ZCS Administrator Guide 8.0
Open Source Edition



Configure ZCS
SPNEGO attributes in Global Config and on each Zimbra server are configured and pre-authentication is set up for the domain. Use the zmprov CLI to modify the Zimbra server.
Note:
1.
 
This is the URL users are redirected to when SPNEGO authentication fails. Setting it to /zimbra/?ignoreLoginURL=1 redirects users to the regular Zimbra login page, where they are prompted for their Zimbra user name and password.
The Kerberos realm in the domain controller. This is the domain name in Active Directory (COMPANY.COM).
To modify the global config attributes, type:
a.
b.
c.
2.
 
Enter the user logon name set in zimbraSpnegoAuthTargetName and the address set in the global config attribute zimbraSpnegoAuthRealm.
Type it as zimbraSpnegoAuthTargetName@zimbraSpnegoAuthRealm
For example,
HTTP/mail1.example.com@COMPANY.COM
To modify the server global config attributes, type:
a.
zmprov ms mail1.example.com zimbraSpnegoAuthTargetName HTTP/mail1.example.com
b.
3.
a.
Set up the Kerberos realm for the domain. This is the same realm set in the global config attribute zimbraSpnegoAuthRealm. Type
zmprov md {domain} zimbraAuthKerberos5Realm {kerberosrealm}
b.
Set up the virtual hosts for the domain. Virtual-hostname-* are the hostnames you can browse to for the Zimbra Web Client UI. Type
zmprov md {domain} +zimbraVirtualHostname {virtual-hostname-1} +zimbraVirtualHostname {virtual-hostname-2} ...
c.
Set the login URL. The login URL is the URL to redirect users to when the Zimbra auth token is expired. Type
zmprov md {domain} zimbraWebClientLoginURL '../../service/spnego'
Honor only supported platforms and browsers. zimbraWebClientLoginURLAllowedUA is a multi-valued attribute whose values are regular expressions. If it is not set, all user agents (UAs) are allowed. If multiple values are set, a UA is allowed as long as it matches any one of the values. Type
zmprov md {domain} +zimbraWebClientLoginURLAllowedUA {UA-regex-1} +zimbraWebClientLoginURLAllowedUA {UA-regex-2} ...
For example, to honor zimbraWebClientLoginURL only for Firefox, Internet Explorer, Chrome, and Safari on computers running Windows, and Safari on Apple Mac computers, type the following commands.
d.
Set the logout URL. The logout URL is the URL to redirect users to when users click Logout. Type
zmprov md {domain} zimbraWebClientLogoutURL '../?sso=1'
Honor only supported platforms and browsers. zimbraWebClientLogoutURLAllowedUA is a multi-valued attribute whose values are regular expressions. If it is not set, all user agents (UAs) are allowed. If multiple values are set, a UA is allowed as long as it matches any one of the values. Type
zmprov md {domain} +zimbraWebClientLogoutURLAllowedUA {UA-regex-1} +zimbraWebClientLogoutURLAllowedUA {UA-regex-2} ...
For example, to honor zimbraWebClientLogoutURL only for Firefox, Internet Explorer, Chrome, and Safari on computers running Windows, and Safari on Apple Mac computers, type the following commands.
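The matching rules described for zimbraWebClientLoginURLAllowedUA and zimbraWebClientLogoutURLAllowedUA (unset allows every UA, otherwise any one matching value allows it) can be checked offline before values are added with zmprov. The script below is an added example, not part of the guide or of ZCS. It assumes a value must match the whole User-Agent string and uses grep -E in place of the server's regex engine; the patterns and User-Agent strings are constructed samples.

```shell
#!/bin/sh
# Added example: tests User-Agent strings against a candidate allow-list using
# the rules stated for zimbraWebClientLoginURLAllowedUA / ...LogoutURLAllowedUA.
# Assumptions: a value must match the whole User-Agent string (patterns are
# anchored with ^...$ here), and POSIX ERE (grep -E) stands in for the
# server's regex engine, so keep patterns to syntax both understand.

# Constructed sample patterns, one per line (not values from the guide).
ALLOWED_UA='.*Windows.*Firefox/.*
.*Windows.*Chrome/.*
.*Macintosh.*Safari/.*'

# ua_allowed PATTERNS UA: exit status 0 if the URL would be honored for UA.
ua_allowed() {
    patterns=$1
    ua=$2
    # Attribute not set: all user agents are allowed.
    if [ -z "$patterns" ]; then
        return 0
    fi
    # Multiple values: allowed as soon as any one value matches.
    while IFS= read -r re; do
        [ -n "$re" ] || continue
        if printf '%s\n' "$ua" | grep -Eq "^(${re})\$"; then
            return 0
        fi
    done <<EOF
$patterns
EOF
    return 1
}

# Constructed User-Agent strings.
UA_FIREFOX_WIN='Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0'
UA_FIREFOX_LINUX='Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0'
# Chrome on OS X also carries "Safari/", so the Safari pattern admits it too.
UA_CHROME_MAC='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4'

for sample in "$UA_FIREFOX_WIN" "$UA_FIREFOX_LINUX" "$UA_CHROME_MAC"; do
    if ua_allowed "$ALLOWED_UA" "$sample"; then
        echo "honored:     $sample"
    else
        echo "not honored: $sample"
    fi
done
```

Because each sample pattern begins and ends with .*, the results are the same whether the server requires a full match or accepts a match anywhere in the string.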
Copyright © 2012 VMware Inc.