Windows AD Authentication of user for different domain

swx
Posts: 3
Joined: Thu Aug 30, 2018 2:13 am

Windows AD Authentication of user for different domain

Postby swx » Thu Aug 30, 2018 2:44 am

Hi,

So I have searched around a lot trying to find an answer for this issue and found no solution.

I have inherited an existing Windows AD (2012) setup using the domain intranet.X.X. All works fine. We wanted to set up an internal mail system for staff to use, and having used Zimbra in the past I thought it would be a great solution. I have set it up initially with this intranet.X.X domain as the primary domain, have it authenticating against Windows AD well, and also have the web browser using pass-through authentication so there is no need to enter credentials again when they log onto their workstation.

I then set up our other external domain name on Zimbra and set it as the email address for sent messages, as I've found you can't change the primary email address (for whatever reason it's bound to the user). I tested it, and while you do now see the email coming from the correct domain in the mail client, if you look at the source you see that the mail from in fact shows as coming from the intranet.X.X domain, and as such it doesn't correctly validate with items like SPF etc.

So I then moved on to research and see what I could do, and started looking at setting up the second domain using AD but also using user-level External AD Auth. I set up LDAP auth in the domain wizard and as part of that checked the 'test user' account, and all was good against the intranet.X.X AD domain. However, I cannot get authentication to work no matter what I try when trying to authenticate the user as user@external domain through the Zimbra web interface. Please note the username in Zimbra is the same as in Windows AD. It's just the domain that is different, which I thought I could alter as part of the baseDN or filter or user-level External AD Auth?

I have tried all of the documented variations of the external LDAP account in the user's settings. Tried just setting the baseDN for the domain itself, etc. Mostly from information found on pages that seemed to relate to my issue.

I've not been able to find any successfully implemented setups (as documented on the web).

Has anyone done this, and if they have, are they willing to share what they did to overcome these issues? I have found a few pages on forums with people having this issue and no replies with an answer, so I don't know if it was sorted or they gave up on Zimbra.

This is a fresh install so it's on the latest version.


PaperAdvocate
Posts: 20
Joined: Tue Oct 11, 2016 9:28 pm

Re: Windows AD Authentication of user for different domain

Postby PaperAdvocate » Tue Sep 11, 2018 4:22 am

I'm not sure exactly what you're trying to accomplish, if it's just one public email domain with Zimbra being authenticated against a different AD domain, or something else.

I'll tell you what we have setup and you can tell me if that's what you're wanting or if it's something different.

We have a 2012 AD domain with a @subdomain.internaldomain.com structure. Zimbra 8.7 authenticates against this but has no @subdomain.internaldomain.com on the Zimbra system; it has a single @publicdomain.com in the system (which is the primary domain). The hostname of the mail server is mail.internaldomain.com but it has no bearing on authentication.

For the @publicdomain.com domain, in Zimbra it authenticates against "External Active Directory" with a "LDAP bind DN template" of "%u@subdomain.internaldomain.com".

When users log in via the web interface they can do so using either ad.logon.name@publicdomain.com or just ad.logon.name.

If this is what you're trying to do let me know and I'll try to help.
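An added example (my own Python, not code from Zimbra or from PaperAdvocate) of what the "LDAP bind DN template" described above does to a login before the bind against AD. It assumes the placeholder meanings Zimbra documents for zimbraAuthLdapBindDn (%u, %n, %d, %D) and adds a sanity check on the logon name that is my own, not something Zimbra is documented to do.

```python
from typing import Optional, Tuple

# Added example, not Zimbra's own code: how an "LDAP bind DN template" such as
# "%u@subdomain.internaldomain.com" turns a Zimbra login into the name that is
# bound against Active Directory. The placeholder meanings below are my reading
# of Zimbra's documentation for zimbraAuthLdapBindDn (assumption; verify on your release):
#   %n  login as typed, with its @domain part
#   %u  login with the @domain part removed (the AD logon name)
#   %d  the Zimbra domain, e.g. publicdomain.com
#   %D  the Zimbra domain in DN form, e.g. dc=publicdomain,dc=com

# Characters that are special in LDAP DNs (RFC 4514) or filters (RFC 4515).
# A logon name carrying one of these would change the meaning of the expanded
# template, so refuse it before substituting (defensive check, not Zimbra behaviour).
_UNSAFE = set(',=+<>#;\\"*()\0@')


def is_safe_logon_name(user: str) -> bool:
    return bool(user) and not (set(user) & _UNSAFE)


def split_login(login: str, zimbra_domain: str) -> Tuple[str, str]:
    """Return (user, domain). A bare logon name is completed with the Zimbra
    domain, which is why ad.logon.name and ad.logon.name@publicdomain.com both work."""
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return user, domain.lower()
    return login, zimbra_domain.lower()


def expand_bind_dn(template: str, login: str, zimbra_domain: str) -> str:
    """Substitute the placeholders; %D goes first so its output is not re-expanded."""
    user, domain = split_login(login, zimbra_domain)
    dc_form = ",".join(f"dc={label}" for label in domain.split("."))
    return (template.replace("%D", dc_form)
                    .replace("%d", domain)
                    .replace("%n", f"{user}@{domain}")
                    .replace("%u", user))


def bind_name_for(template: str, login: str, zimbra_domain: str) -> Optional[str]:
    """Name to use in the LDAP simple bind, or None if the login must be rejected."""
    user, _ = split_login(login, zimbra_domain)
    if not is_safe_logon_name(user):
        return None
    return expand_bind_dn(template, login, zimbra_domain)


if __name__ == "__main__":
    tmpl = "%u@subdomain.internaldomain.com"   # the template from the post above
    for login in ("ad.logon.name@publicdomain.com", "ad.logon.name", "bad,name"):
        print(f"{login:35} -> {bind_name_for(tmpl, login, 'publicdomain.com')}")
```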
swx
Posts: 3
Joined: Thu Aug 30, 2018 2:13 am

Re: Windows AD Authentication of user for different domain

Postby swx » Thu Sep 13, 2018 9:00 am

Hi,

Thanks for your reply.

Yes, I have the following structure: Windows 2012 AD with @intranet.domain.com. Servers are named under the same local domain. I also currently have the primary domain as the same local domain. All works, including single sign-on through the web interface.

Now if I add another domain @domain.com as the public domain and try to set up a new user with LDAP bind to auth them against @intranet.domain.com, user authentication just fails, either as single sign-on or as standard login attempts. I've tried many different LDAP bind combinations (set under the user account in Zimbra), including what you currently have, with no change. I'm wondering if it's actually due to the fact that I have @intranet.domain.com on the system as the primary, and it was the domain used as part of the initial install, even though authentication is set against the AD domain.

I may try tonight to get back to a primary domain other than the same domain as Windows AD and see if that has some bearing on things.
swx
Posts: 3
Joined: Thu Aug 30, 2018 2:13 am

Re: Windows AD Authentication of user for different domain

Postby swx » Thu Sep 13, 2018 1:33 pm

OK, so tonight I have removed the public domain and aliases etc. and renamed the intranet domain (primary domain) to the public domain. Cleaned up various things, and now all works for the public domain authenticating against the intranet.domain.com Windows AD LDAP.

Go figure. So I'm up and running, including full single sign-on.

Thanks
