SSO with Active directory


mikevl
Scalix Star
Posts: 596
Joined: Mon Feb 02, 2004 8:32 pm
Location: New Zealand

SSO with Active directory

Postby mikevl » Sun Dec 31, 2006 9:45 pm

Hi

Just a few queries about SSO. I have SSO sort of working, but.
Environment: Scalix 11GA, RHEL4, Outlook 2003.

During creation of Outlook profiles I am still requested for username & PW. Once I enter these as per the Windows login and PW then all is well. But I should not get this prompt?

SWA works fine with the same login credentials OK.

How can I force the creation of AD users to produce an authid in Scalix which is the same as the pre-Windows 2000 login?
In order for single sign-on to operate, the authentication ID for a Scalix server mailbox
must match the domain identity (the ID in Active Directory) for the user. For
example, if jsmith@acme.net is the User Logon ID for a user in Active Directory,
enter the following on the Scalix Server:
ommodu -o jsmith --authid jsmith@ACME.NET

But a login of jsmith@acme.net would be an uncommon login. It is more likely to be just jsmith. Modifying the authid by hand for each user and each new user may be tedious; what is the solution here?

Thanks

Mike

carlPjohnson
Posts: 77
Joined: Sun Oct 29, 2006 4:55 pm

.. dns entries?

Postby carlPjohnson » Mon Jan 01, 2007 12:02 am

Did you add the scalix-default-mail entry that points to your Scalix box? This is essential for SSO in Outlook to work (as long as the machine that is running Outlook is on the Windows domain, of course!). Also, you will want to go and check your /var/opt/scalix/XX/X/logs/audit_log when you create the next profile; if something is still wrong, post the log so we can see what it is complaining about.

mikevl
Scalix Star
Posts: 596
Joined: Mon Feb 02, 2004 8:32 pm
Location: New Zealand

Postby mikevl » Mon Jan 01, 2007 12:23 am

Hi Carl thanks for helping

Yes, a CNAME record has been set up and resolves properly.

In a new client profile the default mail server seems to be the FQDN of the Scalix server instead of scalix-default-mail.
user-signon
time 1167625123 Mon Jan 1 17:18:43 2007 +780
user-agent-id
client-type 0 unlicensed
client-ip 192.168.10.226
user 146 Jody Krasden/rhel4/CN=Jody Krasden 60538 60538
signon-status 655

is the result of the audit log.

Thanks
Mike
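The audit_log excerpt above is a plain key/value record, and reading a few of them side by side is easier with a small parser. The following is an added example, not Scalix's own code or anything from this thread's posters. It assumes each record starts with a `user-signon` header line followed by `key value` lines (the shape shown above), and that the first token of `time` is epoch seconds. The sample record is constructed to match the one quoted; the meaning of particular `signon-status` values is not stated in the thread and is not assumed here, the code only surfaces them so they can be compared across attempts.

```python
"""Parse Scalix audit_log sign-on records of the shape quoted in this thread.

Added example, not Scalix code. Assumed record shape: a 'user-signon'
header line followed by 'key value' lines; the next header (or end of
input) closes the record. The meaning of signon-status values is not
stated in the thread and is not assumed here.
"""
from datetime import datetime, timezone

# Constructed sample, modelled on the record posted in this thread.
SAMPLE_LOG = """\
user-signon
time 1167625123 Mon Jan 1 17:18:43 2007 +780
user-agent-id
client-type 0 unlicensed
client-ip 192.168.10.226
user 146 Jody Krasden/rhel4/CN=Jody Krasden 60538 60538
signon-status 655
"""


def parse_signon_records(text):
    """Split audit_log text into a list of dicts, one per user-signon record."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "user-signon":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue  # skip anything before the first record header
        key, _, value = line.partition(" ")  # a key with no value yields ""
        current[key] = value
    return records


def signon_time_utc(record):
    """The 'time' field starts with epoch seconds; return it as an aware UTC datetime."""
    epoch = int(record["time"].split(" ", 1)[0])
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def summarize(record):
    """Pull out the fields a troubleshooter compares first between attempts."""
    status = record.get("signon-status")
    return {
        "user": record.get("user", ""),
        "client_ip": record.get("client-ip", ""),
        "client_type": record.get("client-type", ""),
        "status": int(status) if status is not None else None,
        "time_utc": signon_time_utc(record).isoformat(),
    }


def status_counts(records):
    """Count records per signon-status so a recurring failure code stands out."""
    counts = {}
    for rec in records:
        if "signon-status" in rec:
            code = int(rec["signon-status"])
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_signon_records(SAMPLE_LOG)
    for rec in recs:
        print(summarize(rec))
    print(status_counts(recs))
```

The epoch in the sample (1167625123) converts to 04:18:43 UTC, which is the logged local time of 17:18:43 minus the +780 minute offset on the same line; printing the UTC value alongside the Windows client's clock is a quick way to spot the clock skew that Kerberos rejects.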

carlPjohnson
Posts: 77
Joined: Sun Oct 29, 2006 4:55 pm

.. must be a "standard user"

Postby carlPjohnson » Mon Jan 01, 2007 1:52 pm

This seems like an easy one per the logs. I am guessing the user you are logged in as is a "standard" user and not a "premium" user. To use Outlook, you must be a "premium" user.

carlPjohnson
Posts: 77
Joined: Sun Oct 29, 2006 4:55 pm

.. auth id

Postby carlPjohnson » Mon Jan 01, 2007 1:57 pm

Also, onto the authids. Those are sucked in from A/D and I am not sure why you would want to alter these, other than for aesthetics. For a nicer SWA username you can always have the user log in with their email address instead.

mikevl
Scalix Star
Posts: 596
Joined: Mon Feb 02, 2004 8:32 pm
Location: New Zealand

Postby mikevl » Mon Jan 01, 2007 2:50 pm

Hi

The logs surprised me as well, but here is the info: the user is FULL.
[root@rhel4 ~]# omshowu -n "Jody Krasden/rhel4"
Authentication ID: jk
Globally Unique ID: w6/eW8PyxUKflj08DVy2cw==
User Name : Jody Krasden /CN=Jody Krasden
MailNode : rhel4
Internet Address : "Jody Krasden" <Jody.Krasden@dounsix.co.nz>
System Login : 60538
Password : unset
Admin Capabilities : NO
Mailbox Admin Capabilities : NO
Language : C
Mail Account: Unlocked
Last Signon : 01.01.07 14:29:35
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidying : NO
Recovery Folder visible : NO
User Class : Full
SIS URL : sxidx://rhel4.scalixplay.local/0c800000 ... 01.861.291

AuthID: Even under Outlook my system would not work until I put name@REALM as the username and the AD password in the authentication prompt. As it mentioned in the manual that the sign-in name needed to be the same as the authid, I assumed that no one would want to sign in as name@REALM. So that was easily fixed by changing the authid to be the same as the login name.

thanks

Mike

carlPjohnson
Posts: 77
Joined: Sun Oct 29, 2006 4:55 pm

.. kerberos will not work without the username@REALM format

Postby carlPjohnson » Mon Jan 01, 2007 6:02 pm

To my knowledge you must have the authid set as username@REALM to work with Kerberos-authenticated users, otherwise Kerberos has no idea what server to use to try and auth with.

mikevl
Scalix Star
Posts: 596
Joined: Mon Feb 02, 2004 8:32 pm
Location: New Zealand

Postby mikevl » Mon Jan 01, 2007 6:31 pm

Hi

I can change this back; changing the authid has not changed the result of not being able to provide SSO. The authid was originally loginname@REALM; changing it to loginname was just something I tried. Back to square one here.

OK this was a red herring then

I am stumped as to why SSO does not work.


Many thanks

Mike

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Tue Jan 02, 2007 6:15 am

You definitely need the AuthID to be username@REALM (also note lowercase for the username and uppercase for the REALM).

SSO must work during profile creation, otherwise it won't work at all; the profile is actually created as a SSO or non-SSO profile. For a SSO profile, no prompts for username should appear.

I believe if you go through all the forums here, you'll find plenty of information for possible troubleshooting steps.

Florian.
Florian von Kurnatowski, Die Harder!
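The rule stated in this thread (authid must be username@REALM, lowercase user, uppercase realm) and the `ommodu -o USER --authid AUTHID` command quoted from the manual in the first post are enough to script the authid check and the bulk fix that Mike asked about. The following is an added example, not Scalix's own tooling or code from any poster: it normalizes an AD logon name (bare sAMAccountName or a user@domain UPN) into that form, reports how an existing authid deviates from it, and emits the `ommodu` lines. The realm `ACME.NET` is taken from the manual's example; the user names are constructed.

```python
"""Build and check Scalix authids for Kerberos/AD single sign-on.

Added example, not Scalix code. It encodes the rule given in this thread:
the authid must be <logon name>@<REALM>, logon name lowercase, realm
uppercase. 'ommodu -o USER --authid AUTHID' is the command quoted from the
manual earlier in the thread; the realm and user names below are constructed.
"""
import shlex


def make_authid(logon_name, realm):
    """Return the SSO-form authid for a bare logon name or a UPN (user@domain)."""
    user, _, domain = logon_name.partition("@")
    if not user or "\\" in user:
        # DOMAIN\user (NetBIOS form) is not a logon name Kerberos understands here
        raise ValueError("expected a bare logon name or UPN, got %r" % logon_name)
    if domain and domain.upper() != realm.upper():
        raise ValueError("UPN suffix %s does not match realm %s" % (domain, realm))
    return "%s@%s" % (user.lower(), realm.upper())


def check_authid(authid, realm):
    """List the ways an existing authid deviates from the SSO form (empty = OK)."""
    problems = []
    user, sep, suffix = authid.partition("@")
    if not sep:
        return ["no @REALM suffix"]
    if user != user.lower():
        problems.append("user part is not lowercase")
    if suffix != suffix.upper():
        problems.append("realm is not uppercase")
    if suffix.upper() != realm.upper():
        problems.append("realm %s is not %s" % (suffix, realm.upper()))
    return problems


def ommodu_commands(mapping, realm):
    """One ommodu line per Scalix user; mapping is scalix_user -> AD logon name.

    The Scalix user name may contain spaces and a mailnode (e.g. 'Jody Krasden/rhel4'),
    so it is shell-quoted; the authid never needs quoting.
    """
    return [
        "ommodu -o %s --authid %s" % (shlex.quote(scalix_user), make_authid(logon, realm))
        for scalix_user, logon in sorted(mapping.items())
    ]


if __name__ == "__main__":
    # Constructed sample: realm from the manual's example, users illustrative only.
    REALM = "ACME.NET"
    for cmd in ommodu_commands({"jsmith": "jsmith", "Jody Krasden/rhel4": "jk"}, REALM):
        print(cmd)
    for existing in ("jk", "JSmith@acme.net", "jsmith@ACME.NET"):
        print(existing, "->", check_authid(existing, REALM) or "OK")
```

Run `check_authid` over the `Authentication ID` values from `omshowu` before touching anything; an authid of just `jk`, as shown earlier in the thread, fails the first check and matches the symptom of being prompted for credentials. Generate the `ommodu` lines to a file and review them before executing.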

mikevl
Scalix Star
Posts: 596
Joined: Mon Feb 02, 2004 8:32 pm
Location: New Zealand

Postby mikevl » Tue Jan 02, 2007 6:52 am

Hi Florian

Thanks for your reply. I have been scouring the forums without success. I have probably missed something small; I am not sure what it is at the moment. I had returned the authid back to loginname@REALM; the other was just an experiment in frustration.

Still without success.

Many thanks

Mike

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Tue Jan 02, 2007 7:09 am

Well, there are tons of things to check: clock synchronisation, proper domain membership of the client system in the AD domain, DNS issues, keytab creation and transfer, host OS (SLES/9 does not work for SSO), debugging using the kerbtray tool on the Windows side and/or klist/kinit/gssapic on the server side, etc. I'm pretty sure all of that is covered somewhere here, so repeating the whole exercise is not really an option. You might want to look in the Scalix Connect board; this will have more information than the server board, I believe (or use global search).

If you really need this to work quickly, I suggest that you purchase and open an incident with Scalix Support and they'll lead you through.

Cheers, sorry,
Florian.
Florian von Kurnatowski, Die Harder!

Karottenzuechter
Posts: 11
Joined: Thu Dec 14, 2006 3:10 pm

Postby Karottenzuechter » Thu Jan 04, 2007 10:27 am

You can also check your Outlook configuration and set security only to NTLM encryption; on Exchange proxy configuration it works well.
