SSO not working

Infos:

  • Used Zammad version: 6
  • Used Zammad installation type: package
  • Operating system: Debian 12
  • Browser + version: Chrome 115

Expected behavior:

  • One-Click SSO Login

Actual behavior:

  • SSO not working

Hello,

After trying to set up SSO and working on it for many hours, I need the help of the community.

Some things from the SSO instructions I have done differently:
apt install libapache2-mod-auth-kerb doesn't work on Debian 12, so I installed it this way:
wget http://ftp.de.debian.org/debian/pool/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_5.4-3_amd64.deb
dpkg -i libapache2-mod-auth-kerb_5.4-3_amd64.deb

From the description it is not clear where I should put the <LocationMatch "/auth/sso"> part. I tried putting it in zammad.conf and in 000-default.conf, but the result is the same.

In the Apache log you can see “granted” under “authorization result”, but it’s not working.

Edit: I just stopped Apache and started Nginx to be able to log in to Zammad. In the Dashboard I saw that the login by me and a colleague worked: [screenshot]

I also checked Zammad’s production log and it looks good, but I don’t know if it’s correct that the redirect goes to http and not to https.

INFO -- : Processing by SessionsController#create_sso as HTML
INFO -- : Redirected to http://zammadtest.my-domain.de/#
INFO -- : Completed 302 Found in 23ms (ActiveRecord: 12.7ms | Allocations: 6057)

Apache’s error.log after I called https://zammadtest.my-domain.de/auth/sso:

[proxy:debug] [pid 12202:tid 139720822568704] proxy_util.c(2554): AH00943: ws: has released connection for (127.0.0.1:6042)
[ssl:debug] [pid 12202:tid 139720822568704] ssl_engine_io.c(1147): [client 192.168.101.8:59787] AH02001: Connection closed to child 14 with standard shutdown (server zammad.my-domain.de:443)
[ssl:debug] [pid 12203:tid 139720797390592] ssl_engine_kernel.c(415): [client 192.168.101.8:59786] AH02034: Subsequent (No.3) HTTPS request received for child 81 (server zammad.my-domain.de:443), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720797390592] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720797390592] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720797390592] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[ssl:debug] [pid 12203:tid 139720788997888] ssl_engine_kernel.c(415): [client 192.168.101.8:59786] AH02034: Subsequent (No.4) HTTPS request received for child 82 (server zammad.my-domain.de:443), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1296): [client 192.168.101.8:59786] Acquiring creds for HTTP/zammadtest.my-domain.de@MY-DOMAIN.DE, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1719): [client 192.168.101.8:59786] Verifying client data using KRB5 GSS-API with our SPNEGO lib, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1735): [client 192.168.101.8:59786] Client didn't delegate us their credential, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1754): [client 192.168.101.8:59786] GSS-API token of length 185 bytes will be sent back, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1869): [client 192.168.101.8:59786] kerb_authenticate_a_name_to_local_name MySamAccountName@MY-DOMAIN.DE -> MySamAccountName, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1901): [client 192.168.101.8:59786] matched previous auth request, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1869): [client 192.168.101.8:59786] kerb_authenticate_a_name_to_local_name MySamAccountName@MY-DOMAIN.DE -> MySamAccountName, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: granted, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] mod_proxy.c(1506): [client 192.168.101.8:59786] AH01143: Running scheme http handler (attempt 0), referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2538): AH00942: http: has acquired connection for (127.0.0.1:3000)
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2596): [client 192.168.101.8:59786] AH00944: connecting http://127.0.0.1:3000/auth/sso to 127.0.0.1:3000, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2819): [client 192.168.101.8:59786] AH00947: connected /auth/sso to 127.0.0.1:3000, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2554): AH00943: http: has released connection for (127.0.0.1:3000)
[ssl:debug] [pid 12203:tid 139720780605184] ssl_engine_io.c(1147): [client 192.168.101.8:59786] AH02001: Connection closed to child 83 with standard shutdown (server zammad.my-domain.de:443)

Screenshots of Chrome and Firefox: [images]

The zammad vhost configuration file is the file of your desire.

Are FQDN and HTTP type correct in your Zammad configuration? They must not differ.
Also make sure you've removed the # from the SSO part of the zammad.conf.

It is not enough to add the location match.

Now SSO is running perfectly.

The main reason was these two missing lines in the Apache config file zammad.conf, directly before the first ProxyPass entry:

RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on

Contrary to the description, libapache2-mod-auth-kerb isn't available for Debian 12 anymore. The alternative is GSSAPI:

apt install libapache2-mod-auth-gssapi

And here is the changed apache configuration:

# /etc/apache2/sites-available/zammad.conf
# Modules this block needs: a2enmod auth_gssapi rewrite headers ssl
<LocationMatch "/auth/sso">
  SSLRequireSSL
  AuthType GSSAPI
  AuthName "Your Zammad"
  # Fallback: accept username/password via HTTP Basic and validate it against
  # the KDC; SSLRequireSSL above keeps those passwords off plaintext HTTP.
  GssapiBasicAuth On
  # Service keytab for HTTP/zammadtest.my-domain.de@MY-DOMAIN.DE; it holds the
  # long-term key, so keep it readable by the Apache user only.
  GssapiCredStore keytab:/etc/apache2/zammad.keytab
  # Strip the realm: MySamAccountName@MY-DOMAIN.DE -> MySamAccountName
  GssapiLocalName On
  Require valid-user

  # Hand the authenticated name to Zammad in the X-Forwarded-User header
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1,NS]
  RequestHeader set X-Forwarded-User "%{RU}e" env=RU
</LocationMatch>

For krb5.conf it's enough to paste these 4 lines and change the domain name (uppercase):

[libdefaults]
        # Kerberos realm, upper-case by convention
        default_realm = COMPANY.COM

        # Only AES-256 is accepted, so the keytab (and the AD account it was
        # exported from) must have an AES-256 key
        default_tkt_enctypes = aes256-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96
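To show why the two RequestHeader lines fixed the http redirect, and what the X-Forwarded-User header in the vhost implies for the backend, here is an added example (not code from this thread, from Zammad or from Rack). It is a stripped-down model of two decisions the Rails side makes for GET /auth/sso: the scheme lookup mirrors the order Rack::Request#scheme uses (simplified), and the trusted-proxy list is an assumption standing in for "only the Apache in front of Zammad may reach 127.0.0.1:3000".

```ruby
# Added example, not Zammad's code: how a Rack app behind the Apache vhost
# decides (1) the scheme of the post-login redirect and (2) whether to trust
# the SSO identity header at all.

# Assumption: Apache on the same host is the only process allowed to talk to
# the backend on :3000. Anything else that can reach that port could forge
# X-Forwarded-User and log in as anybody, since Kerberos was enforced by Apache.
TRUSTED_PROXIES = %w[127.0.0.1 ::1].freeze

# Lookup order modelled on Rack::Request#scheme (simplified). Puma only ever
# sees plain HTTP on 127.0.0.1:3000, so "https" has to come from proxy headers.
def forwarded_scheme(env)
  return 'https' if env['HTTPS'] == 'on'
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'   # "RequestHeader set X-Forwarded-Ssl on"
  proto = env['HTTP_X_FORWARDED_SCHEME'] || env['HTTP_X_FORWARDED_PROTO']
  return proto.split(',').first.strip.downcase if proto && !proto.strip.empty?
  env['rack.url_scheme']                                  # what Puma saw itself: "http"
end

# The Location the app would answer with after a successful SSO login.
def sso_redirect_target(env)
  "#{forwarded_scheme(env)}://#{env['HTTP_HOST']}/#"
end

# Identity handed over by mod_auth_gssapi via the RequestHeader in the vhost.
# Only believed when the TCP peer is the proxy that authenticated the user.
def sso_user(env)
  return nil unless TRUSTED_PROXIES.include?(env['REMOTE_ADDR'])
  user = env['HTTP_X_FORWARDED_USER'].to_s.strip
  user.empty? ? nil : user
end

# Constructed Rack envs with CGI-style keys as Puma builds them. Apache's
# "RequestHeader set X_FORWARDED_PROTO" arrives as HTTP_X_FORWARDED_PROTO, the
# same key a hyphenated X-Forwarded-Proto header would produce.
ENV_NO_PROTO = {
  'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/auth/sso',
  'HTTP_HOST' => 'zammadtest.my-domain.de', 'rack.url_scheme' => 'http',
  'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_USER' => 'MySamAccountName'
}.freeze
ENV_WITH_PROTO = ENV_NO_PROTO.merge(
  'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_SSL' => 'on'
).freeze
# Constructed: a LAN client that bypassed Apache, hit :3000 directly and forged the header.
ENV_FORGED = ENV_WITH_PROTO.merge(
  'REMOTE_ADDR' => '192.168.101.8', 'HTTP_X_FORWARDED_USER' => 'admin'
).freeze

if __FILE__ == $PROGRAM_NAME
  puts "without proxy headers: #{sso_redirect_target(ENV_NO_PROTO)}"
  puts "with proxy headers:    #{sso_redirect_target(ENV_WITH_PROTO)}"
  puts "user via Apache:       #{sso_user(ENV_WITH_PROTO).inspect}"
  puts "user from LAN peer:    #{sso_user(ENV_FORGED).inspect}"
end
```

Without the two headers the first env reproduces the "Redirected to http://zammadtest.my-domain.de/#" line from the production log; with them the redirect is https. The second half is the check the vhost itself does not give you: bind Puma to 127.0.0.1 only (or filter on REMOTE_ADDR as above), because the header is the whole authentication once Apache has passed it.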

I just found out that what I wrote back then isn't true anymore. I don't know why it worked back then, but I just set up another test machine and SSO didn't work until I appended the following lines to krb5.conf, as described in the official SSO documentation:

[realms]
        # The realm name must match default_realm exactly
        MY-DOMAIN.COM = {
                kdc = dc.my-domain.com
                admin_server = dc.my-domain.com
                default_domain = my-domain.com
        }
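As an added pre-flight check for the two krb5.conf versions in this thread (example code, not from the thread, Zammad or MIT Kerberos): a small parser for the INI-like krb5.conf format that confirms the realm named by default_realm also has a [realms] stanza with a kdc, which is exactly what the four-line version lacked. The sample configs are constructed inline to stand in for /etc/krb5.conf; the upper-case check only encodes the convention the earlier post mentions.

```ruby
# Added example: minimal krb5.conf parser plus the consistency check a Zammad
# SSO setup needs before pointing mod_auth_gssapi at the realm.

# Returns { 'libdefaults' => {...}, 'realms' => { 'REALM' => { 'kdc' => ... } } }.
def parse_krb5_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  section = nil
  nesting = []                                    # open "NAME = {" blocks
  text.each_line do |raw|
    line = raw.sub(/[#;].*/, '').strip            # drop comments and whitespace
    next if line.empty?
    if (m = line.match(/\A\[(\w+)\]\z/))          # [libdefaults], [realms], ...
      section = m[1]
      nesting = []
    elsif (m = line.match(/\A([\w.\-]+)\s*=\s*\{\z/))   # MY-DOMAIN.COM = {
      nesting.push(m[1])
    elsif line == '}'
      nesting.pop
    elsif (m = line.match(/\A([\w.\-]+)\s*=\s*(.+)\z/)) # key = value
      target = nesting.inject(sections[section]) { |h, key| h[key] ||= {} }
      target[m[1]] = m[2]
    end
  end
  sections
end

# Lists what would stop the service from finding a KDC for its realm.
def krb5_problems(text)
  conf = parse_krb5_conf(text)
  realm = conf['libdefaults']['default_realm']
  return ['no default_realm in [libdefaults]'] if realm.nil?

  problems = []
  problems << "default_realm #{realm} should be upper-case" unless realm == realm.upcase
  stanza = conf['realms'][realm]
  if stanza.nil?
    problems << "no [realms] entry for #{realm} (no KDC to contact)"
  elsif !stanza.key?('kdc')
    problems << "[realms] #{realm} has no kdc line"
  end
  problems
end

# Constructed: the four-line version from the earlier post.
LIBDEFAULTS_ONLY = <<~CONF
  [libdefaults]
          default_realm = MY-DOMAIN.COM

          default_tkt_enctypes = aes256-cts-hmac-sha1-96
          default_tgs_enctypes = aes256-cts-hmac-sha1-96
          permitted_enctypes = aes256-cts-hmac-sha1-96
CONF

# Constructed: the same file with the [realms] block from the follow-up appended.
WITH_REALMS = LIBDEFAULTS_ONLY + <<~CONF
  [realms]
          MY-DOMAIN.COM = {
                  kdc = dc.my-domain.com
                  admin_server = dc.my-domain.com
                  default_domain = my-domain.com
          }
CONF

if __FILE__ == $PROGRAM_NAME
  [LIBDEFAULTS_ONLY, WITH_REALMS].each { |conf| p krb5_problems(conf) }
end
```

Run against the first config it reports the missing [realms] entry; against the second it reports nothing. Without that stanza (and without DNS SRV lookup configured) libkrb5 has no KDC to ask, so the service ticket can never be validated no matter how correct the Apache side is.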