Hi,


i have a problem regarding SSO authentication.
I downloaded the zimbra appliance version 8.0.0_GA_5434 (2012-09-10) and installed it inside a virtual machine. Then I configured my bind settings, so I can now login into the web client using my Active Directory credentials.

My next task would be to get single sign on working, so I can enter the webclient without having to enter my password. I found the admin guide and followed appendix B (please scroll down for exact information), but it is not working.
When I start the webclient using the hostname of my zimbra server (https://zimbratest.mydom.net), I receive an "internal error 500". When I use the IP instead, I come to the normal login screen.

Using the forum search, I found this thread:
http://www.zimbra.com/forums/virtual...appliance.html
I followed the suggestion and set zimbraWebClientLoginURL to '../service/spnego'. Now I get error 401 (unauthorized). Same, when I go to <zimbra server>/service/spnego/snoop.jsp

So, I guess I did something wrong here. Can someone please help me and guide to the right direction?

Thanks,
Markus



Here is some more information for my setup:
- Active Directory Domain: srv2012test.net (Windows Server 2012)
- Zimbra Server Name: zimbratest.mydom.net (different from the AD name)

And here is what I did exactly when following the guide:
http://www.zimbra.com/docs/os/latest...n_Process.html

section "Create Kerberos Keytab File"
1.
Create User:
- Full Name: zimbratest
- User Logon Name: HTTP/zimbratest.mydom.net
- User Logon Name (pre Windows2000): zimbratest
- Password: password123

2.
a) setspn.exe -a HTTP/zimbratest.mydom.net zimbratest

b) setspn.exe -l zimbratest
Registered ServicePrincipalNames for CN=zimbratest,CN=Users,DC=srv2012test,DC=net
HTTP/zimbratest.mydom.net

3. create keytab file:
ktpass -out C: \Temp\spnego\jetty.keytab -princ HTTP/zimbratest.mydom.net@srv2012test.net -mapUser mail1 -mapOp set -pass password123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

4. transfered keytab to /opt/zimbra/jetty/etc on zimbratest
file permissions: 644 (rw-r--r--)
owner: zimbra
group: zimbra

section "Configure ZCS"
1.
(as zimbra user)
zmprov mcf zimbraSpnegoAuthEnabled TRUE
zmprov mcf zimbraSpnegoAuthErrorURL '/zimbra/?ignoreLoginURL=1
zmprov mcf zimbraSpnegoAuthRealm srv2012test.net

2.
zmprov ms zimbratest.portrix.net zimbraSpnegoAuthTargetName HTTP/zimbratest.portrix.net
zmprov ms zimbratest.portrix.net zimbraSpnegoAuthPrincipal HTTP/zimbratest.mydom.net@srv2012test.net

3.
a) zmprov md srv2012test.net zimbraAuthKerberos5Realm srv2012test.net
b) zmprov md srv2012test.net +zimbraVirtualHostname zimbratest.mydom.net
c) (skipped - as for my understanding, every client should be allowed by that)
d) dmprov md srv2012test.net zimbraWebClientLogoutURL '../?sso=1'

section "Configure Your Browser"
Firefox about:config ->
network.negotiate-auth.delegation-uris - http://zimbratest.mydom.net,https://...test.mydom.net
network.negotiate-auth.trusted-uris - http://zimbratest.mydom.net,https://...test.mydom.net