Page 1 of 1

SPNEGO on the appliance

Posted: Thu Sep 20, 2012 5:24 am
by gerdesj
I have installed the appliance (zca-8.0.0.1147) for a proof of concept and it works fine so far on vSphere 5u1 and I setup a single domain with LDAP auth against AD with no problems.
I attempted to follow the instructions in the admin guide to enable SPNEGO authentication - we use Kerberos a lot on Windows/Linux workstations. However I now get an Internal Server Error ERROR 500 in the browser when logging in.
I then tried to enable the debugging options suggested in the guide. The details are a bit vague in the docs but it seems I should put this in /opt/zimbra/conf/localconfig.xml




"-DDEBUG=true -Dsun.security.spnego.debug=all"




and add a line to /opt/zimbra/conf/log4j.properties.in (the docs say without the .in but that file is generated at the service start up and overwritten)
The localconfig change causes the Zimbra system to fail to start up. The extra logging seems to cause this:


2012-09-20 10:48:57.061:WARN:oejs.ServletHandler:/

java.lang.IllegalArgumentException

at org.eclipse.jetty.server.Response.sendRedirect(Response.java:450)

at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:136)

at org.eclipse.jetty.http.gzip.GzipResponseWrapper.sendRedirect(GzipResponseWrapper.java:306)

at org.apache.taglibs.standard.tag.common.core.RedirectSupport.doEndTag(RedirectSupport.java:148)

at org.apache.jsp.public_.login_jsp._jspx_meth_c_redirect_7(login_jsp.java:3212)

at org.apache.jsp.public_.login_jsp._jspx_meth_c_if_19(login_jsp.java:3171)


I have double checked the settings using zmprov and they all look correct against the doc examples.
I'd be grateful for some directions on getting this working.
Cheers

Jon

SPNEGO on the appliance

Posted: Thu Oct 25, 2012 2:04 pm
by StephaneP
Hi Jon,
Just got the same problem here.

First, make sure your SSO configuration is correct by pointing your browser to /service/spnego/snoop.jsp. If successful, this will give you all the information about the authentication.

Then, try the follolwing URL: /service/spnego/ This should let you enter your Zimbra account.
Finally, the right URL for the zimbraWebClientLoginURL is '../service/spnego' (not '../../service/spnego').
Last but not least, when enabling the DEBUG traces, the documentation states you need to *ADD* '-DDEBUG=true -Dsun.security.spnego.debug=all' and other stuff to the existing setting, not replace.

By replacing it, you remove the configuration settings for Kerberos and this creates other problems :)
Stephane

SPNEGO on the appliance

Posted: Sun Nov 11, 2012 2:33 am
by mackoftrack
any resolution? i can't get SSO/spnego working either. Followed the Appendix in the Admin Manual word for word, but no luck.