Configuring SSO (Single Sign-on)
Posted by Ondrej Vanek, Last modified by Ondrej Vanek on 11 December 2015 08:34 AM

The following must be done on both the domain controller and IceWarp Server: 

  • create a type A record in your DNS for the webmail URL (e.g. mail.xmigrator.com)
  • create a "link" user in Active Directory (AD) - it must be located under the Users container and must have neither password expiration nor "change password on first logon" set; for instance, we create the user http_sso@xmigrator.com (the userPrincipalName value before mapping)
  • on the domain controller (AD), open a command line interface (CLI) and execute the following command:
    ktpass -out c:\HTTP#mail.xmigrator.com@XMIGRATOR.COM -princ HTTP/mail.xmigrator.com@XMIGRATOR.COM -mapUser ssoiwwebmail@xmigrator.com -mapOp set -pass * -ptype KRB5_NT_PRINCIPAL
    pay attention to the syntax, as it is case sensitive - keeping the correct upper/lower case is essential; the AD domain (realm) should be written in capitals
  • move the file c:\HTTP#mail.xmigrator.com@XMIGRATOR.COM to the IceWarp Server (the most suitable location is install_path/config/_keytabs, but this is not important at this point); any file name can be used when generating the keytab file, but this example already uses the name that IceWarp Server will expect (explained later)

  • on IceWarp Server, go to the domain properties (domain mail.xmigrator.com in our example), open the Directory Service tab and enable SSO
  • the Kerberos service name must be filled in according to the following pattern: <principal>/<icewarp_domain>@<AD_DOMAIN> (for our example it would be HTTP/mail.xmigrator.com@XMIGRATOR.COM); notice how the service name and the keytab file name match (a slash is not allowed in a file name, so it is replaced with a hash sign)
  • Remote account matching should be left at the default value, "Match with username", as that usually works; the right method, however, depends on your directory service configuration
  • the Manage keytabs.. button opens the content of the keytab folder, which is install_path/config/_keytabs; the keytab file generated on the domain controller earlier should be copied here. The file must have the expected name at this point; for our example it is HTTP#mail.xmigrator.com@XMIGRATOR.COM
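Both the naming rule and the keytab contents can be checked before the file is copied into _keytabs. The following Python is an added example, not code from the original article or from IceWarp: it derives the file name IceWarp expects from the service name, parses an MIT-format keytab (the format ktpass writes) without exposing key material, and checks case-sensitively that the keytab holds a key for exactly the configured service principal. The sample keytab bytes are constructed inside the block for demonstration, and the helper names are my own.

```python
import struct

def keytab_filename(service_name):
    return service_name.replace("/", "#")  # IceWarp's naming rule: '/' becomes '#'

def parse_keytab(data):
    """Parse an MIT keytab (v0x0502, which ktpass writes) into (principal, enctype, kvno)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    def take(fmt):                        # unpack fmt at pos and advance past it
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    def octets():                         # uint16 length-prefixed string
        nonlocal pos
        (n,) = take(">H")
        pos += n
        return data[pos - n:pos].decode()
    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = octets()
        comps = [octets() for _ in range(ncomp)]
        _name_type, _stamp, kvno, enctype, klen = take(">IIBHH")
        pos = end                         # skip key bytes (and any 32-bit kvno extension)
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
    return entries

def has_principal(data, service_name):    # case-sensitive, exactly like Kerberos
    return any(p == service_name for p, _, _ in parse_keytab(data))

def build_entry(service_name, enctype, kvno, key):
    """Constructed keytab entry for demonstration only (not real ktpass output)."""
    name, realm = service_name.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: one RC4-HMAC (enctype 23) key for the article's service name.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/mail.xmigrator.com@XMIGRATOR.COM", 23, 3, bytes(16))
```

Running parse_keytab over the real file copied from the domain controller shows whether the realm was written in capitals and the principal matches the Kerberos service name entered in the domain properties.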

The following must be done on the client side: 

  • add the webmail URL to trusted sites, for instance mail.xmigrator.com in our case
    • in Firefox, open about:config, search for network.negotiate-auth.trusted-uris and add the site there
    • in MSIE, open the Internet Options dialog / Security tab / Trusted sites (https:// need not be required unless necessary). Additionally, the Integrated Windows Authentication feature must be enabled (it is by default and allows Kerberos)

Now you can try to browse the SSO-dedicated webmail URL (e.g. http://mail.xmigrator.com/webmail/sso). If everything went well, the webmail of the same user that is logged on to Windows will open. If not, the Kerberos logs become very useful; turn them on in the server Administration console: System / Logging / Debug tab / Kerberos

Known issues:

if the source LDIF attribute value used as the local username source contains a dash, you have to enable the checkbox "add AD login to alias" and set "remote account matching" to "match with alias".

© a.rusek, o.vanek
