Windows SSO kerberos (feedback)

kerberos
windows
sso

#1

Hello

@heidelberger can you explain how we can have a valid certificate (recommended way) for an internal domain? In this post you have a note that this will only work with a valid certificate, right? I’m assuming that only adding the domain to the trusted sites doesn’t override the certificate validation…

Should we use Let’s Encrypt to overcome that, or pass/install the UCS certificate on the client computers to do that?

Thanks


#2

Hey @codedmind,

The domaincontroller master in your UCS domain by default automatically generates certificates for all UCS servers joined to the domain, using its own certificate authority.
The easiest way to make clients trust these certificates is to import the root CA of your domain on your clients.
I’ve written a KB article on doing that for Windows clients: How to import UCS root CA on Windows clients

Best regards


#3

Hello @heidelberger, after having more servers in the mix and configuring SSO, I’m having two issues:
Windows 10 client
Internet Explorer:

  • all the servers have a valid certificate (the Univention root is in the store via GPO); only in the master server I can’t SSO

Chrome:

  • Master server shows an invalid certificate, but it is the same certificate; SSO only doesn’t work in the master server

Another thing that I noticed: if I log in and open Chrome (on each one of the servers, except the master) and try the SSO, it works OK; then if I open Internet Explorer the SSO doesn’t work anymore in any of the servers.
After a reboot, starting with Internet Explorer, every SSO works; then I try in Chrome and it doesn’t work. Don’t know if this is expected behaviour…

In the master server Apache error log, I get this error when I try the SSO:

[Fri Nov 09 12:58:52.981170 2018] [autoindex:error] [pid 627] [client 192.168.1.94:51846] AH01276: Cannot serve directory /var/www/univention/js/umc/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive, referer: https://MASTERSRV.ccm.local/univention/login/?location=%2Funivention%2Fportal%2F&lang=en-US

SSO never works on the main server (main domain controller).

Any suggestion how to troubleshoot this?

Thanks


#4

Update… the second issue (Chrome invalid certificate) is now solved, via this post: Chrome ssl self-signed invalid but valid in IE

Still can’t get SSO to work on the master server :confused:
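An added check script for the two points raised in this thread (my example, not from the thread, the KB article, or Univention): it imports the UCS root CA into the client's machine-wide trusted root store, as post #2 describes, then fetches the TLS certificate each UCS server presents and reports whether it chains to the imported CA and whether the host name used in the browser appears in its subjectAltName, which is what a browser validates (post #3's "invalid in Chrome, valid in IE" symptom). The CA file path and the server host names are assumed placeholders; run it in an elevated PowerShell on the Windows client.

```powershell
# Added example: trust the UCS root CA on this client and validate each UCS server's TLS certificate.
$caPath  = 'C:\ucs\ucs-root-ca.crt'                           # assumed: root CA exported from the UCS master
$servers = @('master.example.local', 'backup.example.local')  # assumed: the names typed into the browser

# 1. Import the domain CA into the machine-wide trusted root store (needs an elevated shell).
Import-Certificate -FilePath $caPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. For each server, fetch the presented certificate and validate it the way a browser would.
foreach ($server in $servers) {
    $tcp = New-Object System.Net.Sockets.TcpClient($server, 443)
    # Accept anything at the stream level; the explicit chain check happens below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()

    # Build the chain against the local trust store (the CA imported in step 1).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumed: the internal CA publishes no reachable CRL
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '

    # Browsers match the URL host against subjectAltName (OID 2.5.29.17), not the subject CN.
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '<no subjectAltName>' }
    $sanOk   = [bool]($sanText -match [regex]::Escape("DNS Name=$server"))

    [pscustomobject]@{
        Server      = $server
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainOk     = $chainOk
        ChainStatus = if ($chainOk) { 'OK' } else { $status }
        SanMatch    = $sanOk
        SAN         = $sanText
    }
}
```

A server that reports ChainOk but SanMatch = False is one a modern browser will still flag as invalid even though the CA is trusted, which is the case to look at first when only one host in the domain misbehaves.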