Hello,
Maybe someone can help with SPNEGO authentication, I'm stuck here for a week or more and can't find the answer. I'm following this documentation https://wiki.zimbra.com/wiki/Configurin ... le_Sign-On and when I try to access http://mail.server.com or http://mail.server.com/service/spnego, http://mail.server.com/service/spnego/spoon.jsp I get this error in /opt/zimbra/log/mailbox.log:
2024-07-03 09:53:52,261 INFO [qtp2011482127-355270:https://mail.server.com/service/spnego] [oip=10.2.20.219;port=58306;ua=Mozilla/5.0 (Windows NT 10.0;; Win64;; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0;] account - spnego auth failed: authentication failed for [], no principal
In the web browser I get HTTP Error 403 authentication failed for []
/opt/zimbra/log/zmmailboxd.out:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /opt/zimbra/data/mailboxd/spnego/jetty.keytab refreshKrb5Config is false principal is HTTP/mail.server.com@dog.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/mail.server.com@dog.com
Will use keytab
Commit Succeeded
STEPS I DID:
I created a user zimbraspnego on AD (domain name e.g. dog.com):
User logon name - HTTP/mail.server.com@dog.com
User logon name (pre-Windows 2000) - DOG\zimbraspnego
setspn -l zimbraspnego - Registered ServicePrincipalNames for CN=zimbraspnego,CN=Users,DC=dog,DC=com:
HTTP/mail.server.com
ktpass.exe -out c:\Temp\spengo\jetty.keytab -princ HTTP/mail.server.com@DOG.COM -mapUser zimbraspnego -mapOp set -pass Password.123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
Moved jetty.keytab to the Ubuntu mail server - /opt/zimbra/data/mailboxd/spnego/jetty.keytab (file permissions -rwxr-xr-x 1 zimbra zimbra 76 Jul 2 09:18 jetty.keytab)
CURRENT CONFIG OF MAIL SERVER:
zmprov gcf zimbraSpnegoAuthEnabled - zimbraSpnegoAuthEnabled: TRUE
zmprov gcf zimbraSpnegoAuthRealm - zimbraSpnegoAuthRealm: DOG.COM
zmprov gs mail.server.com | grep zimbraSpnegoAuthTargetName - zimbraSpnegoAuthTargetName: HTTP/mail.server.com
zmprov gs mail.server.com | grep zimbraSpnegoAuthPrincipal - zimbraSpnegoAuthPrincipal: HTTP/mail.server.com@DOG.COM
NOW ON mail.server.com there are a couple of domains, one of them dog.com:
zmprov gd dog.com | grep zimbraAuthKerberos5Realm - zimbraAuthKerberos5Realm: DOG.COM
zmprov gd dog.com | grep zimbraVirtualHostname - zimbraVirtualHostname: mail.server.com
zmprov gd dog.com | grep zimbraWebClientLoginURL - zimbraWebClientLoginURL: /service/spnego
Zimbra version - Release 8.8.15.GA.3869.UBUNTU16.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P40.
Statistics: Posted by regimantas — Wed Jul 03, 2024 7:48 am
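An added example, not part of the original post and not Zimbra's own tooling: a small Python parser for the keytab format that ktpass.exe writes (MIT/Heimdal version 2), which lists each entry's principal, realm, key version and encryption type and compares the entries, case-sensitively, with the principal the service is configured to use (the value of zimbraSpnegoAuthPrincipal quoted above). Kerberos principal and realm names are case-sensitive, so an entry cut for @DOG.COM does not satisfy a configuration that asks for @dog.com; the check reports that case separately from a missing entry. The script runs on a constructed one-entry sample keytab with a dummy key; the principal, realm and key in that sample are made up. Pass a real keytab path and the expected principal as arguments to check a server's file.

```python
"""Inspect a keytab (the MIT/Heimdal v2 format that ktpass.exe writes) and
compare its entries with the service principal a server is configured to use.
Example code added for illustration; the sample keytab below is constructed."""
import struct
import sys

# Kerberos enctype numbers (RFC 3961, RFC 4757, RFC 8009)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
            20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac"}


def _counted_string(buf, off):
    """Read a 16-bit-length-prefixed string (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def _parse_entry(buf):
    """Decode one keytab entry body into a dict (key material is not returned)."""
    off = 0
    (ncomp,) = struct.unpack_from(">H", buf, off)
    off += 2
    realm, off = _counted_string(buf, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted_string(buf, off)
        comps.append(comp)
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
    off += 9
    enctype, klen = struct.unpack_from(">HH", buf, off)
    off += 4 + klen                       # skip the key bytes themselves
    kvno = vno8
    if len(buf) - off >= 4:               # optional 32-bit kvno; if nonzero it wins
        (kvno32,) = struct.unpack_from(">I", buf, off)
        if kvno32:
            kvno = kvno32
    return {"principal": "/".join(comps) + "@" + realm, "realm": realm,
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
            "key_len": klen}


def parse_keytab(data):
    """Return the live entries of a keytab blob; deleted entries (negative size) are skipped."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def check_keytab(entries, expected_principal):
    """Compare entries with the configured principal; return human-readable findings."""
    findings = []
    if any(e["principal"] == expected_principal for e in entries):
        findings.append("OK: keytab contains %s" % expected_principal)
    else:
        near = [e["principal"] for e in entries
                if e["principal"].lower() == expected_principal.lower()]
        if near:
            findings.append("MISMATCH: keytab has %s but the service expects %s; "
                            "principal and realm names are case-sensitive"
                            % (near[0], expected_principal))
        else:
            findings.append("MISSING: no entry for %s (keytab has: %s)"
                            % (expected_principal,
                               ", ".join(e["principal"] for e in entries) or "nothing"))
    for e in entries:
        if e["enctype"] == 23:
            findings.append("NOTE: %s kvno %d uses rc4-hmac, a legacy enctype; AES keys "
                            "are preferred where the domain allows them"
                            % (e["principal"], e["kvno"]))
    return findings


def build_keytab(principal, enctype, kvno, key):
    """Build a one-entry v2 keytab. Used only to construct the sample below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample: one rc4-hmac entry for a made-up service principal and a dummy key.
SAMPLE_KEYTAB = build_keytab("HTTP/mail.server.com@DOG.COM", 23, 3, bytes(range(16)))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    expected = sys.argv[2] if len(sys.argv) > 2 else "HTTP/mail.server.com@dog.com"
    found = parse_keytab(blob)
    for e in found:
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    for line in check_keytab(found, expected):
        print(line)
```

Run without arguments it checks the constructed sample against a lowercase-realm principal and reports the case mismatch; run as `python3 keytab_check.py /opt/zimbra/data/mailboxd/spnego/jetty.keytab HTTP/mail.server.com@DOG.COM` it checks a real file against the configured value. Where the MIT Kerberos client tools are installed, `klist -k -e <keytab>` prints the same principal, kvno and enctype list and is a good cross-check of the parser's output.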