GFI Software Aurea SMB Solutions


Home » GFI User Forums » Kerio Control » Authentication doesn't work in my Kerio control 8.6.2 build 3847
Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126424] Tue, 15 December 2015 15:41 Go to next message
nmm4829 is currently offline  nmm4829
Messages: 32
Registered: November 2015
./fa/4141/0/Hi friends


i have encountered an strange problem in Kerio control 8.6.2 build 3847
i have newly installed kerio control software appliance into my hyper-v 2012R2 VM and joined it to my clean windows 2012R2 domain and test domain connection passes successfully.

prior to doing any modifications in kerio control, because of default "internet Access (NAT) rule", everything is ok and i can browse internet from any internal computer without any problem and no authentication occurs.

but i need to modify this behavior so that users be forced to login at kerio login page in order to access internet.

but after doing two modifications in kerio control, now no login page appears and internet access (IE shows the blank "the page can't be displayed":

1- in domain and user login, i checked "Always require users to be authenticated"

2- in default "internet Access (NAT) rule", i removed the "Trusted/Local interfaces" and instead i added any of the following groups but no one works

"Authenticated users" or "Domain users" "MyDomainGroup1"

any help please. thanks in advanced

[Updated on: Tue, 15 December 2015 15:42]

Report message to a moderator

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126427 is a reply to message #126424] Tue, 15 December 2015 15:48 Go to previous messageGo to next message
Pavel Dobry (Kerio) is currently offline  Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
Please read http://kb.kerio.com/product/kerio-control/server-configurati on-kerio-control/authenticating-users-to-kerio-control-1811. html for more informations.

If you redirect users to firewall login page, make sure that this is allowed by traffic rules and also that clients can resolve firewall hostname.


Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126435 is a reply to message #126427] Tue, 15 December 2015 19:09 Go to previous messageGo to next message
nmm4829 is currently offline  nmm4829
Messages: 32
Registered: November 2015
Pavel Dobry (Kerio) wrote on Tue, 15 December 2015 15:48
Please read http://kb.kerio.com/product/kerio-control/server-configurati on-kerio-control/authenticating-users-to-kerio-control-1811. html for more informations.

If you redirect users to firewall login page, make sure that this is allowed by traffic rules and also that clients can resolve firewall hostname.



thanks. i reviewed that link and all related links.my settings are correct. clients are able to resolve the hostname & FQDN of kerio control.

here odd behaviour. in default NAT rule, when i add trusted/local interfaces (in addition of authenticated users", now :
when i type a name in address bar (for example www.google.com), the login page is appeared & i had to login (what i wanted)
but when i type in ip address at the address bar (for example http://19.168.1.10 which is a web server located in DMZ), that website is opened without any authentication & without kerio login page appear.


i really got confused.

by the way, what traffic rule is needed about your sentence:

"If you redirect users to firewall login page, make sure that this is allowed by traffic rules"

if i don't mistake, kerio by default has this requirement and it is not required to create any rule for this purpose (redirecting to kerio login web page)

any furtur help please

[Updated on: Tue, 15 December 2015 19:13]

Report message to a moderator

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126453 is a reply to message #126424] Wed, 16 December 2015 13:45 Go to previous messageGo to next message
nmm4829 is currently offline  nmm4829
Messages: 32
Registered: November 2015
i designed the full details about my network topology via Visio and attach it here, waiting for help.

to remind: i have a very simple problem, IE is not redirected to kerio login page

after installing kerio, all clients can browse both internet and DMZ web servers.

Only changes after kerio control installation are:

Created a traffic rule to allow DNS queries from (DC+DNS srv) to internet

In Domains and user login, the "always require users to be authenticated" checkmark has been selected

In default "internet access (NAT)" rule, in Destination, Kerio's DMZ interface (192.168.1.101) added

In advanced options, web interface tab:
force SSL is deselected
Web interface is accessible at: http://control101.mykerio.lab:4080

Control101 record has been created in DNS database and clients can resolve control101.mykerio.lab to ip address of 10.1.1.101

In default "internet access (NAT)" rule, in "source", we remove all existing items and instead we add only "any authenticated user" or "domain users" or "DomainGroup1"
But when clients want to browse to www.google.com or 192.168.1.20, IE is not redirected to kerio login page and instead IE shows the blank page can't be displayed.

any help please !

[Updated on: Wed, 16 December 2015 13:57]

Report message to a moderator

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126454 is a reply to message #126424] Wed, 16 December 2015 14:00 Go to previous messageGo to next message
nmm4829 is currently offline  nmm4829
Messages: 32
Registered: November 2015
and these are my traffic rules configurations:
Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126455 is a reply to message #126454] Wed, 16 December 2015 14:14 Go to previous messageGo to next message
Petr Dobry (Kerio) is currently offline  Petr Dobry (Kerio)
Messages: 405
Registered: November 2003

Kerio Technologies
Kerio Control redirects automatically only when unauthenticated users are accessing the Internet via HTTP protocol. So you need to enable "always require users to be authenticated" and allow a traffic rule for them (Source: LAN, Destination: Internet interfaces, Service HTTP, Allow, NAT).

