GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Control » Automatic Login redirection not working with 8.5
icon9.gif  Automatic Login redirection not working with 8.5 [message #119522] Thu, 19 February 2015 09:49 Go to next message
awpross is currently offline  awpross
Messages: 2
Registered: October 2014
Location: Deutschland
We just updated to version 8.5. Now the redirection to the login page is not working any more.

Before the Update:
1. User opens a website which requires login.
2. User is automatically redirected to login page and due to NTLM he is automatically logged in and redirected to the website.


After the Update to 8.5:
1. User opens a website which requires login.
2. User geht's a Message "Access Denied"
3. User can click on "Anmeldeseite" ("Login") on the bottom of the "Access Denied" Page
4. User is now automatically logged in with NTLM and is redireted to the desired webpage



As you can see, this requires some additional steps to complete thje login process which wasn't required prior to 8.5

Is this a bug?? How to restore the old behaviour??

[Updated on: Thu, 19 February 2015 09:50]

Report message to a moderator

Re: Automatic Login redirection not working with 8.5 [message #119586 is a reply to message #119522] Sun, 22 February 2015 13:19 Go to previous messageGo to next message
luca.civinini@ctt is currently offline  luca.civinini@ctt
Messages: 14
Registered: September 2009
Location: System Administrator
I also got this bug after upgrading to 8.5.
Please Kerio Support, tell us if this is an expected behaviour or a bug (luckily I updated one kerio servicing small office - about 60 - not the main one servicing 400 users...)
Re: Automatic Login redirection not working with 8.5 [message #119589 is a reply to message #119586] Sun, 22 February 2015 21:20 Go to previous messageGo to next message
Dmitry Ignatenko is currently offline  Dmitry Ignatenko
Messages: 2
Registered: February 2015
A similar problem. Users log in through a proxy, does not authentificate аutomatic. Others receive access to the Internet is not authorizing.
Re: Automatic Login redirection not working with 8.5 [message #119601 is a reply to message #119589] Mon, 23 February 2015 16:52 Go to previous messageGo to next message
luca.civinini@ctt is currently offline  luca.civinini@ctt
Messages: 14
Registered: September 2009
Location: System Administrator
Kerio Support, are you there?!?!?
Please tell us if we're missing something or a possible workaround. I've a branch office browsing the net without any control and this is really BAD.

Please do not leave us alone!
Re: Automatic Login redirection not working with 8.5 [message #119619 is a reply to message #119522] Tue, 24 February 2015 05:21 Go to previous messageGo to next message
mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney
Started my dusts covered Active Directory Domain Controller just for this post.

I cannot replicate it, Firefox logged in straight away and the user can be seen in Active Hosts.

./fa/3760/0/

Enabled "User Authentication" in Debug log:
[24/Feb/2015 15:15:30] {auth} user lookup: adboy<_at_>what.ever
[24/Feb/2015 15:15:30] {auth} NTLM successfully authenticated user adboy<_at_>what.ever
[24/Feb/2015 15:15:30] {auth} User adboy<_at_>what.ever authenticated from 10.10.10.10 using NTLM

Any more info can help troubleshooting?

M.
  • Attachment: ad.png
    (Size: 5.80KB, Downloaded 3256 times)


PTSD. BP. OCD. ASPD. BPD. Certified.
Re: Automatic Login redirection not working with 8.5 [message #119625 is a reply to message #119619] Tue, 24 February 2015 11:54 Go to previous messageGo to next message
luca.civinini@ctt is currently offline  luca.civinini@ctt
Messages: 14
Registered: September 2009
Location: System Administrator
This is my configuration:
1) Kerio control joined to an AD2008 Domain (but I think AD version is not important)
2) Traffic rule allowing access from any trusted interface to the internet using FTP and HTTP with default protocol inspection
3) Content filter rules:
1. Rule to allow unauthenticated access to some sites
2. Tule to allow internet access from user belonging to a specific AD Group
3. Deny rule with a warning message ("please call IT Support to get Internet access")
4. the built-in allow rule

Before upgrading to 8.5 users were redirected to the automatic login page and, after login, redirected to the requested page.
Now users are getting the page "Please call IT support to get Internet Access" followed by LOGIN button. If they press LOGIN they are correctly authenticated.

