EDIT: I posted a more detailed article on:
http://www.scalix.com/community/viewtopic.php?p=18604
please read and answer there
Hi,
I have some questions regarding some specific steps:
Step 8:
the AD user is "scalix-ual"(FirstName, DisplayName and User Logon Name).
I run this:
C:\Program Files\Support Tools>ktpass -princ scalix-ual/sca01.test.int@TEST.INT -mapuser scalix-ual -pass password -out scalix-ual.keytab -kvno 3
Targeting domain controller: w2k3std01.test.int
Using legacy password setting method
Successfully mapped scalix-ual/sca01.test.int to scalix-ual.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to scalix-ual.keytab:
Keytab version: 0x502
keysize 69 scalix-ual/sca01.test.int@TEST.INT ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x1aa2b5c696504e29baab22f3a2118473)
I think there are some problems: pType is not 1 and etype is RC4-HMAC instead of DES.
In fact, in the docs (Scalix Administration Guide v10.0.1) the output for the ktpass command should be:
Successfully mapped scalix-ual/scalixserver.acme.net to scalixual.
Key created.
Output keytab to scalix-ual.keytab:
Keytab version: 0x502
keysize 68 scalix-ual/scalixserver.acme.net@ACME.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xe6fb762ad01f8a9b)
Account has been set for DES-only encryption.
I tried to manually force the correct parameters with:
C:\Program Files\Support Tools>ktpass.exe -princ scalix-ual/sca01.test.int@TEST.INT -mapuser scalix-ual -pass password -out scalix-ual.keytab -kvno 3 -crypto DES-CBC-MD5 -desonly -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: w2k3std01.test.int
Using legacy password setting method
Successfully mapped scalix-ual/sca01.test.int to scalix-ual.
Key created.
Output keytab to scalix-ual.keytab:
Keytab version: 0x502
keysize 61 scalix-ual/sca01.test.int@TEST.INT ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xc4eaba894fda2554)
Is it correct?
Note that this is a Windows 2003 Std R2 English domain controller and that the AD domain name ("test.int") is the *same* as the Scalix server's (test.int)... could these be a source of problems?
---
Next, before actually importing the keytab file with ommergekeys/omkrbconf, I tried to authenticate from an outlook client with an AD user.
Users from the AD domain were correctly imported with omldapsync -u AD_SX1 (I can see the accounts with the SAC and with an LDAP Browser).
Scalix server did not ask me for a password! That is, it asked for credentials and I put
user1@test.int, but left the password blank... but it authenticated and let me see the mailbox! And this was the same for the SWA.
In Step 14, you say to modify /var/opt/scalix/sys/pam.d/ual.remote to modify the precedence of passwords.
One note: I expected to find this step in the Administration Guide in the "Integrating Scalix with Microsoft Active Directory" chapter and not (only) in the "Kerberos Authentication" one.
I merged the keytab files and modified the krb conf:
# ommergekeys /var/opt/scalix/scalix-ual.keytab
# omkrbconf -r TEST.INT -s scalixdc.test.int
-- scalixdc.test.int is a CNAME for w2k3std01.test.int, but I tried also with the A record... same results.
I modified the 4 files as indicated, but it does not work. That is, users are not allowed to login with a blank password nor with their real AD password.
I also tried with login name = user, user@test.int, user@TEST.INT, User Surname... none.
What did I do wrong?

Thank you in advance.
Davide DG.
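The post checks the keytab only by reading what ktpass prints (ptype, vno, etype, keysize). The following is an added example, not code from the forum post or from Scalix, that reads the keytab file itself (the standard version 0x502 layout that ktpass writes) and reports each key's principal, name type, kvno and enctype, so the same check can be repeated on the server before ommergekeys. The keytab bytes are constructed inline with dummy key material; the entry sizes come out as 69 and 61, matching the "keysize" values in the post's two ktpass runs. The weak-enctype flag is this example's own addition: single DES and RC4-HMAC are disabled by default on current KDCs and clients, which is worth knowing when a guide asks for DES-only keys.

```python
"""Parse a version 0x502 keytab and list its keys with warnings.
Added example; the sample keytab below is constructed, not real."""
import struct

# Enctype numbers (RFC 3961 / RFC 4757) for the values seen in ktpass output.
ENCTYPE_NAMES = {
    1: "DES-CBC-CRC",
    3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC",
}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES and RC4-HMAC
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST"}


def _counted_octet_string(buf, off):
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_entry(realm, components, name_type, kvno, enctype, key, timestamp=0):
    """Serialise one keytab entry: int32 size, then the entry body."""
    body = struct.pack(">H", len(components))  # component count (realm not counted in v2)
    for s in (realm, *components):
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key            # keyblock
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)


def parse_keytab(data):
    """Return a list of dicts, one per key entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:              # negative size marks a deleted (free) slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octet_string(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_octet_string(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        off += klen               # skip the key bytes themselves
        vno = vno8
        if end - off >= 4:        # optional 32-bit vno extension
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
            "keylength": klen,
            "size": size,
            "weak": enctype in WEAK_ENCTYPES,
        })
    return entries


def check_keytab(data):
    """One line per key, with the warnings a defender wants to see."""
    lines = []
    for e in parse_keytab(data):
        warn = []
        if e["weak"]:
            warn.append("weak enctype")
        if e["name_type"] != "KRB5_NT_PRINCIPAL":
            warn.append("ptype is not KRB5_NT_PRINCIPAL")
        flags = f"  [{'; '.join(warn)}]" if warn else ""
        lines.append(f"{e['principal']} kvno {e['kvno']} {e['enctype_name']} "
                     f"keylength {e['keylength']}{flags}")
    return lines


# Constructed sample: the shape of the two entries from the post's ktpass runs,
# with dummy key bytes in place of real key material.
SAMPLE_KEYTAB = build_keytab([
    build_entry("TEST.INT", ["scalix-ual", "sca01.test.int"], 0, 3, 23, bytes(range(16))),
    build_entry("TEST.INT", ["scalix-ual", "sca01.test.int"], 1, 3, 3, bytes(range(8))),
])

if __name__ == "__main__":
    for line in check_keytab(SAMPLE_KEYTAB):
        print(line)
```

To run it against a real file, replace SAMPLE_KEYTAB with the contents of the keytab (e.g. open("scalix-ual.keytab", "rb").read()); the reported principal, kvno and enctype should agree with what ktpass printed, and the kvno must match the account's current one on the domain controller or the server's key will be rejected.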