Problem with user login via SSO

Infos:

  • Used Zammad version: 4.0.0
  • Used Zammad installation type: package
  • Operating system: Ubuntu Linux 20.04 LTS
  • Browser + version: MS Edge, Mozilla Firefox, Internet Explorer 11

Expected behavior:

Single Sign on for Zammad-Users, Users imported in Zammad by LDAP

Actual behavior:

Click on the SSO button, forwarding to zammad-url / auth / sso

shows login window to enter username and password

Steps to reproduce the behavior:

Hello,
I’m new to Zammad. We want to use Zammad for our tickets. We would like to sign on via SSO, but this doesn’t work. Here are our config files.

apache2 error.log


[Thu May 13 00:07:29.187774 2021] [ssl:info] [pid 14497:tid 139924254746368] [client 10.1.5.1:51667] AH01964: Connection to child 18 established (server zammad-server.test.de:443)
[Thu May 13 00:07:29.188089 2021] [ssl:debug] [pid 14497:tid 139924254746368] ssl_engine_kernel.c(2372): [client 10.1.5.1:51667] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:29.188104 2021] [ssl:debug] [pid 14497:tid 139924254746368] ssl_engine_kernel.c(2372): [client 10.1.5.1:51667] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:29.188110 2021] [core:debug] [pid 14497:tid 139924254746368] protocol.c(2313): [client 10.1.5.1:51667] AH03155: select protocol from , choices=h2,http/1.1 for server zammad-server.test.de
[Thu May 13 00:07:29.188121 2021] [ssl:info] [pid 14497:tid 139924246353664] [client 10.1.5.1:51666] AH01964: Connection to child 19 established (server zammad-server.test.de:443)
[Thu May 13 00:07:29.188272 2021] [ssl:debug] [pid 14497:tid 139924246353664] ssl_engine_kernel.c(2372): [client 10.1.5.1:51666] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:29.188285 2021] [ssl:debug] [pid 14497:tid 139924246353664] ssl_engine_kernel.c(2372): [client 10.1.5.1:51666] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:29.188290 2021] [core:debug] [pid 14497:tid 139924246353664] protocol.c(2313): [client 10.1.5.1:51666] AH03155: select protocol from , choices=h2,http/1.1 for server zammad-server.test.de
[Thu May 13 00:07:29.189057 2021] [socache_shmcb:debug] [pid 14497:tid 139924254746368] mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x07 → subcache 7)
[Thu May 13 00:07:29.189070 2021] [socache_shmcb:debug] [pid 14497:tid 139924254746368] mod_socache_shmcb.c(939): AH00852: possible match at idx=0, data=0
[Thu May 13 00:07:29.189075 2021] [socache_shmcb:debug] [pid 14497:tid 139924254746368] mod_socache_shmcb.c(944): AH00853: shmcb_subcache_remove removing matching entry
[Thu May 13 00:07:29.189079 2021] [socache_shmcb:debug] [pid 14497:tid 139924254746368] mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully
[Thu May 13 00:07:29.189089 2021] [ssl:info] [pid 14497:tid 139924254746368] [client 10.1.5.1:51667] AH02008: SSL library error 1 in handshake (server zammad-server.test.de:443)
[Thu May 13 00:07:29.189108 2021] [ssl:info] [pid 14497:tid 139924254746368] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Thu May 13 00:07:29.189132 2021] [ssl:info] [pid 14497:tid 139924254746368] [client 10.1.5.1:51667] AH01998: Connection closed to child 18 with abortive shutdown (server zammad-server.test.de:443)
[Thu May 13 00:07:29.190674 2021] [ssl:info] [pid 14497:tid 139924246353664] [client 10.1.5.1:51666] AH02008: SSL library error 1 in handshake (server zammad-server.test.de:443)
[Thu May 13 00:07:29.190700 2021] [ssl:info] [pid 14497:tid 139924246353664] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Thu May 13 00:07:29.190705 2021] [ssl:info] [pid 14497:tid 139924246353664] [client 10.1.5.1:51666] AH01998: Connection closed to child 19 with abortive shutdown (server zammad-server.test.de:443)
[Thu May 13 00:07:29.192847 2021] [ssl:info] [pid 14497:tid 139925051660032] [client 10.1.5.1:51668] AH01964: Connection to child 4 established (server zammad-server.test.de:443)
[Thu May 13 00:07:29.192944 2021] [ssl:debug] [pid 14497:tid 139925051660032] ssl_engine_kernel.c(2372): [client 10.1.5.1:51668] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:29.192953 2021] [ssl:debug] [pid 14497:tid 139925051660032] ssl_engine_kernel.c(2372): [client 10.1.5.1:51668] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:29.192956 2021] [core:debug] [pid 14497:tid 139925051660032] protocol.c(2313): [client 10.1.5.1:51668] AH03155: select protocol from , choices=h2,http/1.1 for server zammad-server.test.de
[Thu May 13 00:07:29.194561 2021] [ssl:debug] [pid 14497:tid 139925051660032] ssl_engine_kernel.c(2254): [client 10.1.5.1:51668] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
[Thu May 13 00:07:29.194618 2021] [socache_shmcb:debug] [pid 14497:tid 139925051660032] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xb9 → subcache 25)
[Thu May 13 00:07:29.194638 2021] [socache_shmcb:debug] [pid 14497:tid 139925051660032] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32)
[Thu May 13 00:07:29.194642 2021] [socache_shmcb:debug] [pid 14497:tid 139925051660032] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/208
[Thu May 13 00:07:29.194645 2021] [socache_shmcb:debug] [pid 14497:tid 139925051660032] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully
[Thu May 13 00:07:29.194714 2021] [socache_shmcb:debug] [pid 14497:tid 139925051660032] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xff → subcache 31)
[Thu May 13 00:07:29.194731 2021] [socache_shmcb:debug] [pid 14497:tid 139925051660032] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32)
[Thu May 13 00:07:29.194734 2021] [socache_shmcb:debug] [pid 14497:tid 139925051660032] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/209
[Thu May 13 00:07:29.194737 2021] [socache_shmcb:debug] [pid 14497:tid 139925051660032] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully
[Thu May 13 00:07:29.204546 2021] [ssl:debug] [pid 14497:tid 139925051660032] ssl_engine_kernel.c(415): [client 10.1.5.1:51668] AH02034: Initial (No.1) HTTPS request received for child 4 (server zammad-server.test.de:443), referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.204575 2021] [authz_core:debug] [pid 14497:tid 139925051660032] mod_authz_core.c(817): [client 10.1.5.1:51668] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.204580 2021] [authz_core:debug] [pid 14497:tid 139925051660032] mod_authz_core.c(817): [client 10.1.5.1:51668] AH01626: authorization result of : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.204589 2021] [auth_kerb:debug] [pid 14497:tid 139925051660032] src/mod_auth_kerb.c(1963): [client 10.1.5.1:51668] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220045 2021] [ssl:debug] [pid 14497:tid 139924229568256] ssl_engine_kernel.c(415): [client 10.1.5.1:51668] AH02034: Subsequent (No.2) HTTPS request received for child 21 (server zammad-server.test.de:443), referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220066 2021] [authz_core:debug] [pid 14497:tid 139924229568256] mod_authz_core.c(817): [client 10.1.5.1:51668] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220071 2021] [authz_core:debug] [pid 14497:tid 139924229568256] mod_authz_core.c(817): [client 10.1.5.1:51668] AH01626: authorization result of : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220077 2021] [auth_kerb:debug] [pid 14497:tid 139924229568256] src/mod_auth_kerb.c(1963): [client 10.1.5.1:51668] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220107 2021] [auth_kerb:debug] [pid 14497:tid 139924229568256] src/mod_auth_kerb.c(1296): [client 10.1.5.1:51668] Acquiring creds for HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN, referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220670 2021] [auth_kerb:debug] [pid 14497:tid 139924229568256] src/mod_auth_kerb.c(1719): [client 10.1.5.1:51668] Verifying client data using KRB5 GSS-API , referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220679 2021] [auth_kerb:debug] [pid 14497:tid 139924229568256] src/mod_auth_kerb.c(1735): [client 10.1.5.1:51668] Client didn’t delegate us their credential, referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220683 2021] [auth_kerb:debug] [pid 14497:tid 139924229568256] src/mod_auth_kerb.c(1763): [client 10.1.5.1:51668] Warning: received token seems to be NTLM, which isn’t supported by the Kerberos module. Check your IE configuration., referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220688 2021] [auth_kerb:debug] [pid 14497:tid 139924229568256] src/mod_auth_kerb.c(1156): [client 10.1.5.1:51668] GSS-API major_status:00010000, minor_status:00000000, referer: https://zammad-server.test.de/
[Thu May 13 00:07:29.220694 2021] [auth_kerb:error] [pid 14497:tid 139924229568256] [client 10.1.5.1:51668] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.534935 2021] [ssl:debug] [pid 14497:tid 139924221175552] ssl_engine_kernel.c(415): [client 10.1.5.1:51668] AH02034: Subsequent (No.3) HTTPS request received for child 22 (server zammad-server.test.de:443), referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.534986 2021] [authz_core:debug] [pid 14497:tid 139924221175552] mod_authz_core.c(817): [client 10.1.5.1:51668] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.534992 2021] [authz_core:debug] [pid 14497:tid 139924221175552] mod_authz_core.c(817): [client 10.1.5.1:51668] AH01626: authorization result of : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.535002 2021] [auth_kerb:debug] [pid 14497:tid 139924221175552] src/mod_auth_kerb.c(1963): [client 10.1.5.1:51668] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.535105 2021] [auth_kerb:debug] [pid 14497:tid 139924221175552] src/mod_auth_kerb.c(1046): [client 10.1.5.1:51668] Using HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN as server principal for password verification, referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.535113 2021] [auth_kerb:debug] [pid 14497:tid 139924221175552] src/mod_auth_kerb.c(752): [client 10.1.5.1:51668] Trying to get TGT for user domuser@TEST.INTERN, referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.536044 2021] [ssl:info] [pid 14497:tid 139924212782848] [client 10.1.5.1:51673] AH01964: Connection to child 23 established (server zammad-server.test.de:443)
[Thu May 13 00:07:32.536217 2021] [ssl:debug] [pid 14497:tid 139924212782848] ssl_engine_kernel.c(2372): [client 10.1.5.1:51673] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:32.536227 2021] [ssl:debug] [pid 14497:tid 139924212782848] ssl_engine_kernel.c(2372): [client 10.1.5.1:51673] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:32.536231 2021] [core:debug] [pid 14497:tid 139924212782848] protocol.c(2313): [client 10.1.5.1:51673] AH03155: select protocol from , choices=http/1.1 for server zammad-server.test.de
[Thu May 13 00:07:32.537203 2021] [socache_shmcb:debug] [pid 14497:tid 139924212782848] mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0xff → subcache 31)
[Thu May 13 00:07:32.537213 2021] [socache_shmcb:debug] [pid 14497:tid 139924212782848] mod_socache_shmcb.c(939): AH00852: possible match at idx=0, data=0
[Thu May 13 00:07:32.537216 2021] [socache_shmcb:debug] [pid 14497:tid 139924212782848] mod_socache_shmcb.c(944): AH00853: shmcb_subcache_remove removing matching entry
[Thu May 13 00:07:32.537219 2021] [socache_shmcb:debug] [pid 14497:tid 139924212782848] mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully
[Thu May 13 00:07:32.537225 2021] [ssl:info] [pid 14497:tid 139924212782848] [client 10.1.5.1:51673] AH02008: SSL library error 1 in handshake (server zammad-server.test.de:443)
[Thu May 13 00:07:32.537237 2021] [ssl:info] [pid 14497:tid 139924212782848] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Thu May 13 00:07:32.537242 2021] [ssl:info] [pid 14497:tid 139924212782848] [client 10.1.5.1:51673] AH01998: Connection closed to child 23 with abortive shutdown (server zammad-server.test.de:443)
[Thu May 13 00:07:32.556397 2021] [auth_kerb:debug] [pid 14497:tid 139924221175552] src/mod_auth_kerb.c(662): [client 10.1.5.1:51668] Trying to verify authenticity of KDC using principal HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN, referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.562779 2021] [auth_kerb:debug] [pid 14497:tid 139924221175552] src/mod_auth_kerb.c(705): [client 10.1.5.1:51668] krb5_rd_req() failed when verifying KDC, referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.562800 2021] [auth_kerb:error] [pid 14497:tid 139924221175552] [client 10.1.5.1:51668] failed to verify krb5 credentials: Decrypt integrity check failed, referer: https://zammad-server.test.de/
[Thu May 13 00:07:32.562806 2021] [auth_kerb:debug] [pid 14497:tid 139924221175552] src/mod_auth_kerb.c(1128): [client 10.1.5.1:51668] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: https://zammad-server.test.de/
[Thu May 13 00:07:36.715086 2021] [ssl:debug] [pid 14497:tid 139924120528640] ssl_engine_kernel.c(415): [client 10.1.5.1:51668] AH02034: Subsequent (No.4) HTTPS request received for child 24 (server zammad-server.test.de:443), referer: https://zammad-server.test.de/
[Thu May 13 00:07:36.715142 2021] [authz_core:debug] [pid 14497:tid 139924120528640] mod_authz_core.c(817): [client 10.1.5.1:51668] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:36.715148 2021] [authz_core:debug] [pid 14497:tid 139924120528640] mod_authz_core.c(817): [client 10.1.5.1:51668] AH01626: authorization result of : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:36.715158 2021] [auth_kerb:debug] [pid 14497:tid 139924120528640] src/mod_auth_kerb.c(1963): [client 10.1.5.1:51668] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammad-server.test.de/
[Thu May 13 00:07:36.715293 2021] [auth_kerb:debug] [pid 14497:tid 139924120528640] src/mod_auth_kerb.c(1046): [client 10.1.5.1:51668] Using HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN as server principal for password verification, referer: https://zammad-server.test.de/
[Thu May 13 00:07:36.715314 2021] [auth_kerb:debug] [pid 14497:tid 139924120528640] src/mod_auth_kerb.c(752): [client 10.1.5.1:51668] Trying to get TGT for user testdomuser@TEST.INTERN, referer: https://zammad-server.test.de/
[Thu May 13 00:07:36.715744 2021] [ssl:info] [pid 14534:tid 139924154066688] [client 10.1.5.1:51674] AH01964: Connection to child 149 established (server zammad-server.test.de:443)
[Thu May 13 00:07:36.715930 2021] [ssl:debug] [pid 14534:tid 139924154066688] ssl_engine_kernel.c(2372): [client 10.1.5.1:51674] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:36.715940 2021] [ssl:debug] [pid 14534:tid 139924154066688] ssl_engine_kernel.c(2372): [client 10.1.5.1:51674] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:36.715944 2021] [core:debug] [pid 14534:tid 139924154066688] protocol.c(2313): [client 10.1.5.1:51674] AH03155: select protocol from , choices=http/1.1 for server zammad-server.test.de
[Thu May 13 00:07:36.716817 2021] [socache_shmcb:debug] [pid 14534:tid 139924154066688] mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0xb9 → subcache 25)
[Thu May 13 00:07:36.716831 2021] [socache_shmcb:debug] [pid 14534:tid 139924154066688] mod_socache_shmcb.c(939): AH00852: possible match at idx=0, data=0
[Thu May 13 00:07:36.716834 2021] [socache_shmcb:debug] [pid 14534:tid 139924154066688] mod_socache_shmcb.c(944): AH00853: shmcb_subcache_remove removing matching entry
[Thu May 13 00:07:36.716838 2021] [socache_shmcb:debug] [pid 14534:tid 139924154066688] mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully
[Thu May 13 00:07:36.716844 2021] [ssl:info] [pid 14534:tid 139924154066688] [client 10.1.5.1:51674] AH02008: SSL library error 1 in handshake (server zammad-server.test.de:443)
[Thu May 13 00:07:36.716857 2021] [ssl:info] [pid 14534:tid 139924154066688] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Thu May 13 00:07:36.716862 2021] [ssl:info] [pid 14534:tid 139924154066688] [client 10.1.5.1:51674] AH01998: Connection closed to child 149 with abortive shutdown (server zammad-server.test.de:443)
[Thu May 13 00:07:36.721273 2021] [auth_kerb:error] [pid 14497:tid 139924120528640] [client 10.1.5.1:51668] krb5_get_init_creds_password() failed: Client not found in Kerberos database, referer: https://zammad-server.test.de/
[Thu May 13 00:07:36.721286 2021] [auth_kerb:debug] [pid 14497:tid 139924120528640] src/mod_auth_kerb.c(1128): [client 10.1.5.1:51668] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: https://zammad-server.test.de/
[Thu May 13 00:07:41.725255 2021] [ssl:debug] [pid 14497:tid 139924237960960] ssl_engine_io.c(1102): [client 10.1.5.1:51668] AH02001: Connection closed to child 20 with standard shutdown (server zammad-server.test.de:443)
[Thu May 13 00:07:46.742108 2021] [ssl:info] [pid 14534:tid 139924145673984] [client 10.1.5.1:51676] AH01964: Connection to child 150 established (server zammad-server.test.de:443)
[Thu May 13 00:07:46.742303 2021] [ssl:debug] [pid 14534:tid 139924145673984] ssl_engine_kernel.c(2372): [client 10.1.5.1:51676] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:46.742313 2021] [ssl:debug] [pid 14534:tid 139924145673984] ssl_engine_kernel.c(2372): [client 10.1.5.1:51676] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:46.742317 2021] [core:debug] [pid 14534:tid 139924145673984] protocol.c(2313): [client 10.1.5.1:51676] AH03155: select protocol from , choices=http/1.1 for server zammad-server.test.de
[Thu May 13 00:07:46.743363 2021] [ssl:info] [pid 14534:tid 139924137281280] [client 10.1.5.1:51677] AH01964: Connection to child 151 established (server zammad-server.test.de:443)
[Thu May 13 00:07:46.743450 2021] [ssl:debug] [pid 14534:tid 139924137281280] ssl_engine_kernel.c(2372): [client 10.1.5.1:51677] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:46.743478 2021] [ssl:debug] [pid 14534:tid 139924137281280] ssl_engine_kernel.c(2372): [client 10.1.5.1:51677] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:46.743481 2021] [core:debug] [pid 14534:tid 139924137281280] protocol.c(2313): [client 10.1.5.1:51677] AH03155: select protocol from , choices=http/1.1 for server zammad-server.test.de
[Thu May 13 00:07:46.744552 2021] [ssl:info] [pid 14534:tid 139924145673984] [client 10.1.5.1:51676] AH02008: SSL library error 1 in handshake (server zammad-server.test.de:443)
[Thu May 13 00:07:46.744575 2021] [ssl:info] [pid 14534:tid 139924145673984] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Thu May 13 00:07:46.744581 2021] [ssl:info] [pid 14534:tid 139924145673984] [client 10.1.5.1:51676] AH01998: Connection closed to child 150 with abortive shutdown (server zammad-server.test.de:443)
[Thu May 13 00:07:46.745134 2021] [ssl:info] [pid 14534:tid 139924137281280] [client 10.1.5.1:51677] AH02008: SSL library error 1 in handshake (server zammad-server.test.de:443)
[Thu May 13 00:07:46.745146 2021] [ssl:info] [pid 14534:tid 139924137281280] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Thu May 13 00:07:46.745150 2021] [ssl:info] [pid 14534:tid 139924137281280] [client 10.1.5.1:51677] AH01998: Connection closed to child 151 with abortive shutdown (server zammad-server.test.de:443)
[Thu May 13 00:07:46.746928 2021] [ssl:info] [pid 14534:tid 139924128888576] [client 10.1.5.1:51678] AH01964: Connection to child 152 established (server zammad-server.test.de:443)
[Thu May 13 00:07:46.747026 2021] [ssl:debug] [pid 14534:tid 139924128888576] ssl_engine_kernel.c(2372): [client 10.1.5.1:51678] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:46.747035 2021] [ssl:debug] [pid 14534:tid 139924128888576] ssl_engine_kernel.c(2372): [client 10.1.5.1:51678] AH02043: SSL virtual host for servername zammad-server.test.de found
[Thu May 13 00:07:46.747038 2021] [core:debug] [pid 14534:tid 139924128888576] protocol.c(2313): [client 10.1.5.1:51678] AH03155: select protocol from , choices=http/1.1 for server zammad-server.test.de
[Thu May 13 00:07:46.748633 2021] [ssl:debug] [pid 14534:tid 139924128888576] ssl_engine_kernel.c(2254): [client 10.1.5.1:51678] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
[Thu May 13 00:07:46.748697 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xa2 → subcache 2)
[Thu May 13 00:07:46.748708 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(730): AH00842: expiring 1 and reclaiming 0 removed socache entries
[Thu May 13 00:07:46.748712 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries
[Thu May 13 00:07:46.748715 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32)
[Thu May 13 00:07:46.748717 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/209
[Thu May 13 00:07:46.748720 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully
[Thu May 13 00:07:46.748786 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0x95 → subcache 21)
[Thu May 13 00:07:46.748793 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(730): AH00842: expiring 1 and reclaiming 0 removed socache entries
[Thu May 13 00:07:46.748796 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries
[Thu May 13 00:07:46.748805 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32)
[Thu May 13 00:07:46.748808 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/209
[Thu May 13 00:07:46.748810 2021] [socache_shmcb:debug] [pid 14534:tid 139924128888576] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully
[Thu May 13 00:07:46.765906 2021] [ssl:debug] [pid 14534:tid 139924128888576] ssl_engine_kernel.c(415): [client 10.1.5.1:51678] AH02034: Initial (No.1) HTTPS request received for child 152 (server zammad-server.test.de:443), referer: https://zammad-server.test.de/
[Thu May 13 00:07:46.765936 2021] [authz_core:debug] [pid 14534:tid 139924128888576] mod_authz_core.c(817): [client 10.1.5.1:51678] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:46.765941 2021] [authz_core:debug] [pid 14534:tid 139924128888576] mod_authz_core.c(817): [client 10.1.5.1:51678] AH01626: authorization result of : denied (no authenticated user yet), referer: https://zammad-server.test.de/
[Thu May 13 00:07:46.765951 2021] [auth_kerb:debug] [pid 14534:tid 139924128888576] src/mod_auth_kerb.c(1963): [client 10.1.5.1:51678] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammad-server.test.de/
[Thu May 13 00:07:46.766178 2021] [auth_kerb:debug] [pid 14534:tid 139924128888576] src/mod_auth_kerb.c(1046): [client 10.1.5.1:51678] Using HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN as server principal for password verification, referer: https://zammad-server.test.de/
[Thu May 13 00:07:46.766187 2021] [auth_kerb:debug] [pid 14534:tid 139924128888576] src/mod_auth_kerb.c(752): [client 10.1.5.1:51678] Trying to get TGT for user test.interndomuser@TEST.INTERN, referer: https://zammad-server.test.de/
[Thu May 13 00:07:46.772420 2021] [auth_kerb:error] [pid 14534:tid 139924128888576] [client 10.1.5.1:51678] krb5_get_init_creds_password() failed: Client not found in Kerberos database, referer: https://zammad-server.test.de/
[Thu May 13 00:07:46.772433 2021] [auth_kerb:debug] [pid 14534:tid 139924128888576] src/mod_auth_kerb.c(1128): [client 10.1.5.1:51678] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: https://zammad-server.test.de/
[Thu May 13 00:07:51.776726 2021] [ssl:debug] [pid 14534:tid 139925195859712] ssl_engine_io.c(1102): [client 10.1.5.1:51678] AH02001: Connection closed to child 128 with standard shutdown (server zammad-server.test.de:443)

apache2 site config zammad.conf


<VirtualHost *:443>
LogLevel debug
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

SSLCertificateFile /etc/ssl/certs/zammad-server.pem
SSLCertificateKeyFile /etc/ssl/private/zammad-server.key
SSLCertificateChainFile /etc/ssl/certs/root.cert.cer
SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem

# replace 'localhost' with your fqdn if you want to use zammad from remote
ServerName zammad-server.test.de

## don't loose time with IP address lookups
HostnameLookups Off

## needed for named virtual hosts
UseCanonicalName Off

## configures the footer on server-generated documents
ServerSignature Off

ProxyRequests Off
ProxyPreserveHost On

<Proxy 127.0.0.1:3000>
  Require local
</Proxy>
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on

ProxyPass /assets !
ProxyPass /favicon.ico !
ProxyPass /apple-touch-icon.png !
ProxyPass /robots.txt !
ProxyPass /ws ws://127.0.0.1:6042/
ProxyPass / http://127.0.0.1:3000/

# change this line in an SSO setup
RequestHeader unset X-Forwarded-User

# Use settings below if proxying does not work and you receive HTTP-Errror 404
# if you use the settings below, make sure to comment out the above two options
# This may not apply to all systems, applies to openSuse
#ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On"
#ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On"

DocumentRoot "/opt/zammad/public"

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/opt/zammad/public">
    Options FollowSymLinks
      Require all granted
</Directory>

<LocationMatch "/auth/sso">
SSLRequireSSL
AuthType Kerberos
AuthName "Your Zammad"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms TEST.INTERN
KrbLocalUserMapping on # strips @REALM suffix from REMOTE_USER variable
KrbServiceName HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN
Krb5KeyTab /etc/apache2/zammad2.keytab
require valid-user

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User "%{RU}e" env=RU
</LocationMatch>
</VirtualHost>

zammad2.keytab
Keytab name: FILE:/etc/apache2/zammad2.keytab
KVNO Timestamp Principal


2 05/12/21 23:10:51 HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN (aes256-cts-hmac-sha1-96)

krb5.conf:

[libdefaults]
default_realm = TEST.INTERN

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

default_tgs_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96

# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
TEST.INTERN = {
kdc = dc1.test.intern
kdc = dc2.test.intern
admin_server = TEST.INTERN
default_domain = TEST.INTERN
}

ATHENA.MIT.EDU = {
	kdc = kerberos.mit.edu
	kdc = kerberos-1.mit.edu
	kdc = kerberos-2.mit.edu:88
	admin_server = kerberos.mit.edu
	default_domain = mit.edu
}
ZONE.MIT.EDU = {
	kdc = casio.mit.edu
	kdc = seiko.mit.edu
	admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
	admin_server = kerberos.csail.mit.edu
	default_domain = csail.mit.edu
}
IHTFP.ORG = {
	kdc = kerberos.ihtfp.org
	admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
	kdc = kerberos.1ts.org
	admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
	admin_server = kerberos.andrew.cmu.edu
	default_domain = andrew.cmu.edu
}
    CS.CMU.EDU = {
            kdc = kerberos-1.srv.cs.cmu.edu
            kdc = kerberos-2.srv.cs.cmu.edu
            kdc = kerberos-3.srv.cs.cmu.edu
            admin_server = kerberos.cs.cmu.edu
    }
DEMENTIA.ORG = {
	kdc = kerberos.dementix.org
	kdc = kerberos2.dementix.org
	admin_server = kerberos.dementix.org
}
stanford.edu = {
	kdc = krb5auth1.stanford.edu
	kdc = krb5auth2.stanford.edu
	kdc = krb5auth3.stanford.edu
	master_kdc = krb5auth1.stanford.edu
	admin_server = krb5-admin.stanford.edu
	default_domain = stanford.edu
}
    UTORONTO.CA = {
            kdc = kerberos1.utoronto.ca
            kdc = kerberos2.utoronto.ca
            kdc = kerberos3.utoronto.ca
            admin_server = kerberos1.utoronto.ca
            default_domain = utoronto.ca
}

[domain_realm]
.test.intern = TEST.INTERN
test.intern = TEST.INTERN
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU

spn on DC

setspn -L TEST\LDAP-USER-ZAMMAD

    HTTP/ZAMMAD-SERVER.TEST.INTERN
    HTTP/ZAMMAD-SERVER

Hopefully someone can help me, thanks
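
A triage pass over the error.log from the question, as an added example (not code from the thread or from Zammad): it groups the mod_auth_kerb failures by cause and compares the host the browser connected to with the host in the service principal. The sample lines are shortened copies of log lines from the post; the function and rule names are made up for this example.

```python
import re
from collections import Counter

# Shortened copies of lines from the error.log in the post (referer suffix dropped).
SAMPLE_LOG = """\
[Thu May 13 00:07:29.204546 2021] [ssl:debug] [pid 14497:tid 139925051660032] ssl_engine_kernel.c(415): [client 10.1.5.1:51668] AH02034: Initial (No.1) HTTPS request received for child 4 (server zammad-server.test.de:443)
[Thu May 13 00:07:29.220107 2021] [auth_kerb:debug] [pid 14497:tid 139924229568256] src/mod_auth_kerb.c(1296): [client 10.1.5.1:51668] Acquiring creds for HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN
[Thu May 13 00:07:29.220683 2021] [auth_kerb:debug] [pid 14497:tid 139924229568256] src/mod_auth_kerb.c(1763): [client 10.1.5.1:51668] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Thu May 13 00:07:32.535113 2021] [auth_kerb:debug] [pid 14497:tid 139924221175552] src/mod_auth_kerb.c(752): [client 10.1.5.1:51668] Trying to get TGT for user domuser@TEST.INTERN
[Thu May 13 00:07:32.562800 2021] [auth_kerb:error] [pid 14497:tid 139924221175552] [client 10.1.5.1:51668] failed to verify krb5 credentials: Decrypt integrity check failed
[Thu May 13 00:07:36.715314 2021] [auth_kerb:debug] [pid 14497:tid 139924120528640] src/mod_auth_kerb.c(752): [client 10.1.5.1:51668] Trying to get TGT for user testdomuser@TEST.INTERN
[Thu May 13 00:07:36.721273 2021] [auth_kerb:error] [pid 14497:tid 139924120528640] [client 10.1.5.1:51668] krb5_get_init_creds_password() failed: Client not found in Kerberos database
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid \d+:tid \d+\] (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"\(server (?P<host>[^:)\s]+):\d+\)")
SPN_RE = re.compile(r"(?:Acquiring creds for|Using) (?P<spn>HTTP/[^\s,]+)")
USER_RE = re.compile(r"Trying to get TGT for user (?P<user>[^\s,]+)")

# Rule name -> (pattern in the mod_auth_kerb message, what it means for the setup).
RULES = {
    "ntlm_token": (
        re.compile(r"received token seems to be NTLM"),
        "browser answered Negotiate with NTLM, so it held no Kerberos "
        "service ticket for this site",
    ),
    "keytab_key_mismatch": (
        re.compile(r"Decrypt integrity check failed"),
        "ticket for the service principal could not be decrypted with the "
        "keytab key (key, kvno, enctype or password differs from the KDC's)",
    ),
    "unknown_client": (
        re.compile(r"Client not found in Kerberos database"),
        "KDC has no principal for the user name typed into the password prompt",
    ),
}


def triage(log_text):
    """Summarise Kerberos SSO failures found in an Apache error.log excerpt."""
    findings = Counter()
    url_hosts, principals, users = set(), set(), {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an Apache error-log line
        msg = m["msg"]
        host = SERVER_RE.search(msg)
        if host:
            url_hosts.add(host["host"].lower())
        if m["module"] != "auth_kerb":
            continue
        spn = SPN_RE.search(msg)
        if spn:
            principals.add(spn["spn"])
        user = USER_RE.search(msg)
        if user:
            users[user["user"]] = None  # dict keeps first-seen order
        for name, (pattern, _why) in RULES.items():
            if pattern.search(msg):
                findings[name] += 1
    # Host part of each service principal: HTTP/<host>@REALM
    spn_hosts = {p.split("/", 1)[1].split("@", 1)[0].lower() for p in principals}
    return {
        "findings": dict(findings),
        "principals": sorted(principals),
        "users": list(users),
        # Hosts clients connected to that no configured principal names.
        "unmatched_url_hosts": sorted(url_hosts - spn_hosts),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, count in report["findings"].items():
        print(f"{name} x{count}: {RULES[name][1]}")
    print("service principals:", report["principals"])
    print("user names tried:", report["users"])
    print("URL hosts without a matching principal:", report["unmatched_url_hosts"])
```

On the sample it reports all three failure classes and lists `zammad-server.test.de` as a host that the principal `HTTP/ZAMMAD-SERVER.TEST.INTERN@TEST.INTERN` does not name.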

command on DC

ktpass -princ HTTP/zammad.domain@DOMAIN -mapuser SUPPORT@DOMAIN -pass Password -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\Datei\kerberos.keytab

Copy the keytab file to the Zammad host and change the permissions.

Before that, you must configure

ldap.conf, krb5.conf, zammad.conf, apache.conf

  • Guide from the internet

https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html

sudo apt-get install krb5-user

[libdefaults]
default_realm = TEST.AD

[realms]
TEST.AD = {
# kdc and admin_server are DNS entries pointing to your primary domain controller
kdc = dc1.test.ad
admin_server = dc1.test.ad
}
[domain_realm]

# Please note the leading dot and the upper-case

.test.ad = TEST.AD
test.ad = TEST.AD

on the DC

ktpass -princ HTTP/webserver.test.ad@TEST.AD -mapuser ${KERBEROS_USERNAME}@TEST.AD -pass ${KERBEROS_PASSWORD} -crypto ${ENCRYPTION_TYPE} -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos.keytab

kinit -p Administrator@TEST.AD

<VirtualHost *:80>

# ...
ServerName webserver.test.ad      
<Location />
	AuthType Kerberos
	AuthName "Kerberos authenticated intranet"
	KrbAuthRealms TEST.AD
	KrbServiceName HTTP/webserver.test.ad
	Krb5Keytab /etc/kerberos.keytab
	KrbMethodNegotiate On
	KrbMethodK5Passwd On
	require valid-user
</Location>
</VirtualHost>

Apache
With

LogLevel trace8
in your Apache configuration you enable a high log level to debug the Kerberos authentication process.

Client credentials
You can use

Linux

kdestroy -A

Windows

klist purge
to reset any Kerberos token on your local machine.

Just as a side note - we do have documentation on that:
https://docs.zammad.org/en/latest/appendix/single-sign-on.html

It does contain tons of hints and troubleshooting help.
It also covers your specific issue.
