Configure Chrome for SPNEGO on Mac

The SPNEGO protocol mechanism can be configured on {product-abbrev} for single sign-on authentication to the Zimbra Web Client and to the Zimbra Connector for Outlook (ZCO). For ZCO configuration see Setting Up Single Sign-On Options for ZCO.

From ZWC, when users log on to their Intranet through Active Directory, they can enter their ZWC mailbox without having to re-authenticate to Zimbra.

The {product-abbrev} server is configured to redirect users attempting to log on to ZWC to a URL under SPNEGO protection. The server asks for authentication with Kerberos through SPNEGO and users are redirected to their ZWC mailbox. When users log out, they are redirected to a logout URL that displays a Launch button. When users click Launch, they are directed to the ZWC entry page.

When users log on to their ZWC accounts from the Internet, the ZWC log in page displays and they must enter their ZWC password to log on.

You have to configure the white list of sites permitted to exchange SPNEGO tokens. On computers running Windows, a properly configured Internet Explorer means you do not need to additionally configure Chrome. Computers running Mac OS use Kerberos as the authentication mechanism.

If SPNEGO SSO is enabled on a domain, the browsers must be configured correctly. See Configure Your Browser. Improperly configured browsers may pop up a user/pass dialog; if a user enters the correct AD domain username/password there, the user can still log in to the Zimbra mailbox. Some browsers may instead display a '401 Unauthorized' error.

Configuration Process

  1. Create the Kerberos keytab file.

    • Create an Active Directory service account. This account is used to generate the Kerberos keytab file.

    • Add the Service Principal Name (SPN) directory property for an Active Directory service account.

    • Create the keytab file.

  2. Enable and configure the SPNEGO protocol on the {product-abbrev} server.

  3. Configure browsers

Create the Kerberos Keytab File

An Active Directory service account is created in the Domain for each mailstore server.

  1. Create an Active Directory service account. This is the account used to generate the Kerberos keytab file that is added to the Zimbra server.

    1. Go to the Active Directory Start > Programs > Administrative Tools > Active Directory Users and Computers console.

    2. To create the service account, click the AD Domain name and from the expanded content right-click Users and select New > User. Complete the New Object – User dialog.

      • Full name: Enter the user display name for the AD service account. It is recommended that the full name be the {product-abbrev} mailbox server name.
        Example: mail1

      • User Logon Name: This name is the value that is set for the zimbraSpnegoAuthTargetName server attribute in LDAP. Write it down.
        Example: HTTP/mail1.example.com

      • User Logon Name (pre-Windows 2000): This name is used for the -mapUser parameter in the setspn and ktpass commands.
        Example: mail1

      • Click Next.

    3. Enter and confirm the password. This password is used for the -pass {AD-user-password} parameter in the ktpass command, configured below.

    4. Check Password never expires and User cannot change password, and click Next.

    5. Click Finish to create the user. The service account name displays in the Users directory.

  2. Use the setspn command to map the mailbox server name as the Service Principal Name (SPN) to the user account. The SPN is used in the process of mutual authentication between the client and the server hosting a particular service.

    1. From the command prompt, type setspn -a {userlogonname} {serviceaccountname}

      Example 1. Map mailbox server name as Service Principal Name to user account
    2. To verify that the SPN is registered, type C:\> setspn -l {accountname}
      A list of registered SPNs is displayed.

  3. Create the keytab file used when signing into the Kerberos domain. Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab.

    A Kerberos keytab file contains a list of keys that are analogous to user passwords. Restrict and monitor permissions on any keytab files you create.

    The command to type is ktpass with the following parameters:

    ktpass -out

    The key is written to this output file.
    Enter the directory location and keytab file name. The keytab file name is jetty.keytab.
    For example, C:\Temp\spengo\jetty.keytab

    -princ

    This is the principal name.
    Enter the Service Principal Name as used in Step 2 in the Setting up the Microsoft Windows Active Directory Domain Controller section.
    For example, HTTP/mail1.example.com@COMPANY.COM

    -mapUser

    This maps the -princ value to this user account.
    Enter the AD service account user name entered in the User Logon Name (pre-Windows 2000) field in Step 1.b in the Setting up the Microsoft Windows Active Directory Domain Controller section.

    -mapOp

    This sets the mapping. The value for this parameter is set.
    Enter set

    -pass

    This is the password to use.
    Enter the password entered for the User Logon Name (pre-Windows 2000) account in Step 1.c in the Setting up the Microsoft Windows Active Directory Domain Controller section.

    -crypto

    This is the cryptosystem to use.
    Enter RC4-HMAC-NT

    -pType

    Enter KRB5_NT_PRINCIPAL
    To avoid warning messages from the toolkit, enter this value.

    Example 2. Using ktpass to create a jetty.keytab file

    The command is confirmed with something similar to the example below.

  4. Transfer the keytab file (jetty.keytab) to the Zimbra server. Copy the file created in step 3 to the following Zimbra server location: /opt/zimbra/data/mailboxd/spnego/jetty.keytab.

Do not rename the jetty.keytab file. This file name is referenced from various configuration files.

Repeat steps 1 to 4 to create the keytab file (jetty.keytab) for each Zimbra mailstore server.
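Before a jetty.keytab is copied to a mailstore server, it is worth confirming what ktpass actually wrote into it. The following is an added example, not code from the Zimbra documentation or from the Windows toolkit: read_keytab parses the version 0x0502 keytab layout and lists each entry's principal, key version number and encryption type (key material is skipped, never returned), and build_keytab constructs a sample keytab with a dummy key so the block runs offline.

```python
import struct

# Encryption type numbers as stored in keytab key blocks (RFC 3961 / RFC 4757).
ENCTYPES = {23: "RC4-HMAC-NT", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}

def _counted(buf, pos):
    """Read a keytab counted_octet_string: 16-bit big-endian length, then bytes."""
    n, = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def read_keytab(data):
    """Parse a version 0x0502 keytab; return [(principal, kvno, enctype name)]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                   # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 8                        # uint32 name_type, uint32 timestamp
        vno8 = data[pos]
        enctype, klen = struct.unpack_from(">HH", data, pos + 1)
        pos += 5 + klen                 # skip the key itself; it is never returned
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno,
                        ENCTYPES.get(enctype, "enctype %d" % enctype)))
        pos = end
    return entries

def _cstr(s):
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_keytab(principal, kvno, enctype, key):
    """Constructed one-entry keytab in the layout ktpass writes (test data only)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: the procedure's principal with a dummy all-zero 16-byte key.
SAMPLE_KEYTAB = build_keytab("HTTP/mail1.example.com@COMPANY.COM", 3, 23, b"\x00" * 16)
```

On a real file, call read_keytab(open("jetty.keytab", "rb").read()) and compare the listed principal with the value you will set in zimbraSpnegoAuthPrincipal.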

Configure {product-abbrev}

SPNEGO attributes in Global Config and on each Zimbra server are configured and pre-authentication is set up for the domain. Use the zmprov commands to modify the Zimbra server.

Only one Kerberos REALM is supported per {product-abbrev} installation.

  1. Modify the following global config attributes with the zmprov mcf command.

    zimbraSpnegoAuthEnabled

    Set to TRUE.

    zimbraSpnegoAuthErrorURL

    This is the URL users are redirected to when SPNEGO auth fails. Setting it to /zimbra/?ignoreLoginURL=1 will redirect the user to the regular Zimbra login page, where the user will be prompted for their Zimbra user name and password.

    zimbraSpnegoAuthRealm

    The Kerberos realm in the domain controller.

    This is the domain name in the Active Directory. (COMPANY.COM)

    1. zmprov mcf zimbraSpnegoAuthEnabled TRUE

    2. zmprov mcf zimbraSpnegoAuthErrorURL '/zimbra/?ignoreLoginURL=1'

    3. zmprov mcf zimbraSpnegoAuthRealm <COMPANY.COM>

  2. On each Zimbra server, modify the following server attributes with the zmprov ms command.

    zimbraSpnegoAuthTargetName

    This is the user logon name from Step 1 B, User Logon Name.

    zimbraSpnegoAuthPrincipal

    Enter the user logon name set in zimbraSpnegoAuthTargetName and the realm set in the global config attribute zimbraSpnegoAuthRealm.

    Type as zimbraSpnegoAuthTargetName@zimbraSpnegoAuthRealm

    For example, HTTP/mail1.example.com@COMPANY.COM

    To modify the server global config attributes, type:

    1. zmprov ms mail1.example.com zimbraSpnegoAuthTargetName HTTP/mail1.example.com

    2. zmprov ms mail1.example.com zimbraSpnegoAuthPrincipal HTTP/mail1.example.com@COMPANY.COM

  3. The following is set up on the domain.

    • Kerberos Realm

    • Virtual host

    • Web client login URL and UAs

    • Web client logout URL and UAs

      1. Set up the Kerberos Realm for the domain. This is the same realm set in the global config attribute zimbraSpnegoAuthRealm. Type zmprov md {domain} zimbraAuthKerberos5Realm {kerberosrealm}

      2. Set up the virtual hosts for the domain. Virtual-hostname-* are the hostnames you can browse to for the Zimbra Web Client UI. Type:

      3. Set up the web client log in URL and the UAs allowed for the login URL on the domain.

        • Set the login URL. The login URL is the URL to redirect users to when the Zimbra auth token is expired. zmprov md {domain} zimbraWebClientLoginURL './service/spnego'

        • Honor only supported platforms and browsers.

          zimbraWebClientLoginURLAllowedUA is a multi-valued attribute; values are regex. If this is not set, all UAs are allowed. If multiple values are set, a UA is allowed as long as it matches any one of the values.

          For example, to honor zimbraWebClientLoginURL only for Firefox, Internet Explorer, Chrome, and Safari on computers running Windows, and Safari on Apple Mac computers, type the following commands.

      4. Set up the web client logout URL and the UAs allowed for the logout URL on the domain.

        • Set the logout URL. The logout URL is the URL to redirect users towhen users click Logout.

        • Honor only supported platforms and browsers. zimbraWebClientLogoutURLAllowedUA is a multi-valued attribute; values are regex. If this is not set, all UAs are allowed. If multiple values are set, a UA is allowed as long as it matches any one of the values.

          For example, to honor zimbraWebClientLogoutURL only for Firefox, Internet Explorer, Chrome, and Safari on computers running Windows, and Safari on Apple Mac computers, type the following commands.
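The values set above have to agree with each other and with the keytab: the server principal is the target name, '@', and the global realm; the keytab principal must be that same value; and the domain's zimbraAuthKerberos5Realm must be the same realm. This added example (my own code, not a Zimbra tool) checks a set of values for those relations and builds the zmprov command lines for several mailstore servers at once; the values in SAMPLE_CONFIG are constructed, and check_spnego_config and zmprov_commands are names chosen here.

```python
# Constructed sample values for one mailstore server (not from a real deployment).
SAMPLE_CONFIG = {
    "keytab_principal": "HTTP/mail1.example.com@COMPANY.COM",  # ktpass -princ
    "zimbraSpnegoAuthRealm": "COMPANY.COM",                    # zmprov mcf
    "zimbraSpnegoAuthTargetName": "HTTP/mail1.example.com",    # zmprov ms
    "zimbraSpnegoAuthPrincipal": "HTTP/mail1.example.com@COMPANY.COM",
    "zimbraAuthKerberos5Realm": "COMPANY.COM",                 # zmprov md
}

def check_spnego_config(cfg):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    realm = cfg.get("zimbraSpnegoAuthRealm", "")
    target = cfg.get("zimbraSpnegoAuthTargetName", "")
    principal = cfg.get("zimbraSpnegoAuthPrincipal", "")
    if realm != realm.upper():
        findings.append("zimbraSpnegoAuthRealm %r is not upper case; AD realm names are" % realm)
    if not target.startswith("HTTP/"):
        findings.append("zimbraSpnegoAuthTargetName %r is not an HTTP/<host> SPN" % target)
    expected = "%s@%s" % (target, realm)
    if principal != expected:
        findings.append("zimbraSpnegoAuthPrincipal is %r, expected %r" % (principal, expected))
    if cfg.get("keytab_principal") != principal:
        findings.append("jetty.keytab principal does not match zimbraSpnegoAuthPrincipal")
    if cfg.get("zimbraAuthKerberos5Realm") != realm:
        findings.append("domain zimbraAuthKerberos5Realm must equal zimbraSpnegoAuthRealm")
    return findings

def zmprov_commands(realm, domain, servers):
    """Build the zmprov lines from the procedure above for several mailstore
    servers, deriving each server's SPN and principal from its hostname."""
    cmds = [
        "zmprov mcf zimbraSpnegoAuthEnabled TRUE",
        "zmprov mcf zimbraSpnegoAuthErrorURL '/zimbra/?ignoreLoginURL=1'",
        "zmprov mcf zimbraSpnegoAuthRealm %s" % realm,
        "zmprov md %s zimbraAuthKerberos5Realm %s" % (domain, realm),
    ]
    for host in servers:
        target = "HTTP/%s" % host
        cmds.append("zmprov ms %s zimbraSpnegoAuthTargetName %s" % (host, target))
        cmds.append("zmprov ms %s zimbraSpnegoAuthPrincipal %s@%s" % (host, target, realm))
    return cmds
```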

Configure Your Browser

When the SPNEGO SSO feature is enabled on your domain, users' browsers must be configured properly. Improperly configured browsers will behave differently depending on the browser.

  • For computers running Windows: Internet Explorer 10.0 or later, Edge, Firefox 52 or later, Chrome, Safari

  • Apple Mac computer: Safari

    1. Firefox browser for computers running Windows

      1. In the Firefox browser address field, type about:config. The warning 'This might void your warranty!' is now displayed.

      2. Click I’ll be careful, I promise!

      3. In the search filter, type network.n. Enter a comma-delimited list of trusted domains or URLs.

        Double-click network.negotiate-auth.delegation-uris. Enter http://,https://

        Double-click network.negotiate-auth.trusted-uris. Enter http://,https://

        Double-click network.negotiate-auth.delegation-uris. Enter the domain addresses. For example, http://mail1.example.com,https://mail2.example.com

        Double-click network.negotiate-auth.trusted-uris. Enter the domain addresses. For example, http://mail1.example.com,https://mail2.example.com

    2. Internet Explorer, Chrome, and Safari for computers running Windows

      1. In these browsers, go to Tools > Internet Options > Security > Local Intranet > Sites. On the Sites dialog make sure all items are checked.

      2. Select Advanced. Add the domain server (hostname) URL, both http:// and https://

      3. Click OK to close the file.

      4. Go to Tools > Options > Advanced > Security. Locate and check Enable Integrated Windows Authentication.

      5. Click OK and close the browser.

    3. Safari for Apple Mac computers. No configuration is necessary.

Test your setup

  1. On a Windows computer or an Apple Mac computer, log in to the computer as a domain user.

    Your ticket as a domain user will be saved on the computer. The token will be picked up by the SPNEGO-aware browser and sent in the Authorization header to the Zimbra server.

  2. Browse to the Zimbra Web Client log on page. You should be redirected to your ZWC inbox without being prompted for user name and password.

    If spnego auth fails, the user is redirected to an error URL.

Troubleshooting setup

  • The browser is in the Intranet zone.

  • The user is accessing the server using a hostname rather than an IP address.


  • Integrated Windows authentication in Internet Explorer is enabled, and the host is trusted in Firefox.

  • The server is not local to the browser.

  • The client’s Kerberos system is authenticated to a domain controller.

  • If the browser displays '401 Unauthorized', it is most likely that the browser either did not send another request with Authorization in response to the 401, or sent an Authorization that is not using the GSS-API/SPNEGO scheme.

    Check your browser settings, and make sure it is one of the supported browsers/platforms.

  • If you are redirected to the error URL specified in zimbraSpnegoAuthErrorURL, the SPNEGO authentication sequence does not work.

    Take a network trace and make sure the browser sends the Authorization header in response to the 401. Make sure the Negotiate is using GSS-API/SPNEGO, not NTLM (use a network packet decoder like Wireshark).

    After verifying that the browser is sending the correct Negotiate, if it still does not work, turn on the following debug and check the Zimbra logs:

    • Add "-DDEBUG=true -Dsun.security.spnego.debug=all" (note: add, do not replace) to the localconfig key spnego_java_options

    • Add log4j.logger.org.mortbay.log=DEBUG in log4j

    Browse to the debug snoop page: http://{server}:{port}/spnego/snoop.jsp. See if you can access snoop.jsp.

    Check zmmailboxd.out and mailbox.log for debug output.

    • One of the errors at this stage could be because of clock skew on the jetty server. If this is the case, it should be shown in zmmailboxd.out. Fix the clock skew and try again.
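The network-trace step above asks you to confirm that the Negotiate token is GSS-API/SPNEGO rather than NTLM; the token itself carries enough to tell. This added example (not from the Zimbra documentation) decodes an Authorization header value and names the mechanism from either the NTLMSSP signature or the GSS-API mechanism OID at the head of the token; the three sample header values are constructed, not captured, and classify_negotiate is a name chosen here.

```python
import base64

# Mechanism OIDs that can head a GSS-API InitialContextToken (RFC 2743 section 3.1).
GSS_MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def _der_length(buf, pos):
    """Return (length, position after the length field) for a DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def classify_negotiate(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value as NTLM, SPNEGO, Kerberos V5, ..."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not Negotiate scheme: " + scheme
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):        # raw NTLM message, no GSS-API framing
        return "NTLM"
    if not token or token[0] != 0x60:            # [APPLICATION 0] tag of InitialContextToken
        return "unknown (not a GSS-API InitialContextToken)"
    _, pos = _der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:  # the mechanism OBJECT IDENTIFIER must follow
        return "unknown (no mechanism OID)"
    oid_len, pos = _der_length(token, pos + 1)
    oid = _decode_oid(token[pos:pos + oid_len])
    return GSS_MECH_OIDS.get(oid, "unknown mechanism OID " + oid)

# Constructed sample header values (not captured from a real browser).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 24).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x0a\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x00").decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    b"\x60\x0b\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02").decode()
```

Paste the Authorization value from the Wireshark follow-stream view into classify_negotiate; an NTLM result means the browser is not in the Intranet zone or Integrated Windows Authentication is off, which matches the checklist above.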

Configure Kerberos Auth with SPNEGO Auth

Kerberos auth and SPNEGO can coexist on a domain. The use case is using Kerberos as the mechanism for verifying user principal/password against a KDC, instead of the native Zimbra LDAP, when the user cannot get in by SPNEGO.

When SPNEGO auth fails, users are redirected to the Zimbra sign in page if the browser is configured properly. Users can enter their Zimbra username and password on the sign in page to sign in manually. The Domain attribute zimbraAuthMech controls the mechanism for verifying passwords. If zimbraAuthMech is set to 'kerberos5', the user name the user enters is used to first identify a valid Zimbra user (users must be provisioned in the Zimbra LDAP), then the Zimbra user is mapped to a Kerberos principal, and the Kerberos principal + password is then validated against a KDC. This KDC could be different from, or the same as, the KDC that the Active Directory domain controller (for SPNEGO auth) is running as.

Every Microsoft Active Directory domain controller acts as a Kerberos KDC. For SPNEGO auth, the KDC is not contacted from the mailbox server. The Kerberos token sent in the Authorization HTTP header, along with jetty's keytab file, can identify/authenticate the user.

For Kerberos auth (zimbraAuthMech='kerberos5'), the mailbox server needs to contact the KDC to validate principal+password. For the Java Kerberos client (i.e. the Zimbra mailbox server), the default realm and the KDC for the realm are specified in a Kerberos config file. The location of this config file can be specified in the JVM argument java.security.krb5.conf. If it is not specified, the default is /etc/krb5.conf. When SPNEGO is enabled in Zimbra, java.security.krb5.conf for the mailbox server is set to /opt/zimbra/jetty/etc/krb5.ini. Therefore, that is the effective file for configuring Kerberos auth.

/opt/zimbra/jetty/etc/krb5.ini is rewritten from /opt/zimbra/jetty/etc/krb5.ini.in each time the mailbox server restarts. To configure, you need to modify the /opt/zimbra/jetty/etc/krb5.ini.in file, not /opt/zimbra/jetty/etc/krb5.ini.

Under the [realms] section, kdc and admin_server are not set for SPNEGO auth, but they are required for Kerberos auth.

  1. Edit /opt/zimbra/jetty/etc/krb5.ini.in

  2. Change:

to

  3. Replace YOUR-KDC and YOUR-ADMIN-SERVER with the hostname on which the kdc/admin_server for Kerberos auth is running.

  4. Save the file and restart the mailbox server.

The restriction is that the realm for SPNEGO and Kerberos auth must be the same. For SPNEGO auth, the Kerberos principal in the Authorization header is mapped to a unique Zimbra account. For Kerberos auth, the Zimbra account is mapped to a unique Kerberos principal. The mapping (by the domain attribute zimbraAuthKerberos5Realm) is the same for both.
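Because the effective krb5.ini is regenerated from krb5.ini.in on every restart, checking the template before restarting avoids a failed kerberos5 login. This added example (my own, not a Zimbra utility) parses the [realms] section of a krb5.ini-style file and reports whether kdc and admin_server are set for the realm and whether the YOUR-KDC / YOUR-ADMIN-SERVER placeholders are still present; SAMPLE_KRB5_INI is constructed text, not the template Zimbra ships, and parse_realms and check_kerberos_auth_realm are names chosen here.

```python
import re

# Constructed sample of a krb5.ini.in after the edit, placeholders not yet replaced.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = COMPANY.COM

[realms]
    COMPANY.COM = {
        kdc = YOUR-KDC
        admin_server = YOUR-ADMIN-SERVER
    }
"""

PLACEHOLDERS = ("YOUR-KDC", "YOUR-ADMIN-SERVER")

def parse_realms(text):
    """Return {realm: {key: value}} from the [realms] section (REALM = { ... } blocks)."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            current = m.group(1)
            realms[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            realms[current][key.strip()] = value.strip()
    return realms

def check_kerberos_auth_realm(text, realm):
    """Findings that would stop zimbraAuthMech=kerberos5 from reaching a KDC."""
    entry = parse_realms(text).get(realm)
    if entry is None:
        return ["realm %s has no [realms] entry" % realm]
    findings = []
    for key in ("kdc", "admin_server"):
        value = entry.get(key)
        if not value:
            findings.append("%s is not set for %s (required for kerberos auth)" % (key, realm))
        elif value in PLACEHOLDERS:
            findings.append("%s still holds the placeholder %s" % (key, value))
    return findings
```

Run check_kerberos_auth_realm on the contents of /opt/zimbra/jetty/etc/krb5.ini.in with the value of zimbraSpnegoAuthRealm; an empty list means the realm block is ready for the restart.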

Setting Up Single Sign-On Options for ZCO

To use the SSO option with ZCO, SPNEGO must be configured on the {product-abbrev} server.

The single sign-on option works with a specific server. The server name used in the ZCO profile must match that in the SPNEGO configuration. Make sure that the server name is incorporated into the .msi file prior to installation.

To set up the single sign-on option in the .msi customization script:

  1. Set the server name to be the server name configured for SPNEGO: enter -sn <spnegoserver.example.com>.

  2. Set the password rule: enter -pw 0.