ZCS Administrator's Guide 8.0.3
ZCS Administrator's Guide 8.0.3
Open Source Edition

Appendix B Configuring SPNEGO Single Sign-On > Configure Kerberos Auth with SPNEGO Auth

Configure Kerberos Auth with SPNEGO Auth
Kerberos auth and SPNEGO can co-exists on a domain. Use case is using Kerberos as the mechanism for verifying user principal/password against a KDC, instead of the native Zimbra LDAP, when user cannot get in by SPNEGO.
When SPNEGO auth fails, users are redirected to the Zimbra sign in page if the browser is configured properly. Users can enter their Zimbra username and password on the sign in page to sign in manually. The Domain attribute zimbraAuthMech controls the mechanism for verifying passwords. If zimbraAuthMech is set to "kerberos5", The user name the user enters is used to first identify a valid Zimbra user (users must be provisioned in the Zimbra LDAP), then from Zimbra user is mapped to a Kerberos principal, the Kerberos principal + password is then validated against a KDC. This KDC could be different from, or the same as, the KDC that the Active Directory domain controller (for SPNEGO auth) is running as.
For kerberos auth (zimbraAuthMech="kerberos5"), the mailbox server needs to contact KDC to validate principal+password. For the java kerberos client (i.e. Zimbra mailbox server), the default realm and KDC for the realm is specify in a Kerberos config file. The location of this config file can be specified in JVM argument java.security.krb5.conf. If it is not specified, the default is /etc/krb5.conf. When SPNEGO is enabled in Zimbra, java.security.krb5.conf for the mailbox server is set to /opt/zimbra/jetty/etc/krb5.ini. Therefore, that is the effective file for configuring kerberos auth.
/opt/zimbra/jetty/etc/krb5.ini is rewritten from /opt/zimbra/jetty/etc/krb5.ini.in each time when the mailbox server restarts. To configure, you need to modify the /opt/zimbra/jetty/etc/krb5.ini.in file, not /opt/zimbra/jetty/etc/krb5.ini.
Under [realms] section, kdc and admin_server are not set for SPNEGO auth, but they are required for kerberos auth.
To configure:
Edit /opt/zimbra/jetty/etc/krb5.ini.in
%%zimbraSpnegoAuthRealm%% = {
default_domain = %%zimbraSpnegoAuthRealm%%
%%zimbraSpnegoAuthRealm%% = {
kdc = YOUR-KDC
admin_server = YOUR-ADMIN-SERVER
default_domain = %%zimbraSpnegoAuthRealm%%
The restriction is the realm for SPNEGO and Kerberos auth must be the same. For SPNEGO auth, the Kerberos principal in the Authorization header is mapped to a unique Zimbra account. For Kerberos auth, the Zimbra account is mapped to a unique Kerberos principal. The mapping (by domain attribute zimbraAuthKerberos5Realm) is the same for both.
Copyright © 2013 VMware Inc.