Using Google Chrome as well as IE as browser (no firefox here by policy).
Am I missing something in my config?
Thanks
Re: Automatic Login redirection not working with 8.5 [message #119626 is a reply to message #119625] Tue, 24 February 2015 12:15 Go to previous messageGo to next message
luca.civinini@ctt is currently offline  luca.civinini@ctt
Messages: 14
Registered: September 2009
Location: System Administrator
Some other discovery...
On a working setup, when I go to http://www.some.where, I got redirected to http://my_kerio_server:4080/login/?dest=(some_long_string).

In the not working setup, when I go to http://www.some.where, I got redirected to http://ko_kerio_server:4080/nonauth/deny.php?dest=(some_long_string)
Re: Automatic Login redirection not working with 8.5 [message #119627 is a reply to message #119626] Tue, 24 February 2015 12:36 Go to previous messageGo to next message
luca.civinini@ctt is currently offline  luca.civinini@ctt
Messages: 14
Registered: September 2009
Location: System Administrator
Just to clarify. What is not working is the AUTOMATIC LOGIN using AD credentials.
If I manually click on the LOGIN link in the deny page things works ok.
Re: Automatic Login redirection not working with 8.5 [message #119649 is a reply to message #119627] Wed, 25 February 2015 00:28 Go to previous messageGo to next message
mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney
Tried enabling user authentication in debug log? What's the result?

M.


PTSD. BP. OCD. ASPD. BPD. Certified.
Re: Automatic Login redirection not working with 8.5 [message #119653 is a reply to message #119649] Wed, 25 February 2015 08:57 Go to previous messageGo to next message
Dmitry Ignatenko is currently offline  Dmitry Ignatenko
Messages: 2
Registered: February 2015
Enable debug authentication.

If connect through a proxy:

[25/Feb/2015 10:14:37] {auth} NTLM successfully authenticated user d.ignatenko<_at_>vrgaz.ru
[25/Feb/2015 10:14:37] {auth} User D.Ignatenko<_at_>vrgaz.ru authenticated from 10.4.136.31 using NTLM
[25/Feb/2015 10:14:58] {auth} Krb5: entering auth (user: D.Ignatenko<_at_>VRGAZ.RU)
[25/Feb/2015 10:14:59] {auth} Krb5: user D.Ignatenko<_at_>VRGAZ.RU authenticated.
[25/Feb/2015 10:14:59] {auth} Krb5: user D.Ignatenko authenticated.

If connect through a NAT:
Log empty, but im access to the Internet
Re: Automatic Login redirection not working with 8.5 [message #119660 is a reply to message #119649] Wed, 25 February 2015 18:17 Go to previous messageGo to next message
luca.civinini@ctt is currently offline  luca.civinini@ctt
Messages: 14
Registered: September 2009
Location: System Administrator
Hello,
attached some info about my rules.
Please note that NTLM in itself works. What is missing is the AUTOMATIC REDIRECTION to the login page (the page which says "Redirecting to login page, please wait a few seconds... If you are not redirected, click on this link")

Here is the authentication debug part:

[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] connect to www.symantec.com
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] connection established
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] response: HTTP/1.1 301 Moved Permanently
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] User not found for IP 192.168.xxx.yyyy in url_check()
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] URL not categorized, webfilter is not activated or guest traffic.
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] DENY content rule '[auth] Deny access with warning' GET http://www.symantec.com/
[25/Feb/2015 18:07:44] {http_handler} [ 141952 ] redirecting to /nonauth/deny.php




