Zarafa WebAccess Single Sign On configuration

From Zarafa wiki

Latest revision as of 12:56, 29 September 2011

Introduction

This article describes how to set up Single Sign On for Zarafa WebAccess against an Active Directory domain controller.
The procedure has been tested on Red Hat Enterprise Linux server 5, but can also be used as a basis for other distributions.


Prerequisites

It is assumed the following prerequisites are in place (document has been tested with RHEL 5):

  • Windows Server 2003 R2 or 2008 SP1 which is configured as domain controller
  • Windows XP or Vista client that has joined the Windows domain

In this example the web server is placed in a different DNS domain than the domain controller. This is not a requirement, but it makes clearer how the Kerberos principal has to be created, which is the tricky part when the servers are in different domains.

In this example, the following servers and realms will be referenced:

  • AD Server dc.example.com
  • Linux Server zarafa.testdomain.com
  • Kerberos Realm EXAMPLE.COM

Make sure that both servers are reachable via their FQDN (Fully Qualified Domain Name) and that their PTR (reverse) records are correct.
For time synchronization, configure NTP on all machines.

A working setup was created by:

  • Created a forward lookup zone in ADS for testdomain.com
  • Added zarafa.testdomain.com to the forward lookup zone (including PTR record).
  • Set up NTP on the Linux machine (zarafa.testdomain.com) to sync its time with the ADS machine.


Active Directory configuration

  • Add a new user httpd-linux to your Active Directory.
  • Make sure that you enable the option "Password never expires".
  • On the account properties for this user enable "Use DES encryption types for this account".
  • After setting this account property RESET the password for httpd-linux.

Install the Windows Support tools which include the ktpass.exe program. See the Microsoft download page for the download of these tools.

Execute the following command to create a keytab file for the Apache webserver.

 ktpass -princ HTTP/zarafa.testdomain.com@EXAMPLE.COM 
 -mapuser EXAMPLE\httpd-linux -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL 
 -mapop set +desonly -pass secret  -out c:\keytab

Copy the keytab file to the directory /etc/httpd/conf/ on your Linux server.
You can use an SCP client for this, like WinSCP.


Apache configuration

Install the mod_auth_kerb Apache module.

yum install mod_auth_kerb

or

apt-get install libapache2-mod-auth-kerb

Open the file /etc/httpd/conf.d/auth_kerb.conf. Add the following lines at the end of this file:

Alias /webaccess /usr/share/zarafa-webaccess
#
<Directory /usr/share/zarafa-webaccess>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Directory>


Set the filesystem permissions of the keytab file to 400 (r--------) and change the owner to the Apache user:

 chmod 400 /etc/httpd/conf/keytab 
 chown apache.apache /etc/httpd/conf/keytab  

Open the file /etc/krb5.conf and insert the following lines:

[libdefaults]
       default_realm = EXAMPLE.COM
# 
[realms]
       EXAMPLE.COM = {
               kdc = dc.example.com
               admin_server = dc.example.com
       }
#
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Replace the kdc and admin_server with the FQDN of the Domain Controller.
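The two things that most often break this step are a realm block in krb5.conf that does not match default_realm (or the realm used in the [domain_realm] mappings) and a keytab that is readable by more than the Apache user. The following pre-flight script is an added example, not part of the Zarafa wiki page or the Zarafa project: it parses a krb5.conf-style text with a small hand-written parser (the nested REALM = { ... } blocks are not INI syntax), reports realm inconsistencies, and checks a keytab for the 400 mode and owner the page asks for. The sample configuration is constructed here and deliberately names the [realms] block ZARAFA.LOCAL while default_realm is EXAMPLE.COM, a common slip when a config is copied from another site; the checker flags it.

```python
"""Pre-flight checks for the Kerberos side of the WebAccess SSO setup.

Added example, not code from the Zarafa wiki page. Assumptions: krb5.conf
uses only flat 'key = value' lines and one level of 'NAME = { ... }' blocks,
and the keytab must be mode 0400 and owned by the Apache user.
"""
import os
import re
import stat
import tempfile

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value | {subkey: value}}}."""
    conf = {}
    section = None
    block = None  # name of the 'X = {' block currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key outside of any [section]: %r" % line)
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = key
            section[key] = {}
        elif block is not None:
            section[block][key] = value
        else:
            section[key] = value
    return conf


def check_realms(conf):
    """Return a list of problems found in the realm configuration."""
    problems = []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        problems.append("no default_realm in [libdefaults]")
    elif default not in realms:
        problems.append("default_realm %s has no [realms] entry (found: %s)"
                        % (default, ", ".join(sorted(realms)) or "none"))
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append("domain %s maps to undefined realm %s" % (domain, realm))
    for name, entry in realms.items():
        if name != name.upper():
            problems.append("realm name %s is not upper case" % name)
        if not isinstance(entry, dict) or "kdc" not in entry:
            problems.append("realm %s has no kdc" % name)
    return problems


def check_keytab(path, owner_uid):
    """Return problems with the keytab's mode/owner; empty list when fine."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("%s is readable by group/others (mode %o)" % (path, mode))
    if mode & 0o200:  # the page asks for 400: owner read-only
        problems.append("%s is writable (mode %o)" % (path, mode))
    if st.st_uid != owner_uid:
        problems.append("%s owned by uid %d, expected %d" % (path, st.st_uid, owner_uid))
    return problems


def make_demo_keytab(mode):
    """Create a throw-away file with the given mode; returns (path, owner uid)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed, not a real keytab")
    os.chmod(f.name, mode)
    return f.name, os.getuid()


# Constructed sample: the [realms] block is named for a different realm
# than default_realm, so no KDC is known for EXAMPLE.COM.
SAMPLE_BAD = """\
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        ZARAFA.LOCAL = {
                kdc = dc.example.com
                admin_server = dc.example.com
        }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("ZARAFA.LOCAL", "EXAMPLE.COM")

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_realms(parse_krb5_conf(sample)) or "ok")
    path, uid = make_demo_keytab(0o400)
    print("keytab", check_keytab(path, uid) or "ok")
```

On a real host, read /etc/krb5.conf into parse_krb5_conf and pass /etc/httpd/conf/keytab together with the uid from pwd.getpwnam("apache") to check_keytab; an empty list from both functions means the file-level prerequisites for the Negotiate handshake are in place.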

Restart Apache to activate all changes:

service httpd restart

Zarafa configuration

To set up a Single Sign On environment for Zarafa Collaboration Platform, you need to create a trust between the Apache web server and the Zarafa Storage Server. The trust is necessary because WebAccess authentication is now handled by the Apache web server and no longer by the Zarafa Storage Server.

Change the following line in the /etc/zarafa/server.cfg file:

local_admin_users = root apache

To configure the Zarafa WebAccess for Single Sign On change the following option in the config.php file:

define("LOGINNAME_STRIP_DOMAIN", true);

Note: In this configuration we assume the Zarafa WebAccess is installed on the same server as the Zarafa Storage Server.

Restart the Zarafa-server processes to activate this change.

service zarafa-server restart
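With the trust in place, Apache (listed in local_admin_users) vouches for whatever identity mod_auth_kerb puts into REMOTE_USER, which is the full principal such as jdoe@EXAMPLE.COM; LOGINNAME_STRIP_DOMAIN makes WebAccess use the bare jdoe. The function below is an added illustration of what that strip has to get right, not Zarafa's own code: it accepts only the realm Apache is configured for (mirroring KrbAuthRealms), refuses service principals (host/..., HTTP/...), and refuses names outside the character set expected for an AD account name (the pattern is an assumption, not something the page specifies).

```python
"""Added example (not Zarafa code): deriving the WebAccess login name from
REMOTE_USER the way LOGINNAME_STRIP_DOMAIN implies, with the checks a
trusting backend should keep. Assumptions: mod_auth_kerb sets REMOTE_USER to
'user@REALM', and TRUSTED_REALMS mirrors the Apache KrbAuthRealms setting.
"""
import re

# Realms the web server authenticates for; mirrors KrbAuthRealms EXAMPLE.COM.
TRUSTED_REALMS = {"EXAMPLE.COM"}

# Assumed shape of an AD account name; adjust if your naming differs.
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,64}$")


class LoginRejected(ValueError):
    """Raised when REMOTE_USER must not be turned into a WebAccess login."""


def login_name_from_principal(remote_user, strip_domain=True,
                              trusted_realms=TRUSTED_REALMS):
    """Return the login name WebAccess should use for a Kerberos principal.

    With strip_domain=True (LOGINNAME_STRIP_DOMAIN) the realm is removed;
    otherwise 'user@REALM' is returned with the realm upper-cased.
    """
    if not remote_user:
        raise LoginRejected("empty REMOTE_USER")
    name, sep, realm = remote_user.rpartition("@")
    if not sep or not name or not realm:
        raise LoginRejected("not a user@REALM principal: %r" % remote_user)
    if realm.upper() not in trusted_realms:
        raise LoginRejected("untrusted realm %r" % realm)
    if "/" in name:  # host/..., HTTP/...: a service, not a WebAccess user
        raise LoginRejected("service principal is not a user: %r" % remote_user)
    if not USERNAME_RE.match(name.lower()):
        raise LoginRejected("unexpected characters in account name %r" % name)
    return name if strip_domain else "%s@%s" % (name, realm.upper())


def login_from_environ(environ, strip_domain=True):
    """Convenience wrapper over a CGI/WSGI-style environ dict from Apache."""
    return login_name_from_principal(environ.get("REMOTE_USER", ""), strip_domain)


if __name__ == "__main__":
    # Constructed sample REMOTE_USER values as Apache would hand them over.
    for ru in ("jdoe@EXAMPLE.COM", "jdoe@example.com", "jdoe",
               "jdoe@OTHER.REALM", "HTTP/zarafa.testdomain.com@EXAMPLE.COM"):
        try:
            print("%-45s -> %s" % (ru, login_name_from_principal(ru)))
        except LoginRejected as exc:
            print("%-45s -> rejected: %s" % (ru, exc))
```

The realm check looks redundant next to KrbAuthRealms, and on a correctly configured server it is; keeping it in the backend means a later change to the Apache configuration cannot silently widen which realms are allowed to log in to WebAccess.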


Web browser configuration

Before you can use Single Sign On in your browser, configure the following settings:

Firefox

  • Type in the addressbar about:config
  • Filter on auth
  • Change the options: network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris to .testdomain.com

Internet Explorer

  • Go to Tools -> Internet options -> Advanced
  • Make sure the option "Enable integrated Windows authentication" is enabled
  • Add the URL of the Zarafa server (http://zarafa.testdomain.com) to your "Local Intranet" sites


Restart your browser and open the Webaccess via the FQDN (http://zarafa.testdomain.com/webaccess). If the configuration is done correctly, the user will be logged in to the Webaccess without typing the username and password.


Apache and Zarafa on different servers

When Zarafa and Apache run on different servers it is NOT possible to connect the WebAccess to the Unix socket of the Zarafa server.

In this case you will need to set up SSL to create the trust between Apache and Zarafa. Please check our Administrator manual (the paragraph about SSL Certificates in the Multiserver chapter) for how to do this. You can find the Administrator manual on the community page or on the official portal.