[8.910][BUG] HTML5 VPN Domain Users

VPN connections don't come up when I have an Active Directory user group selected as authorized users in the HTML5 VPN portal.

I have a terminal services connection that is valid for all domain users. When they log in, there is no option to connect to the terminal server. If I log in as admin, it is there.

I have verified that the users are in the group, and the group is in the allowed users fields.

Parents

0 kbr over 13 years ago

Hi Rx7TyreBurna,

had a chat with the developers today. There have been a few general fixes in the HTML5 VPN Portal regarding the authentication against backend servers. I don't have a Mantis ID for this, but the developers are pretty sure that it will be fixed with the upcoming beta 8.920, so can you please retest it with the next release and report back whether it works or not?

Cheers,
Kai
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 NathanCole over 13 years ago in reply to kbr

Yup, in 8.920, it works perfectly. [:)]

Thank you!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 cziel over 13 years ago in reply to NathanCole

Hi Rx7TyreBurna,

that's great news to hear. Thank you for re-testing and getting back to us.
I'll mark this thread as ANSWERED.

Cheers,
Cristof
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 cziel over 13 years ago in reply to NathanCole

Hi Rx7TyreBurna,

that's great news to hear. Thank you for re-testing and getting back to us.
I'll mark this thread as ANSWERED.

Cheers,
Cristof
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 sliss_01 over 13 years ago in reply to cziel

Hi there,

it is working with active directory users & local users, but not with users synced from AD.

In AD I added a group for HTML5 VPN users and added my user sliss. After syncing it onto the UTM i am able to log into user portal with the user but html vpn 5 window is closing after a few seconds.

Logging says:
2012:03:30-10:18:57 utmv9-1 screenmgr[4734]: Client 6: authenticated: user='sliss'
2012:03:30-10:18:57 utmv9-1 screenmgr[4734]: Client 6: 403: Forbidden: user "REF_AaaUseSliss" may not access service ID "REF_CliConVaddc"

Stefan
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 cziel over 13 years ago in reply to sliss_01
Hi sliss,

does the issue still persist? If so, could you please do the following:

Open an SSH connection to your UTM
Go to /var/mdw/scripts/
Edit the file screenmgr at line 43 -> add the argument " -g" at the end of the line, so that it reads: startproc /usr/sbin/screenmgr.plx -g
Restart the screenmgr service via /var/mdw/scripts/screenmgr restart

After those steps there'll be much more connection and debugging information in /var/log/clientlessvpn.log, /var/log/confd.log and /var/log/confd-debug.log. Please post the log output.

Thanks,
Cristof
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 FrancWest over 13 years ago in reply to cziel

I added the -g option, but the logs don't show any more info:

2012:04:04-23:24:26 firewall screenmgr[24602]: Client 0: authenticated: user='franc'
2012:04:04-23:24:27 firewall screenmgr[24602]: user 'REF_AaaUseFranc' uses backend authentication
2012:04:04-23:24:27 firewall screenmgr[24602]: Client 0: 403: Forbidden: user "REF_AaaUseFranc" may not access service ID "REF_CliConTest"
2012:04:04-23:24:38 firewall screenmgr[24602]: Client 0: disconnected: Broken pipe

2012:04:04-23:24:26 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="update_traceable_system"
2012:04:04-23:24:26 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="trace_system"
2012:04:04-23:24:27 firewall confd[24601]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="screenmgr" lock="none" method="get"
2012:04:04-23:24:27 firewall confd[24601]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="screenmgr" lock="none" method="get_object"
2012:04:04-23:24:27 firewall confd[24601]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="screenmgr" lock="none" method="get_object"
2012:04:04-23:24:27 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="list_sessions"
2012:04:04-23:24:27 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="list_sessions"
2012:04:04-23:24:28 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="update_traceable_system"
2012:04:04-23:24:28 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="trace_system"
2012:04:04-23:24:28 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="list_sessions"
2012:04:04-23:24:28 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="list_sessions"
2012:04:04-23:24:29 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="update_traceable_system"
2012:04:04-23:24:29 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="trace_system"
2012:04:04-23:24:29 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="list_sessions"
2012:04:04-23:24:29 firewall confd[23325]: D sys::AUTOLOAD:298() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="192.168.1.50" facility="webadmin" client="index.plx" lock="none" method="list_sessions"

p.s. the startproc line is at line 37 in 8.920

Franc
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 FrancWest over 13 years ago in reply to FrancWest

I changed the user to a locally authenticated user and then I get the error shown in the screenshot.

The logfile shows:

2012:04:04-23:37:40 firewall screenmgr[24602]: Client 2: 400: Bad Request: argument format error

Franc.
- Capture.JPG
- View
- Hide
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 quasar3c279 over 13 years ago in reply to FrancWest

Hi,

same Problem here:


2012:04:05-09:53:11 fw-1 screenmgr[17696]: Client 1: authenticated: user='mtechel'

2012:04:05-09:53:12 fw-1 screenmgr[17696]: Client 1: 403: Forbidden: user "REF_fkOcnOxZBa" may not access service ID "REF_CliConTkanlage"

2012:04:05-09:53:14 fw-1 screenmgr[17696]: Client 1: disconnected: Broken pipe

User is authenticated via AD, it worked with 8.910.