Then this is the part when I click the "login button"
[25/Feb/2015 18:08:06] {auth} empty NT domain name, user found in my_domain.fqdn
[25/Feb/2015 18:08:06] {auth} user lookup: my_user<_at_>my_domain.fqdn
[25/Feb/2015 18:08:06] {auth} NTLM successfully authenticated user my_user<_at_>my_domain.fqdn
[25/Feb/2015 18:08:06] {auth} User my_user<_at_>my_domain.fqdn authenticated from 192.168.xxx.yyyy using NTLM
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] New request 192.168.xxx.yyyy:2947 -> 23.223.67.127:80
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in request_read_header()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in url_check()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] URL not categorized, webfilter is not activated or guest traffic.
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] URL rules need content check.
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] request /
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] connect to www.symantec.com
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] connection established
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] response: HTTP/1.1 301 Moved Permanently
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in url_check()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] URL not categorized, webfilter is not activated or guest traffic.
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] ALLOW content rule '[auth] Authenticated Internet access' GET http://www.symantec.com/
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] persisting connection; server count: 1, client count: 1
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in request_read_header()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] Found user my_user<_at_>my_domain.fqdn for IP 192.168.xxx.yyyy in url_check()
[25/Feb/2015 18:08:06] {http_handler} [ 141953 ] URL not categorized, webfilter is not activated or guest traffic.
Re: Automatic Login redirection not working with 8.5 [message #119759 is a reply to message #119522] Tue, 03 March 2015 20:17 Go to previous messageGo to next message
rjokl is currently offline  rjokl
Messages: 62
Registered: August 2005
This is confirmed a bug and will be fixed in 8.5.1, release is scheduled next week. As a workaround you can change the certificate used for web interface to e.g. one generated by Control.
Re: Automatic Login redirection not working with 8.5 [message #119890 is a reply to message #119759] Tue, 10 March 2015 09:37 Go to previous messageGo to next message
tomislav.parcina is currently offline  tomislav.parcina
Messages: 39
Registered: February 2014
Location: HR - 21000 Split
rjokl wrote on Tue, 03 March 2015 20:17
This is confirmed a bug and will be fixed in 8.5.1, release is scheduled next week. As a workaround you can change the certificate used for web interface to e.g. one generated by Control.


Hi rjokl,

thank you for your mail.

Can anybody from Kerio confirm this? Is there publicly available bug tracker where we can see the details about the bug?

Best regards.


--
Tomislav Parčina
Re: Automatic Login redirection not working with 8.5 [message #119899 is a reply to message #119890] Tue, 10 March 2015 15:29 Go to previous messageGo to next message
Kerio/GFI Brian is currently offline  Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
We don't publish open bugs. However, we do note bug fixes in the release notes. 8.5.1 was released today, and the fix for this issue is included in the release notes http://www.kerio.com/support/kerio-control/release-history

Brian Carmichael
Instructional Content Architect
Re: Automatic Login redirection not working with 8.5 [message #119926 is a reply to message #119899] Wed, 11 March 2015 13:49 Go to previous messageGo to previous message
tomislav.parcina is currently offline  tomislav.parcina
Messages: 39
Registered: February 2014
Location: HR - 21000 Split
I have upgraded to 8.5.1 but I'm still experiencing the problem.

My setup:
- Windows 7 computers.
- Windows 2008 R2 domain
- Kerio Control 8.5.1

When user opens a web page that is allowed with this rule:
Source: Authenticated users
Destination: Internet interfaces
Service: HTTP and HTTPS
Action: Allow
And if user isn't authenticated with the Kerio Control (KC), KC wont' allow the user to open the requested web page, and won't redirect him to the login page.

Can someone else confirm that the update didn't solve this issue?

Best regards.


--
Tomislav Parčina
Previous Topic: Find Control Box 3120 MAC addresses
Next Topic: Login redirection for non-standard port
Goto Forum:
  


Current Time: Fri Feb 03 14:18:08 CET 2023

Total time taken to generate the page: 0.02254 seconds