Zimbra Collaboration Suite 7.0
Administrator's Guide
Open Source Edition

Appendix B Configuring SPNEGO Single Sign-On for ZCS

The SPNEGO protocol mechanism can be configured on ZCS for single sign-on authentication to the Zimbra Web Client. When users log on to their Intranet through Active Directory, they can enter their ZWC mailbox without having to re-authenticate to Zimbra.
The ZCS server is configured to redirect users attempting to log on to ZWC to a URL under SPNEGO protection. The server asks for authentication with Kerberos through SPNEGO, and if the preauth is verified, users are redirected to their ZWC mailbox. When users log out, they are redirected to a logout URL that displays a Launch button. When users click Launch, they are directed to the ZWC entry page.
When users log on to their ZWC accounts from the Internet, the ZWC login page is displayed and they must enter their ZWC password to log on.
Important: If SPNEGO SSO is enabled on a domain, the browsers must be configured correctly. See Configure Your Browser. An improperly configured browser may pop up a username/password dialog; a user who enters the correct AD domain username and password can still log in to the Zimbra mailbox. Some browsers may display a “401 Unauthorized” error.
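When checking browser behaviour against the SPNEGO-protected URL, it helps to see which mechanism the browser actually offered in its `Authorization: Negotiate` request header. The following is an added example, not part of the Zimbra guide or ZCS code: the function names are hypothetical, and the sample tokens are constructed, minimal DER structures rather than captured traffic.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2 (legacy Microsoft)
NTLMSSP = bytes.fromhex("060a2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10
SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLMSSP: "ntlm"}

def classify_negotiate(header_value):
    """Classify an Authorization header value as 'kerberos', 'ntlm',
    'none' (no Negotiate token sent) or 'unknown'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "none"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # raw NTLM message, not wrapped in SPNEGO
    if not token.startswith(b"\x60"):
        return "unknown"  # not an initial GSS-API token
    # The first mechanism OID in the token is the one the client prefers
    # and the one its optimistic mechToken belongs to.
    hits = [(token.find(oid), name) for oid, name in MECHS.items() if oid in token]
    return min(hits)[1] if hits else "unknown"

def _der(tag, body):
    """Short-form DER TLV; enough for the small constructed samples below."""
    return bytes([tag, len(body)]) + body

def sample_header(mech_oids):
    """Build a constructed SPNEGO NegTokenInit that lists mech_oids in order
    (mechTypes only, no real ticket) and return it as a header value."""
    mech_list = _der(0x30, b"".join(mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list))
    token = _der(0x60, SPNEGO + _der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()

if __name__ == "__main__":
    for mechs in ([KRB5, NTLMSSP], [NTLMSSP]):
        print(classify_negotiate(sample_header(mechs)))
```
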