Once users are authenticated, your rule with Source: Authenticated users will apply.

Otherwise, users must authenticate on http://control101.mykerio.lab:4080 manually prior to accessing the Internet.


Petr Dobry
Product Development Manager | Kerio

[Updated on: Wed, 16 December 2015 14:16]

Report message to a moderator

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126491 is a reply to message #126455] Wed, 16 December 2015 23:34 Go to previous messageGo to next message
nmm4829 is currently offline  nmm4829
Messages: 32
Registered: November 2015
Petr Dobry (Kerio) wrote on Wed, 16 December 2015 14:14
Kerio Control redirects automatically only when unauthenticated users are accessing the Internet via HTTP protocol. So you need to enable "always require users to be authenticated" and allow a traffic rule for them (Source: LAN, Destination: Internet interfaces, Service HTTP, Allow, NAT).

Once users are authenticated, your rule with Source: Authenticated users will apply.

Otherwise, users must authenticate on http://control101.mykerio.lab:4080 manually prior to accessing the Internet.



Hi thanks.
so i created the rule you mentioned, above my rule
now another odd behavior:
when from DC i browse to DMZ web server (192.168.1.20), redirection page appears
but when from client browse to DMZ web server (192.168.1.20), the DMZ website opens without any authentication ( system shows they accessed via NAT rule you mentioned)

really annoying.i migrated from MS TMG server to Kerio with the hope of eliminating problems, but now new strange problem in kerio control as well.


  • Attachment: Capture.PNG
    (Size: 89.18KB, Downloaded 602 times)
Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126492 is a reply to message #126491] Wed, 16 December 2015 23:49 Go to previous messageGo to next message
Petr Dobry (Kerio) is currently offline  Petr Dobry (Kerio)
Messages: 405
Registered: November 2003

Kerio Technologies
When it works from DC it has to work from PC in LAN too. Could it be that users are automatically logged in via NTML ? Check Active Hosts screen to see if the host is authenticated or not.

Petr Dobry
Product Development Manager | Kerio
Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126493 is a reply to message #126492] Thu, 17 December 2015 00:16 Go to previous messageGo to next message
Pavel Dobry (Kerio) is currently offline  Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
nmm4829, if you need a help with configuring Kerio Control, please contact Kerio partner or reseller where you bought a license. You can also contact our technical support at http://www.kerio.com/support

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126574 is a reply to message #126424] Sat, 19 December 2015 16:19 Go to previous messageGo to next message
nmm4829 is currently offline  nmm4829
Messages: 32
Registered: November 2015
Hi again. unfortunately nobody gave me a correct complete help.

i myself accidentally noticed a very important thing which nobody mentioned here.

in one of the kerio documentations i noticed the correct procedure to reach this goal (specially step 2 below):

step 1: my first need was users be redirected to login page when accessing internet or DMZ web servers

so the correct solution which worked is : Smile

above the default NAT rule, creating such rule:

source:trusted local interfaces, destination:internet interfaces and DMZ interface , service= http, action=allow, translation=NAT

step 2 : (nobody guide me this:) my second need was doing a configuration so that only specific users or groups be allowed to browse web servers in internet or DMZ, we must go to content filter\content rules and there we must create a rule at topmost level and in the source, we specify the user or group

now my final problem is, although in content filter\content rules, at the topmost level, I've specified only a specific domain user or a specific domain group in the "source", but firewall accepts all domain users are when they enter their username & password at firewall login page.

content rule: detected content:any source:user1@Mydomain.lab or group1<_at_>mydomain.lab , action=allow

what can be the problem ? Sad

[Updated on: Sat, 19 December 2015 16:34]

Report message to a moderator

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #126575 is a reply to message #126424] Sat, 19 December 2015 16:36 Go to previous messageGo to next message
nmm4829 is currently offline  nmm4829
Messages: 32
Registered: November 2015
and this is my final content rule.

any help please ?

Re: Authentication doesn't work in my Kerio control 8.6.2 build 3847 [message #144898 is a reply to message #126424] Sun, 27 January 2019 07:10 Go to previous message
girl0xinh is currently offline  girl0xinh
Messages: 1
Registered: September 2011
Are you buy license??
Previous Topic: Internet speed slow down after server reset
Next Topic: Permited content still being blocked
Goto Forum:
  


Current Time: Wed Nov 20 05:13:16 CET 2019

Total time taken to generate the page: 0.04514 seconds