Zarafa WebAccess Single Sign On configuration

From Zarafa wiki


Revision as of 11:09, 30 January 2010



This article describes how to set up Single Sign On for Zarafa WebAccess against an Active Directory domain controller. It is written for Red Hat Enterprise Linux, but can be used as a basis for other distributions.


It is assumed the following prerequisites are in place:

  • Red Hat server with Zarafa 6.30 or higher
  • Windows Server 2003 R2 or 2008 SP1 which is configured as domain controller
  • Windows XP or Vista client that has joined the Windows domain

In this example, the following servers and realms will be referenced:

  • AD Server
  • Linux Server
  • Kerberos Realm: EXAMPLE.COM

Active Directory configuration

Add a new user "httpd-linux" to your Active Directory. Make sure that you enable the option "Password never expires".

Install the Windows Support tools which include the ktpass.exe program. See [1] for the download of these tools.

Execute the following command to create a keytab file for the Apache webserver (replace the placeholder in the principal with the FQDN of your Linux server). Note that DES-CBC-MD5 is a weak encryption type that newer Windows versions disable by default, so a stronger -crypto value may be required in other environments.

 ktpass -princ HTTP/<fqdn of Linux server>@EXAMPLE.COM
  -mapuser EXAMPLE\httpd-linux -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
  -mapop set +desonly -pass secretpassword -out c:\keytab

Copy the keytab file to the directory /etc/httpd/conf/ on your Linux server.
You can use an scp client for this, such as WinSCP.

Apache configuration

Install the mod_auth_kerb Apache module.

 yum install mod_auth_kerb

Open the file /etc/httpd/conf.d/auth_kerb.conf. Add the following lines at the end of this file:

Alias /webaccess /usr/share/zarafa-webaccess
<Directory /usr/share/zarafa-webaccess>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Directory>

Set the permissions of the keytab file to 400 and change the owner to the Apache user:

 chmod 400 /etc/httpd/conf/keytab 
 chown apache.apache /etc/httpd/conf/keytab  

Open the file /etc/krb5.conf and insert the following lines in the sections shown (the domain_realm entries map the DNS domain of your servers to the Kerberos realm):

[libdefaults]
       default_realm = EXAMPLE.COM

[realms]
       EXAMPLE.COM = {
               kdc = <FQDN of domain controller>
               admin_server = <FQDN of domain controller>
       }

[domain_realm]
       .example.com = EXAMPLE.COM
       example.com = EXAMPLE.COM

Replace the kdc and admin_server placeholders with the FQDN of the domain controller.

Restart Apache to activate all changes.

service httpd restart
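As an added check, not part of the original article, the following shell script verifies the result of the steps above: the keytab permissions, the presence of the HTTP service principal in the keytab, a ticket request against the domain controller with that keytab, and the Negotiate challenge Apache should now send. It assumes GNU stat (as on RHEL), the MIT Kerberos client tools (klist, kinit) and curl; the WebAccess URL is passed to run_all.

```shell
#!/bin/sh
# Post-deployment checks for the keytab, krb5.conf and Apache setup above.
# Added example, not from the Zarafa wiki. Assumes GNU stat (as on RHEL),
# the MIT Kerberos client tools (klist, kinit) and curl.

# Return 0 only if the keytab exists, is mode 0400 and is owned by $2.
# Any other local user who can read it can act as the HTTP service.
check_keytab_perms() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "missing keytab: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") && user=$(stat -c '%U' "$f") || return 1
    [ "$mode" = "400" ] || { echo "$f: mode $mode, expected 400" >&2; return 1; }
    [ "$user" = "$owner" ] || { echo "$f: owner $user, expected $owner" >&2; return 1; }
}

# Return 0 if the keytab holds the HTTP/<fqdn>@REALM principal mod_auth_kerb
# will look up. klist -kt prints "slot timestamp principal": keep the last column.
check_keytab_principal() {
    klist -kt "$1" 2>/dev/null | awk '{print $NF}' | grep -qxF "HTTP/$(hostname -f)@$2"
}

# Obtain a ticket with the keytab in a throwaway credential cache. Success
# proves the key in the file matches the one AD generated for the mapped
# account; a wrong -pass or a later password reset makes this fail.
test_kdc_login() {
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc" kinit -kt "$1" "HTTP/$(hostname -f)@$2"; rc=$?
    rm -f "$cc"; return $rc
}

# Confirm Apache answers an anonymous request with a Negotiate (SPNEGO)
# challenge, i.e. the <Directory> block is active for the WebAccess URL.
check_negotiate_challenge() {
    curl -s -o /dev/null -D - "$1" | grep -qi '^WWW-Authenticate: Negotiate'
}

# Run every check against the local deployment.
# Usage: run_all http://<fqdn of Linux server>/webaccess
run_all() {
    keytab=/etc/httpd/conf/keytab; realm=EXAMPLE.COM; rc=0
    check_keytab_perms "$keytab" apache || rc=1
    check_keytab_principal "$keytab" "$realm" || { echo "HTTP/$(hostname -f)@$realm not in keytab" >&2; rc=1; }
    test_kdc_login "$keytab" "$realm" || { echo "kinit with keytab failed" >&2; rc=1; }
    check_negotiate_challenge "$1" || { echo "no Negotiate challenge from $1" >&2; rc=1; }
    return $rc
}
```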

Zarafa configuration

To set up a Single Sign On environment with the Zarafa Collaboration Platform, you need to establish a trust between the Apache webserver and the Zarafa Storage Server. The trust is necessary because WebAccess authentication is then handled by the Apache webserver rather than by the Zarafa Storage Server.

Change the following line in the /etc/zarafa/server.cfg file:

local_admin_users = root apache

In this configuration we assume the Zarafa WebAccess is installed on the same server as the Zarafa Storage Server. To configure the Zarafa WebAccess for Single Sign On, change the following option in the config.php file:


Restart the Zarafa-server processes to activate this change.

service zarafa-server restart

Webbrowser configuration

Before you can use Single Sign On in your browser, configure the following settings:

Firefox

  • Type in the addressbar about:config
  • Filter on auth
  • Change the options: network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris to

Internet Explorer

  • Go to Tools -> Internet options -> Advanced
  • Make sure the option "Enable integrated Windows authentication" is enabled
  • Add the url of the Zarafa server ( to your "Local Intranet" sites

Restart your browser and open the WebAccess via the FQDN ( If the configuration is correct, the WebAccess logs you in without asking for a username and password.
