GFI Software Aurea SMB Solutions


Home » GFI User Forums » Kerio Control » VPN Kereberos authentication fail for some users
VPN Kereberos authentication fail for some users [message #139306] Tue, 10 April 2018 01:26 Go to next message
koxman is currently offline  koxman
Messages: 4
Registered: January 2016
Location: CZ
KerioControl 9.2.5 patch 3

AD connected - users authentication against Active Directory/Kerberos.
Working for more than 6 years...

Since last week customer experienced weird behaviour.

Some - not all - VPN users are not able to connect to kerio VPN.
There is no connection between that malfunctioning VPN accounts.
Some of them are like 2 months old while others are 5 years old.
Same time - some account more than 6 years old are connecting w/o any problem.


1) tried to change the password of particular users - no go
2) created brand new user and placed to dedicated group with VPN dial rights - working
3) created new dedicated group - no change
4) verified that both DC and Kerio has same time
5) Kerio removed from domain, reboot, reinsterted back to domain - no go

Seucrity log:
Authentication: VPN Client: Client: xx.xx.xx.xx: Invalid password for NT/Kerberos user hujer

Debug log:
[10/Apr/2018 01:16:08] {vpn} vpnHandler: xx.xx.xx.xx:49673 -> xy.xy.xy.xy:4090, interface: "WAN - eth0"
[10/Apr/2018 01:16:08] {vpn} Peer[xx.xx.xx.xx:49673]: new incoming connection
[10/Apr/2018 01:16:08] {vpn} Peer[xx.xx.xx.xx:49673]: SSL connection established, TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[10/Apr/2018 01:16:08] {vpn} Peer[xx.xx.xx.xx:49673]: remote peer is a client
[10/Apr/2018 01:16:08] {vpnippool} VpnIpPool reference count incremented, count = 3
[10/Apr/2018 01:16:08] {vpnclient} Client[xx.xx.xx.xx:49673](15): service thread registered
[10/Apr/2018 01:16:08] {vpnclient} Client[xx.xx.xx.xx:49673]: client successfully added into list, assigned id = 15
[10/Apr/2018 01:16:08] {vpnclient} Client[xx.xx.xx.xx:49673](15): local TCP address = xy.xy.xy.xy:4090
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): received complete command
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): received VERSION message, version = 4
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): sending VERSION message, version = 4
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): received complete command
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): received USER message, user = hujer
[10/Apr/2018 01:16:09] {vpnclient} Client[xx.xx.xx.xx:49673](15): sending OK message
[10/Apr/2018 01:16:10] {vpnclient} Client[xx.xx.xx.xx:49673](15): received complete command
[10/Apr/2018 01:16:10] {vpnclient} Client[xx.xx.xx.xx:49673](15): received PASSWD message
[10/Apr/2018 01:16:10] {auth} Krb5: entering auth (user: hujer<_at_>domain.COM)
[10/Apr/2018 01:16:16] {IPsec} TunnelsList|thread: Going to sleep for 60s.
[10/Apr/2018 01:16:19] {vpn} VPN Interface Primary IP address handler: no change (UP 172.26.99.1/255.255.255.0)
[10/Apr/2018 01:17:06] {auth} kpamauth process is not responding.
[10/Apr/2018 01:17:06] {vpnclient} Client[xx.xx.xx.xx:49673](15): unable to authenticate user 'hujer' - authentication failed.
[10/Apr/2018 01:17:06] {vpnclient} Client[xx.xx.xx.xx:49673](15): sending ERR message, error code = 0
[10/Apr/2018 01:17:06] {vpnippool} VpnIpPool reference count decremented, count = 2
[10/Apr/2018 01:17:06] {vpnclient} Client[xx.xx.xx.xx:49673](15): client erased
[10/Apr/2018 01:17:06] {vpnclient} client removed from maps, 0/0 remaining

Any help would be greatly appreciated
Re: VPN Kereberos authentication fail for some users [message #139386 is a reply to message #139306] Sun, 15 April 2018 20:51 Go to previous messageGo to next message
Rome
Messages: 14
Registered: March 2018
Location: Cairo, Egypt
Try to update to the latest patch 4, and see if that helps, if not revert back to the previous version
Re: VPN Kereberos authentication fail for some users [message #140058 is a reply to message #139386] Fri, 01 June 2018 19:36 Go to previous messageGo to next message
billbrigg is currently offline  billbrigg
Messages: 40
Registered: February 2013
We are seeing similar behavior with Kerio Control version 9.2.6 build 2720 and Windows Active Directory. Sounds like this might be a bug, should we downgrade to a previous version?
Thanks in advance.
Re: VPN Kereberos authentication fail for some users [message #144434 is a reply to message #140058] Wed, 14 November 2018 16:31 Go to previous message
satzinger is currently offline  satzinger
Messages: 12
Registered: December 2005
I have the same problem

I have used the VPN for years, no I changed my password and I always get "Authentication Failed"! Mad

[Updated on: Wed, 14 November 2018 16:32]

Report message to a moderator

Previous Topic: Control Registration failed via key
Next Topic: Error Join Domain
Goto Forum:
  


Current Time: Thu Aug 06 00:18:58 CEST 2020

Total time taken to generate the page: 0.03244 seconds