
Thread: Error 401 when using Spnego authentication

  1. #1

    Hi,


    I have a problem regarding SSO authentication.
    I downloaded the Zimbra appliance version 8.0.0_GA_5434 (2012-09-10) and installed it inside a virtual machine. Then I configured my bind settings, so I can now log in to the web client using my Active Directory credentials.

    My next task would be to get single sign on working, so I can enter the webclient without having to enter my password. I found the admin guide and followed appendix B (please scroll down for exact information), but it is not working.
    When I start the webclient using the hostname of my zimbra server (https://zimbratest.mydom.net), I receive an "internal error 500". When I use the IP instead, I come to the normal login screen.

    Using the forum search, I found this thread:
    http://www.zimbra.com/forums/virtual...appliance.html
    I followed the suggestion and set zimbraWebClientLoginURL to '../service/spnego'. Now I get error 401 (unauthorized). Same, when I go to <zimbra server>/service/spnego/snoop.jsp

    So, I guess I did something wrong here. Can someone please help me and guide me in the right direction?

    Thanks,
    Markus



    Here is some more information for my setup:
    - Active Directory Domain: srv2012test.net (Windows Server 2012)
    - Zimbra Server Name: zimbratest.mydom.net (different from the AD name)

    And here is what I did exactly when following the guide:
    http://www.zimbra.com/docs/os/latest...n_Process.html

    section "Create Kerberos Keytab File"
    1.
    Create User:
    - Full Name: zimbratest
    - User Logon Name: HTTP/zimbratest.mydom.net
    - User Logon Name (pre Windows2000): zimbratest
    - Password: password123

    2.
    a) setspn.exe -a HTTP/zimbratest.mydom.net zimbratest

    b) setspn.exe -l zimbratest
    Registered ServicePrincipalNames for CN=zimbratest,CN=Users,DC=srv2012test,DC=net
    HTTP/zimbratest.mydom.net

    3. create keytab file:
    ktpass -out C: \Temp\spnego\jetty.keytab -princ HTTP/zimbratest.mydom.net@srv2012test.net -mapUser mail1 -mapOp set -pass password123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

    4. transferred keytab to /opt/zimbra/jetty/etc on zimbratest
    file permissions: 644 (rw-r--r--)
    owner: zimbra
    group: zimbra

    section "Configure ZCS"
    1.
    (as zimbra user)
    zmprov mcf zimbraSpnegoAuthEnabled TRUE
    zmprov mcf zimbraSpnegoAuthErrorURL '/zimbra/?ignoreLoginURL=1
    zmprov mcf zimbraSpnegoAuthRealm srv2012test.net

    2.
    zmprov ms zimbratest.portrix.net zimbraSpnegoAuthTargetName HTTP/zimbratest.portrix.net
    zmprov ms zimbratest.portrix.net zimbraSpnegoAuthPrincipal HTTP/zimbratest.mydom.net@srv2012test.net

    3.
    a) zmprov md srv2012test.net zimbraAuthKerberos5Realm srv2012test.net
    b) zmprov md srv2012test.net +zimbraVirtualHostname zimbratest.mydom.net
    c) (skipped - as for my understanding, every client should be allowed by that)
    d) dmprov md srv2012test.net zimbraWebClientLogoutURL '../?sso=1'

    section "Configure Your Browser"
    Firefox about:config ->
    network.negotiate-auth.delegation-uris - http://zimbratest.mydom.net,https://...test.mydom.net
    network.negotiate-auth.trusted-uris - http://zimbratest.mydom.net,https://...test.mydom.net

  2. #2

    I was suspecting that the error might be related to the fact that my AD domain is different from my DNS domain. So I installed everything new from scratch using a new domain name that matches the DNS name of my servers.
    Unfortunately with little success:
    - When I browse to the webmail page, I have to login using my AD credentials (using hostname and using IP)
    - https://zimbratest.sparcloud.de/serv...nego/snoop.jsp gives me a 403-error (system failure: no spnego user realm) this time

    Unfortunately I am no expert in Kerberos authentication at all and have no idea how to create a spnego user realm...

    Any help would be appreciated.
    Thanks
    Markus


    Setup:

    Active Directory Domain: sparcloud.de
    Zimbra Server Name: zimbratest.sparcloud.de

    section "Create Kerberos Keytab File"
    1.
    Create User:
    - Full Name: zimbratest
    - User Logon Name: HTTP/zimbratest.sparcloud.de
    - User Logon Name (pre Windows2000): zimbratest
    - Password: password123

    2.
    a) setspn.exe -a HTTP/zimbratest.sparcloud.de zimbratest

    b) setspn.exe -l zimbratest
    Registered ServicePrincipalNames for CN=zimbratest,CN=Users,DC=sparcloud.de,DC=de
    HTTP/zimbratest.portrix.net

    3. create keytab file:
    ktpass -out C: \Temp\spnego\jetty.keytab -princ HTTP/zimbratest.sparcloud.de@sparcloud.de -mapUser mail1 -mapOp set -pass password123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

    4. transferred keytab to /opt/zimbra/jetty/etc on zimbratest
    file permissions: 644 (rw-r--r--)
    owner: zimbra
    group: zimbra

    section "Configure ZCS"
    1.
    (as zimbra user)
    zmprov mcf zimbraSpnegoAuthEnabled TRUE
    zmprov mcf zimbraSpnegoAuthErrorURL '/zimbra/?ignoreLoginURL=1
    zmprov mcf zimbraSpnegoAuthRealm sparcloud.de
    2.
    zmprov ms zimbratest.portrix.net zimbraSpnegoAuthTargetName HTTP/zimbratest.sparcloud.de
    zmprov ms zimbratest.portrix.net zimbraSpnegoAuthPrincipal HTTP/zimbratest.sparcloud.de@sparcloud.de

    3.
    a) zmprov md sparcloud.de zimbraAuthKerberos5Realm sparcloud.de
    b) zmprov md sparcloud.de +zimbraVirtualHostname sparcloud.de
    d) zmprov md sparcloud.de zimbraWebClientLogoutURL '../?sso=1'

    section "Configure Your Browser"

    Firefox about:config ->
    network.negotiate-auth.delegation-uris - http://zimbratest.sparcloud.de,https...t.sparcloud.de
    network.negotiate-auth.trusted-uris - http://zimbratest.sparcloud.de,https...t.sparcloud.de
