How to use a Windows Active Directory Group Policy Object (GPO) to log users on to and off from Kerio Control automatically

Kerio Control can use NTLM authentication to log users on to the firewall automatically when they are logged on to Windows Active Directory. It is possible to create a Group Policy Object containing scripts that log users on to and off from Kerio Control.

NOTE

This article was based on Active Directory running on a Microsoft Windows Server 2008 Domain Controller.

Details

  1. Connect to your domain controller. Go to Start > Administrative Tools > Group Policy Management.

  1. Select the domain. After that, select Action > Create a GPO in this domain, and Link it here....

  1. Give an appropriate name to this object.

  1. After creating the object, select Action > Edit....

  1. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone.

  1. Select Logon options with a double-click, enable it and change the option to Automatic logon with current username and password. Apply these changes.

  1. Select User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).

  1. Select Logon with a double-click and click Add....

  1. Click Browse....

  1. Create two files: logon.vbs and logon.bat. Use the sample code below for reference, changing the logon script path:

     logon.vbs

         ' Open a hidden Internet Explorer window.
         Dim oIE
         Set oIE = CreateObject("InternetExplorer.Application")
         oIE.Visible = False
         oIE.Fullscreen = False
         oIE.Toolbar = True
         oIE.Statusbar = True
         ' Load a web page so the browser authenticates to Kerio Control.
         oIE.Navigate "http://www.google.com/"
         ' Wait 30 seconds for the request to complete, then close the browser.
         WScript.Sleep 30000
         oIE.Quit

     logon.bat

         cscript //nologo \\domain\sysvol\..\logon.vbs

  1. Select logon.bat with a double-click and click OK.

  1. Select Logoff with a double-click and click Add....

  1. Click Browse....

  1. Create two files: logoff.vbs and logoff.bat. Use the sample code below for reference, changing the logoff script path:

     logoff.vbs

         ' Open a hidden Internet Explorer window.
         Dim oIE
         Set oIE = CreateObject("InternetExplorer.Application")
         oIE.Visible = False
         oIE.Fullscreen = False
         oIE.Toolbar = True
         oIE.Statusbar = True
         ' Request the Kerio Control logout page.
         oIE.Navigate "http://<Kerio Control Server IP address>:4081/internal/logout"
         ' Wait 30 seconds for the request to complete, then close the browser.
         WScript.Sleep 30000
         oIE.Quit

     logoff.bat

         cscript //nologo \\domain\sysvol\..\logoff.vbs

  1. Select logoff.bat with a double-click and click OK.

  1. Double-check GPO settings and close Group Policy Management.

  1. Open Kerio Control Web Administration Interface. Go to Advanced Options and disable Force SSL secured connection (recommended). Apply this change.

IMPORTANT DISCLAIMER:

Disabling this option avoids the browser message "website's security certificate contains invalid information" and allows Kerio Control to authenticate users with NTLM even if the SSL certificate is not trusted on the local machine (e.g. in the case of a self-signed SSL certificate). At the same time, this can be a security risk because users send their credentials to the Kerio Control server in plain-text format over an unencrypted channel.

Correct encrypted communication requires a trusted, signed SSL certificate for the URL of the Kerio Control web interface.

  1. Go to Users and Groups > Domains and User Login and enable Always require users to be authenticated when accessing web pages and Enable user authentication performed automatically by web browsers. Apply these changes.
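
The disclaimer above states that encrypted communication needs a trusted, signed SSL certificate for the URL of the Kerio Control web interface. The PowerShell check below is an added example (not part of the original article and not Kerio's own tooling) that reports, from a domain workstation, whether that certificate is trusted and matches the host name. The function name, the host name `control.example.local` and the use of port 4081 for HTTPS are assumptions to replace with your own values.

```powershell
# Added example. Function name, host name and port are assumptions, not article values.
function Test-KerioCertificateTrust {
    param(
        [Parameter(Mandatory)] [string] $HostName,  # name users type in the URL
        [Parameter(Mandatory)] [int]    $Port       # HTTPS port of the web interface
    )
    $state = @{ Errors = $null; Chain = @() }
    # The callback only records what Windows decided about the certificate and
    # lets the handshake finish so it can be inspected. No data is sent.
    $recorder = {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $recorder

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                SelfSigned   = ($cert.Subject -eq $cert.Issuer)
                NotAfter     = $cert.NotAfter
                # None = chain is trusted and the name matches $HostName
                PolicyErrors = $state.Errors
                ChainStatus  = ($state.Chain -join ', ')
                Trusted      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

# Placeholder values: replace with the name and HTTPS port of your Kerio Control.
Test-KerioCertificateTrust -HostName 'control.example.local' -Port 4081
```

If `Trusted` is `True` on the workstations the GPO applies to, browsers accept the certificate without a warning. `RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors` in `PolicyErrors` point to the name or the issuing CA as the part to fix.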