Infos:
- Used Zammad version: 2.2.x
- Used Zammad installation source: DEB
- Operating system: Ubuntu 16.04
- Browser + version: Chrome and Firefox latest, IE 11
Expected behavior:
I want to use SSO for our Zammad installation.
Actual behavior:
I’ve found the ticket Single Sign On for Zammad on Github and try to do the same as described on commented from pikachuprof and cohausz without success. I don’t know whats going wrong so i hope of some input
Steps to reproduce the behavior:
I configured mod_auth_kerb with the following configuration:
<VirtualHost *:80>
ServerName zammad.domain.tld
Redirect permanent / https://zammad.domain.tld/
</VirtualHost>
<VirtualHost *:443>
include /etc/apache2/options-ssl-zammad.tld.conf
# replace 'localhost' with your fqdn if you want to use zammad from remote
ServerName zammad.domain.tld
<IfModule !mod_auth_kerb.c>
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
</IfModule>
## don't loose time with IP address lookups
HostnameLookups Off
## needed for named virtual hosts
UseCanonicalName Off
## configures the footer on server-generated documents
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
<Proxy localhost:3000>
Require local
</Proxy>
ProxyPass /assets !
ProxyPass /favicon.ico !
ProxyPass /robots.txt !
ProxyPass /ws ws://localhost:6042/
ProxyPass / http://localhost:3000/
DocumentRoot "/opt/zammad/public"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory "/opt/zammad/public">
Options FollowSymLinks
Require all granted
</Directory>
LimitRequestFieldSize 32768
RequestHeader merge REMOTE_USER %{REMOTE_USER}s
<Location "/auth/sso">
SSLRequireSSL
AuthType Kerberos
AuthName "zammad.domain.tld"
KrbServiceName HTTP/zammad.domain.tld@DOMAIN.TLD
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbSaveCredentials On
require valid-user
Krb5Keytab /etc/kerberos-http.keytab
KrbAuthRealm DOMAIN.TLD
</Location>
#LogLevel trace8
ErrorLog /var/log/apache2/zammad.domain.tld-error.log
CustomLog /var/log/apache2//zammad.domain.tld-access.log combined
</VirtualHost>
Now, if i want to login to zammad (https://zammat.domain.tld/auth/sso) I get the following error:
Unauthorized
This Server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required
I think i have configured the browser the right way, because SSO works without Zammad (see the following lines).
The “strange” thing is. I created a folder called sso in /opt/zammad/public/sso. In the vHost configuration i duplicate the SSO part:
<Directiory "/opt/zammad/public/sso">
SSLRequireSSL
AuthType Kerberos
AuthName "zammad.domain.tld"
KrbServiceName HTTP/zammad.domain.tld@DOMAIN.TLD
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbSaveCredentials On
require valid-user
Krb5Keytab /etc/kerberos-http.keytab
KrbAuthRealm DOMAIN.TLD
</Directory>
If I browse to this directory (https://zammad.domain.tld/sso) the SSO works.
Can anyone help me?
Thanks