SSO with UCS & Kopano

I have installed the AD compatible domain controller. My computer could become a member of the domain.

But if I start the DeskApp and activate the logon with the Windows logon data there (use system logon data) I get an error.

“Single Sign On is not supported by the webserver. Please enter your username and password.”

I’ve been searching the web for hours now. I find a lot of basic information about LDAP, but no indication as to whether or how I can activate it in UCS.


Hi @bitboy0,

Your webserver would need to have been configured to support login via Kerberos. This is explained in https://documentation.kopano.io/kopanocore_administrator_manual/special_kc_configurations.html#apache-configuration-for-sso-with-webapp (and the chapters leading to it).

I installed libapache2-mod-auth-kerb

then I enter

chmod 400 /etc/httpd/keytab.apache
chown apache:apache /etc/httpd/keytab.apache

But there is no file like /etc/httpd/keytab.apache
and there is no user like “apache” … so I failed.

Is there anything to do before those steps?
I’m not really a Linux expert … I use the VMware virtual machine as provided by UCS, so it is Debian.

The manual is not really meant as a copy & paste howto, so you’d still need to adapt paths (and if you scroll up in the documents it tells you how to generate the keytab.apache file).


Just to understand: Do I have to create the keytab.apache on a Windows machine? I don’t have a Windows server anymore. Otherwise I can only use a Windows 10 client.

No, this is generally also possible on a Linux machine (for example directly on the Univention host). See https://wiki.samba.org/index.php/Generating_Keytabs
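An added example, not part of the original posts or of the Kopano manual: a shell check for the two conditions the quoted `chmod 400` / `chown` commands are meant to establish, run against whatever keytab path you adapted. It assumes GNU `stat` and that Debian's Apache account is `www-data`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Kerberos keytab before pointing Apache at it.
# Assumptions: GNU coreutils stat; candidate account names are supplied
# by the caller (www-data on Debian, apache on RHEL-style systems).

# Print the first candidate account that exists on this host.
find_web_user() {
    for u in "$@"; do
        if id -u "$u" >/dev/null 2>&1; then
            printf '%s\n' "$u"
            return 0
        fi
    done
    return 1
}

# check_keytab FILE OWNER
# Returns 0 if FILE exists, is owned by OWNER and has mode 400;
# 2 if FILE is missing; 1 if ownership or mode is wrong.
check_keytab() {
    file=$1
    owner=$2
    rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING: $file does not exist (generate the keytab first)"
        return 2
    fi
    mode=$(stat -c '%a' "$file")
    actual=$(stat -c '%U' "$file")
    if [ "$actual" != "$owner" ]; then
        echo "OWNER: $file is owned by $actual, expected $owner"
        rc=1
    fi
    # The keytab holds the service's long-term key: owner read-only, nothing else.
    if [ "$mode" != "400" ]; then
        echo "MODE: $file is $mode, expected 400"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file is mode $mode and owned by $owner"
    fi
    return "$rc"
}

# Stand-alone use: sh check_keytab.sh /path/to/your/keytab
if [ "$#" -ge 1 ]; then
    user=$(find_web_user www-data apache) || { echo "no web server account found"; exit 1; }
    check_keytab "$1" "$user"
fi
```

A `MISSING` result means the keytab still has to be generated; an `OWNER` or `MODE` finding means the file is readable by more than the web server account or not readable by it at all.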

As I just got a “popular link” notification on the link in my first reply: meanwhile there is also the possibility to use OpenID Connect for SSO with Kopano WebApp, which does not rely on setting up Kerberos first.

A script for automated setup is located at https://github.com/Kopano-dev/ucs-oidc-webapp

An important note, though: OIDC login is not supported by Kopano DeskApp.
