Browser user/pass popup when accessing K1000 box
We recently updated our K1000 machine, and afterwards errors appeared when logging in with the browser. When using user or admin interface it failes and prompts with the following security question (in edge, chrome and firefox).
The url has sso/index.php in it. When cancelling this box, the default kace login prompt is asked and when entering credentials we can login.
When testing the ldap settings, it is ok.
When checking the logs i see in the server error logs:
[auth_vas4:error] [pid 97206:tid 34382624000] [client *******5:57486] initialize_user: Failed to initialize user for user@upn: No error message available
and in the user authenticated log:
[2020-05-04 12:03:31 +0200] AUTH [info] user - ******* - adminui - Default - LDAP - success
[2020-05-04 12:03:31 +0200] AUTH [info] user - ******* - adminui - Default - systemui Local Authentication - failed
I do not know if these messages has anything to do with it, but it shows the ldap authentication is working.
When i enter credentials in the popup of the browser, the page is not shown (This page can’t be displayed), when refreshing the page, the login page of the appliance is shown and we can login with ldap credentials.
Can you help to troubleshoot.
Thanks in advance.
Answers (4)
It appears that you may have SSO enabled in Settings › Control Panel › Security Settings.
Have you verified the SSO settings or disabled SSO to see if the issue goes away?
Comments:
-
Thanks, but when i disable the settings here, i need to use local accounts. I do want to use Active directory accounts, so shouldn't i keep the single sign on enabled here? - bleeuwen 4 years ago
-
SSO is now disabled and the errors is not there anymore. Only issue is that we do need to login now (better then a login popup or error) - bleeuwen 4 years ago
We are trying to unjoin/join the domain again. But we are running into issues. The unjoin does not work and gives the following error: KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm. Reason: unable to reach any KDC in realm ****
Network settings have been setup right and the server should be able to connect to the DC's (otherwise we can't use LDAP i guess). I can't find the machine in the domain. Is this because the machine unjoined but isn't aware of it?
KRB5_KDC_UNREACH May be a DNS issue.
You may want to verify that you are using the correct DNS server in your network setting in the appliance and that it is reachable from the SMA.
Comments:
-
They should be reachable, but how can i check this within the K1000? LDAP authorizations and other functions are working fine, therefore i recon the network should not be a problem. - bleeuwen 4 years ago
Top Answer
With the help of support we figured it out. We ended up in rejoining the machine into the AD, and adding a second serverprincipalname to the supportdesk-http account. After that the SSO was working.
Thanks for your help!