Configuring SSO (Single Sign-on)

The following must be done on both the domain controller and IceWarp Server: 

• create type A record in your DNS for the URL of webmail (i.e. mail.xmigrator.com)

• create a “link” user in ActiveDirectory (AD) - it must be located under Users container and it must not have password expiration as well as change password on first logon set, for instance we create user: http_sso@xmigrator.com (userPrincipalName value before mapping)
• on the domain controller (AD), open command line interface (CLI) and execute the following command:
  ktpass out c:\HTTP#mail.xmigrator.com@XMIGRATOR.COM -princ HTTP/mail.xmigrator.com@XMIGRATOR.COM -mapUser ssoiwwebmail@xmigrator.com mapOp set pass * -ptype KRB5_NT_PRINCIPAL
  pay attention to syntax as it is case sensitive - to keep the correct upper / lower case is essential; AD domain should be written with capitals
• move file c:\HTTP#mail.xmigrator.com@XMIGRATOR.COM to IceWarp Server (the most suitable location is install_path/config/_keytabs, but it is not so important at this point); for the purpose of generating keytab file any file name can be used, however name that would be expected by IceWarp Server (explained later) is used in this example
  

• on IceWarp Server go to domain properties (domain mail.xmigrator.com in our example case) - tab Directory Service and enable SSO
• Kerberos service name must be filled in according to following pattern: <principal>/<icewarp_domain>@<AD_DOMAIN> (for our example it would be: HTTP/mail.xmigrator.com@XMIGRATOR.COM - notice how service name and keytab file name match (slash is not allowed in file name so it is replaced with hash sign)
• Remote account matching should be left at default value - “Match with username" - as that usually works but the method depends on your directory service configuration
  
• Manage keytabs.. button opens content of keytab folder which is install_path/config/_keytabs; the keytab file generated on domain controller earlier should be copied here. Also, the file must have its name set accordingly at this point, for our example it is HTTP#mail.xmigrator.com@XMIGRATOR.COM

The following must be done on the client side: 

• add webmail URL to trusted sites, for instance in our case mail.xmigrator.com
• in Firefox, visit about:config / search for network.negotiate-auth.trusted-uris and add the site there
  
  
  
  
• in MSIE open the Internet Options dialog / Security tab / Trusted sites (do not require https:// if not necessary). Additionally Integrated Windows Authentication feature must be allowed (default, will allow Kerberos)
  
  
  

Now you can try to browse SSO dedicated URL of webmail (i.e. http://mail.xmigrator.com/webmail/sso) - if all went good, webmail of the same user as the one logged on to OS Windows will open. If not, Kerberos logs will become very usefull; turn them on in server Administration console: System / Logging / Debug tab / Kerberos. 

 known issues:

if source LDIF attribute value used for local username source contains dash, you have to enable checkbox: "add AD login to alias" and set "remote account matching" on: "match with alias".

© a.rusek, o.vanek