SSO not working

R2D2 · August 21, 2023, 9:11am

Infos:

Used Zammad version: 6
Used Zammad installation type: package
Operating system: Debian 12
Browser + version: Chrome 115

Expected behavior:

One-Click SSO Login

Actual behavior:

SSO not working

Hello,

After I tried to setup SSO and worked many hours on it, I need the help of the community.

Some things from the SSO instructions I have done differently:
apt install libapache2-mod-auth-kerb isn’t working on Debian 12, I installed it this way:
wget http://ftp.de.debian.org/debian/pool/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_5.4-3_amd64.deb dpkg -i libapache2-mod-auth-kerb_5.4-3_amd64.deb

From the description it is not clear where I should put the part <LocationMatch "/auth/sso">, I tried it to put it in zammad.conf and in 000-default.conf, but it’s the same result.

In the Apache log you can see “granted” under “authorization result”, but it’s not working.

Edit: I just stopped Apache and started Nginx to be able to Login to Zammad. In the Dashboard I saw that the Login from me and a colleague worked:

I also checked Zammad’s production log and it looks good, but I don’t know if it’s correct that the redirect goes to http and not to https.

INFO -- : Processing by SessionsController#create_sso as HTML
INFO -- : Redirected to http://zammadtest.my-domain.de/#
INFO -- : Completed 302 Found in 23ms (ActiveRecord: 12.7ms | Allocations: 6057)

Apache’s error.log after I called https://zammadtest.my-domain.de/auth/sso:

[proxy:debug] [pid 12202:tid 139720822568704] proxy_util.c(2554): AH00943: ws: has released connection for (127.0.0.1:6042)
[ssl:debug] [pid 12202:tid 139720822568704] ssl_engine_io.c(1147): [client 192.168.101.8:59787] AH02001: Connection closed to child 14 with standard shutdown (server zammad.my-domain.de:443)
[ssl:debug] [pid 12203:tid 139720797390592] ssl_engine_kernel.c(415): [client 192.168.101.8:59786] AH02034: Subsequent (No.3) HTTPS request received for child 81 (server zammad.my-domain.de:443), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720797390592] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720797390592] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720797390592] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[ssl:debug] [pid 12203:tid 139720788997888] ssl_engine_kernel.c(415): [client 192.168.101.8:59786] AH02034: Subsequent (No.4) HTTPS request received for child 82 (server zammad.my-domain.de:443), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1296): [client 192.168.101.8:59786] Acquiring creds for HTTP/zammadtest.my-domain.de@MY-DOMAIN.DE, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1719): [client 192.168.101.8:59786] Verifying client data using KRB5 GSS-API with our SPNEGO lib, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1735): [client 192.168.101.8:59786] Client didn't delegate us their credential, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1754): [client 192.168.101.8:59786] GSS-API token of length 185 bytes will be sent back, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1869): [client 192.168.101.8:59786] kerb_authenticate_a_name_to_local_name MySamAccountName@MY-DOMAIN.DE -> MySamAccountName, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1901): [client 192.168.101.8:59786] matched previous auth request, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1869): [client 192.168.101.8:59786] kerb_authenticate_a_name_to_local_name MySamAccountName@MY-DOMAIN.DE -> MySamAccountName, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: granted, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] mod_proxy.c(1506): [client 192.168.101.8:59786] AH01143: Running scheme http handler (attempt 0), referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2538): AH00942: http: has acquired connection for (127.0.0.1:3000)
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2596): [client 192.168.101.8:59786] AH00944: connecting http://127.0.0.1:3000/auth/sso to 127.0.0.1:3000, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2819): [client 192.168.101.8:59786] AH00947: connected /auth/sso to 127.0.0.1:3000, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2554): AH00943: http: has released connection for (127.0.0.1:3000)
[ssl:debug] [pid 12203:tid 139720780605184] ssl_engine_io.c(1147): [client 192.168.101.8:59786] AH02001: Connection closed to child 83 with standard shutdown (server zammad.my-domain.de:443)

Screenshot of Chrome:

Firefox:

MrGeneration · September 19, 2023, 12:51pm

The zammad vhost configuration file is the file of your desire.

FQDN and HTTP-Type are correct in your Zammad configuration? They may not differ.
Also make sure you’re removed the # from the SSO part of the zammad.conf.

It is not enough to add the location match.

R2D2 · November 7, 2023, 4:58pm

Now SSO is running perfectly.

The main reason were those two missing lines in the Apache config file zammad.conf direct before the first ProxyPass entry:

RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on

Different from the description libapache2-mod-auth-kerb isn’t available for Debian 12 anymore. The alternative is GSSAPI:

apt install libapache2-mod-auth-gssapi

And here is the changed apache configuration:

# /etc/apache2/sites-available/zammad.conf
<LocationMatch "/auth/sso">
  SSLRequireSSL
  AuthType GSSAPI
  AuthName "Your Zammad"
  GssapiBasicAuth On
  GssapiCredStore keytab:/etc/apache2/zammad.keytab
  GssapiLocalName On
  require valid-user

  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1,NS]
  RequestHeader set X-Forwarded-User "%{RU}e" env=RU
</LocationMatch>

For the krb5.conf it’s enough to paste those 4 lines and change the name of the domain (uppercase):

[libdefaults]
        default_realm = COMPANY.COM

        default_tkt_enctypes = aes256-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96

R2D2 · March 14, 2024, 2:18pm

I just found out that what I wrote back then isn’t true anymore. I don’t know why it worked back then, but I just set up another test machine and SSO didn’t work until I appended the following lines to the krb5.conf like it’s described in the official SSO documentation:

[realms]
	MY-DOMAIN.COM = {
		kdc = dc.my-domain.com
		admin_server = dc.my-domain.com
		default_domain = my-domain.com
	}

system · March 9, 2025, 2:19pm

This topic was automatically closed 360 days after the last reply. New replies are no longer allowed.