The following must be done on both the domain controller and IceWarp Server:
- create an A record in your DNS for the webmail host name (e.g. mail.xmigrator.com)

- create a “link” user in Active Directory (AD). It must be located under the Users container, its password must not expire and “User must change password at next logon” must not be set. In this example we create the user http_sso@xmigrator.com (this is the userPrincipalName value before mapping).
- on the domain controller (AD), open the command line interface (CLI) and execute the following command (one line):

  ktpass -out c:\HTTP#mail.xmigrator.com@XMIGRATOR.COM -princ HTTP/mail.xmigrator.com@XMIGRATOR.COM -mapUser ssoiwwebmail@xmigrator.com -mapOp set -pass * -ptype KRB5_NT_PRINCIPAL

  Pay attention to the syntax, as it is case sensitive: keeping the correct upper/lower case is essential, and the AD domain (realm) must be written in capitals.
- move the file c:\HTTP#mail.xmigrator.com@XMIGRATOR.COM to the IceWarp Server (the most suitable location is install_path/config/_keytabs, but the location is not important at this point). Any file name can be used when generating the keytab file; this example already uses the name that IceWarp Server expects (explained later).

- on IceWarp Server go to the domain properties (domain mail.xmigrator.com in our example), open the Directory Service tab and enable SSO
- the Kerberos service name must be filled in according to the following pattern: <principal>/<icewarp_domain>@<AD_DOMAIN> (for our example: HTTP/mail.xmigrator.com@XMIGRATOR.COM). Notice how the service name and the keytab file name match: a slash is not allowed in a file name, so it is replaced with a hash sign.
- Remote account matching should be left at its default value, “Match with username”, as that usually works; the correct method depends on your directory service configuration
- the Manage keytabs.. button opens the content of the keytab folder, install_path/config/_keytabs; the keytab file generated on the domain controller earlier should be copied here. At this point the file must also be named accordingly, for our example HTTP#mail.xmigrator.com@XMIGRATOR.COM
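Before copying the keytab file to install_path/config/_keytabs it is worth confirming that ktpass actually wrote the principal you expect, with the name type and realm case that IceWarp will look for. The following script is an added example written for this article, not IceWarp's or Microsoft's code: it checks a service name against the <principal>/<icewarp_domain>@<AD_DOMAIN> pattern, derives the keytab file name (slash replaced by hash), and parses an MIT-format (version 0x0502) keytab such as the one ktpass produces. The build_keytab function and the key bytes inside it are a constructed sample so that the script runs offline; the file path and the AES256 enctype number 18 are assumptions for the example.

```python
import struct

# Name type written by "ktpass -ptype KRB5_NT_PRINCIPAL".
KRB5_NT_PRINCIPAL = 1


def check_service_name(service_name: str) -> list:
    """Return problems with a <principal>/<host>@<AD_DOMAIN> service name.

    An empty list means the name follows the pattern the article describes:
    a service type, a slash, the IceWarp host, an '@' and the AD realm in
    capitals.
    """
    problems = []
    if service_name.count("@") != 1:
        return ["service name must contain exactly one '@'"]
    princ_host, realm = service_name.split("@")
    if "/" not in princ_host:
        problems.append("missing '/' between service type and host")
    else:
        svc, host = princ_host.split("/", 1)
        if not svc or not host:
            problems.append("service type and host must both be non-empty")
    if realm != realm.upper():
        problems.append("AD domain (realm) must be written in capitals")
    return problems


def keytab_name_for(service_name: str) -> str:
    """File name IceWarp expects in config/_keytabs: '/' replaced by '#'."""
    return service_name.replace("/", "#")


def _octets(b: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principal: str, key: bytes, enctype: int, kvno: int,
                 timestamp: int = 0) -> bytes:
    """Construct a minimal version-0x0502 keytab with one entry.

    Sample input only (ktpass writes the real file); used to exercise the
    parser below without touching a domain controller.
    """
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for comp in comps:
        body += _octets(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Parse an MIT keytab (version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:            # deleted slot: skip |size| bytes
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_octets(data, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_octets(data, p)
            comps.append(comp.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _read_octets(data, p)
        if end - p >= 4:        # 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key_len": len(key),
        })
        pos = end
    return entries


def verify_keytab(data: bytes, expected_service_name: str) -> bool:
    """True if the keytab holds the exact principal (case included) that
    was entered as the Kerberos service name in IceWarp."""
    return any(e["principal"] == expected_service_name
               and e["name_type"] == KRB5_NT_PRINCIPAL
               for e in parse_keytab(data))


if __name__ == "__main__":
    service = "HTTP/mail.xmigrator.com@XMIGRATOR.COM"
    # Constructed sample: 32 zero-ish key bytes, enctype 18 (aes256-cts), kvno 3.
    sample = build_keytab(service, b"\x11" * 32, 18, 3, 1700000000)
    print("problems:", check_service_name(service) or "none")
    print("expected file name:", keytab_name_for(service))
    for entry in parse_keytab(sample):
        print(entry)
    print("keytab matches service name:", verify_keytab(sample, service))
```

To check a real file, replace the constructed sample with open("HTTP#mail.xmigrator.com@XMIGRATOR.COM", "rb").read(); a realm in the wrong case or a missing entry shows up immediately as verify_keytab returning False, which is the usual cause of SSO failing silently after the GUI steps are done.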

The following must be done on the client side:
- add the webmail URL to the trusted sites, in our case mail.xmigrator.com
- in Firefox, visit about:config, search for network.negotiate-auth.trusted-uris and add the site there

- in MSIE open the Internet Options dialog / Security tab / Trusted sites (uncheck the option requiring https:// for the zone if it is not needed). Additionally, the Integrated Windows Authentication feature must be enabled (it is by default and allows Kerberos)

Now you can try to browse the SSO dedicated URL of webmail (e.g. http://mail.xmigrator.com/webmail/sso). If all went well, webmail opens for the same user who is logged on to Windows. If not, the Kerberos logs become very useful; turn them on in the server Administration console: System / Logging / Debug tab / Kerberos.
known issues:
if the source LDIF attribute value used as the local username source contains a dash, you have to enable the checkbox “add AD login to alias” and set “remote account matching” to “match with alias”.
© a.rusek, o.vanek