {vpnclient} Client[xx.xx.xx.xx:49673](15): sending ERR message, error code = 0
[10/Apr/2018 01:17:06] {vpnippool} VpnIpPool reference count decremented, count = 2
[10/Apr/2018 01:17:06] {vpnclient} Client[xx.xx.xx.xx:49673](15): client erased
[10/Apr/2018 01:17:06] {vpnclient} client removed from maps, 0/0 remaining

Any help would be greatly appreciated
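
An added triage example (not part of the original post and not Kerio code): it pairs each `Krb5: entering auth` line in a debug log with the failure that follows and marks failures preceded by `kpamauth process is not responding`, which in the log above is written 56 seconds after the attempt starts. The second user and its log lines are constructed, and treating a failure without that line as a plain rejection is an assumption.

```python
import re
from datetime import datetime

# First five lines are taken from the debug log in the post above;
# the two "testuser" lines are constructed for contrast.
SAMPLE = """\
[10/Apr/2018 01:16:10] {vpnclient} Client[xx.xx.xx.xx:49673](15): received PASSWD message
[10/Apr/2018 01:16:10] {auth} Krb5: entering auth (user: hujer<_at_>domain.COM)
[10/Apr/2018 01:16:16] {IPsec} TunnelsList|thread: Going to sleep for 60s.
[10/Apr/2018 01:17:06] {auth} kpamauth process is not responding.
[10/Apr/2018 01:17:06] {vpnclient} Client[xx.xx.xx.xx:49673](15): unable to authenticate user 'hujer' - authentication failed.
[10/Apr/2018 01:20:00] {auth} Krb5: entering auth (user: testuser<_at_>domain.COM)
[10/Apr/2018 01:20:01] {vpnclient} Client[xx.xx.xx.xx:50000](16): unable to authenticate user 'testuser' - authentication failed.
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \{(?P<mod>\w+)\} (?P<msg>.*)$")
AUTH_START = re.compile(r"Krb5: entering auth \(user: (?P<user>[^)]+)\)")
AUTH_FAIL = re.compile(r"unable to authenticate user '(?P<user>[^']+)'")
HELPER_STALL = "kpamauth process is not responding"


def classify_failures(log_text):
    """Return one record per failed login: user, seconds waited, likely cause."""
    pending = {}  # short user name -> [auth start time, helper stall seen?]
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        msg = m["msg"]
        if (s := AUTH_START.search(msg)):
            # The forum software rewrote "@" as "<_at_>"; accept both forms.
            short = re.split(r"<_at_>|@", s["user"])[0]
            pending[short] = [ts, False]
        elif HELPER_STALL in msg:
            # The stall line names no user, so flag every auth still in flight.
            for state in pending.values():
                state[1] = True
        elif (f := AUTH_FAIL.search(msg)) and f["user"] in pending:
            start, stalled = pending.pop(f["user"])
            results.append({
                "user": f["user"],
                "waited_s": int((ts - start).total_seconds()),
                "cause": "auth-helper-timeout" if stalled else "rejected",
            })
    return results


if __name__ == "__main__":
    for record in classify_failures(SAMPLE):
        print(record)
```
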

Messages: 14
Karma: -3
Try to update to the latest patch 4 and see if that helps; if not, revert back to the previous version.

Messages: 40
Karma: 1
We are seeing similar behavior with Kerio Control version 9.2.6 build 2720 and Windows Active Directory. Sounds like this might be a bug, should we downgrade to a previous version?
Thanks in advance.

Messages: 12
Karma: 0
I have the same problem

I have used the VPN for years, now I changed my password and I always get "Authentication Failed"! Mad

[Updated on: Wed, 14 November 2018 16:32]
