7018598: Quickstart Guide: Setting up Active Directory Single Sign-On (SSO) with a GroupWise 2014 R2 SLES11 Linux Post Office

Assumptions:

a. For the purposes of this document, it is assumed that the GroupWise Linux Post Office server's fully qualified hostname is "bperez13.bperez11.gwlab.com" and that the Active Directory domain controller's fully qualified hostname is "bperez11.gwlab.com" (in this lab the domain controller's name is the same as the AD domain name). Substitute your own hostnames as appropriate.

In this example the user we will work with is "aduser1", which is both the Active Directory user name and the GroupWise user ID. Your SLES11 server is assumed to be up to date on patches.

b. It is assumed that in DNS Manager on your Microsoft Active Directory server you have a DNS zone whose name is, in this example, "bperez11.gwlab.com". Substitute your own DNS zone name; placing the GroupWise server's name in the AD zone means you will not have to change the hostname of the GroupWise Linux server or the hostname in its POA agent settings.

c. It is assumed that you have, or will create, a DNS "A" record on your Microsoft domain controller for the GroupWise server, in this example bperez13.bperez11.gwlab.com (substitute your GroupWise server's fully qualified hostname). So in this example, in the DNS application on the Microsoft domain controller, under "Forward Lookup Zones", you would have a DNS zone called "bperez11.gwlab.com", and under that zone you would create a DNS A record with a "Host" name of "bperez13", a "Fully qualified domain name (FQDN)" of "bperez13.bperez11.gwlab.com", and the IP address of the GroupWise server. Make the proper name substitutions as you need.

d. It is assumed you are working with a Microsoft Windows Server 2012 R2 server.

e. It is assumed that you have created an LDAP directory and an LDAP server in the GroupWise Web Admin Console under System > "LDAP Servers", by following steps 1 through 6 of section 6.1 at this URL:

https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/b199manl.html

and steps 1 through 6 of section 6.2.1 at this URL:

https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/b199mao7.html

f. It is assumed that you have imported into GroupWise the Active Directory users that will be using the Single Sign-On (SSO) feature, so that these users are associated with the Active Directory server listed under LDAP Servers.

g. Lastly, it is assumed that on your Active Directory Windows Server 2012 R2 box, in "Active Directory Users and Computers", under View, you have checked "Advanced Features" (this is what makes the Attribute Editor tab used in the troubleshooting section visible).

NOTE: Since you will be changing the security settings of the Post Office Agent, consider doing this on a Friday night after hours to minimize user impact. Alternatively, test this procedure on a non-production GroupWise test server until you are comfortable that it works as you expect.

NOTE: Have a full, complete backup of the GroupWise system before performing these steps, in case there are any issues. However, these steps worked correctly for me on my SLES11 GroupWise server and a Windows 7 workstation with the GroupWise 2014 R2 Windows client.

NOTE: For any additional GroupWise servers that you want to have Single Sign-On functionality with Active Directory, repeat the steps in this technical document for each additional Linux server that hosts a GroupWise Post Office.

Steps to Follow:

The Linux Post Office server will have to join the Windows domain, and the changes below must be made NOW:

1. You need to know the current fully qualified hostname of the Linux GroupWise Post Office server. Let's say it is:

a. bperez13.bperez11.gwlab.com

2. You need to know the current fully qualified hostname of your Active Directory domain controller. Let's say it is:

a. bperez11.gwlab.com

3. The Linux Post Office server will then likely need a change to its "Name Server" in YaST. In this example the name server is the Windows domain controller:

a. The IP address of the Windows domain controller.

b. To make this "Name Server" change, go to YaST > Network Devices > Network Settings, and in the Hostname/DNS tab set the "Hostname" to bperez13 (no quotes) and the "Domain Name" to bperez11.gwlab.com (no quotes). Substitute your own values and change it NOW.

c. AND in this same tab, "Name Server 1" must contain ONLY the IP address of your Active Directory domain controller. Leave "Name Server 2" and "Name Server 3" empty: if the server can fall back to a resolver that does not know the AD zone, Kerberos and domain membership will fail intermittently. The "Domain Search" list box to the right must show bperez11.gwlab.com (no quotes). Substitute your own values and change it NOW.

d. In the Routing tab, the "Default Gateway" must of course be filled out correctly for your network environment. Click OK and exit YaST.

e. The result should be that, in a terminal as "root" on the Post Office server, you can at least PING internal and external IP addresses and hostnames, confirming that you have proper IP connectivity and name resolution.
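The resolver and hostname settings from step 3 are the part of this procedure that most often drifts later (someone adds a second name server, or the hostname is changed without updating DNS). The script below is added here as an example; it is not part of the original TID and not GroupWise or SUSE code. Its check functions take their input as files and strings so they can be exercised offline against the constructed sample files in the block; live_checks runs the same checks against the real /etc/resolv.conf and "hostname -f", and additionally asks DNS for the domain's _kerberos._tcp SRV record and the server's A record using dig from the bind-utils package. The hostnames follow this document's example; the domain controller address 192.0.2.10 is a placeholder.

```shell
#!/bin/bash
# Added example for step 3 (not part of the original TID). Checks the
# resolver and hostname configuration a Kerberos client depends on.
# Hostnames follow the TID; 192.0.2.10 is a placeholder DC address and the
# two resolv.conf files below are constructed samples.

# check_resolv <resolv.conf> <dc_ip> <ad_domain>
# Passes only if the file lists exactly one nameserver, it is the domain
# controller, and the AD domain is in the search list. A second, non-AD
# resolver is the classic cause of intermittent SSO failures: when the
# client fails over to it, the DC's A record and the _kerberos SRV records
# no longer resolve.
check_resolv() {
  local file=$1 dc_ip=$2 domain=$3 ns_count
  ns_count=$(awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$file")
  [ "$ns_count" -eq 1 ] \
    || { echo "$file: expected exactly 1 nameserver, found $ns_count" >&2; return 1; }
  awk -v ip="$dc_ip" '$1 == "nameserver" && $2 == ip { ok = 1 } END { exit !ok }' "$file" \
    || { echo "$file: nameserver is not the domain controller $dc_ip" >&2; return 1; }
  awk -v d="$domain" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) ok = 1 } END { exit !ok }' "$file" \
    || { echo "$file: search list does not contain $domain" >&2; return 1; }
}

# check_fqdn <actual fqdn> <expected fqdn>
# The keytab principal and the POA's advertised address are both built from
# the FQDN, so `hostname -f` must return exactly the name in the DNS A record.
check_fqdn() {
  [ "$1" = "$2" ] || { echo "hostname -f returned '$1', expected '$2'" >&2; return 1; }
}

# live_checks <dc_ip> <ad_domain> <poa_fqdn>: run as root on the POA server.
# Not executed by the offline checks below; needs dig from bind-utils.
live_checks() {
  check_resolv /etc/resolv.conf "$1" "$2" || return 1
  check_fqdn "$(hostname -f)" "$3" || return 1
  dig +short SRV "_kerberos._tcp.$2" | grep -q . \
    || { echo "DNS returns no _kerberos._tcp.$2 SRV record; clients cannot find the KDC" >&2; return 1; }
  dig +short A "$3" | grep -q . \
    || { echo "DNS has no A record for $3" >&2; return 1; }
}

# --- constructed samples for offline use ---
GOOD_RESOLV=$(mktemp)   # what YaST writes after step 3.c
cat > "$GOOD_RESOLV" <<'EOF'
search bperez11.gwlab.com
nameserver 192.0.2.10
EOF

BAD_RESOLV=$(mktemp)    # a leftover second resolver and the wrong search domain
cat > "$BAD_RESOLV" <<'EOF'
search gwlab.com
nameserver 192.0.2.10
nameserver 192.0.2.53
EOF
```

On the real server, run "live_checks 192.0.2.10 bperez11.gwlab.com bperez13.bperez11.gwlab.com" (with your own values) as root; every message it prints names the setting from step 3 that needs fixing.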

4. Go to the documentation URL below for "Configuring Single Sign-On with Active Directory" (54.2):

a. https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/b1f0s9uy.html

b. Using the above GroupWise documentation URL, under the section "Configuring Single Sign-On with Active Directory" (54.2), we will go over the first 4 bullet points in order:

c. For the 1st bullet point, make sure both the POA Linux server and the user's Windows workstation are joined to the same Active Directory domain:

i. On the Linux box where the Post Office is located, click Computer > YaST > Network Services > Windows Domain Membership. Under Membership, in "Domain or Workgroup", type NOW the fully qualified name of your Active Directory domain (in this example, but substitute yours):

"bperez11.gwlab.com"

ii. Click the Expert Settings button, for the Kerberos Method select "system keytab", then click OK.

iii. Click the "NTP Configuration" button to ensure time synchronization between the Linux Post Office server and the Active Directory domain controller (Kerberos rejects tickets when the clocks differ by more than the configured clock skew, 5 minutes in the krb5.conf shown later). Set a time server as needed: click Add, click Next, type in an appropriate local or public time server, click Test, click OK after it responds correctly, click OK, then OK again. Click the Join button in the upper right if present, otherwise click OK. Click OK again. You should see a dialog that says "This host is not a member of the domain <bperez11>". You will then see another dialog that says "Join the domain <bperez11>?"; click Yes. In the resulting dialog enter the username and password of a Windows domain account and click OK. This document uses the domain "administrator" account; any account that has been granted the right to join computers to the domain will do, and a less privileged account is preferable.

iv. Your Linux server is now joined to the Active Directory domain.

v. To join the user workstation, go to the Windows PC. It is assumed you are not yet joined. On Windows 7, Windows 8.1 or Windows 10:

1. Right click the Network icon in the Windows tray, select "Open Network and Sharing Center", select "Change Adapter Settings", right click the appropriate network card, highlight "Internet Protocol Version 4 (TCP/IPv4)" and click Properties.

2. Under "Use the following DNS server addresses:", for the "Preferred DNS server", type the IP address of your Active Directory server. Click OK, then Close.

3. Now to actually join the Active Directory domain, go to:

a. On a Windows 7 workstation, click Start, right click "Computer", Properties, Advanced System Settings, Computer Name tab, and to change to a domain click the Change button.

b. In the "Member of: Domain" box, type the fully qualified name of the Active Directory domain (example: bperez11.gwlab.com). Click OK. Supply the appropriate Active Directory credentials and click OK; you should then join successfully and get a confirmation. Click OK. Click OK again to RESTART your computer as required by Windows. I assume you will click RESTART NOW.

c. When the workstation reboots, you will come to a Windows logon dialog. For the username, type:

i. The Active Directory user name prefixed with the NetBIOS domain name, in this example "BPEREZ11\aduser1"

ii. Type the password for this Active Directory user and LOGIN.

d. To confirm the credentials that GroupWise Single Sign-On depends on, go to a DOS window (cmd) and type "whoami"; it should respond with, in this example:

bperez11\aduser1

e. Close the DOS window.

f. Now for the 2nd bullet point listed in the above documentation URL:

"Make sure the POA object has the DNS fully qualified domain name instead of the IP address: In the GroupWise Admin Console > Post Office Agents > select the POA > Agent Settings > TCP/IP Address field."

In this example the value should already be "bperez13.bperez11.gwlab.com". Make this change NOW if necessary. Remember: no IP address, just the hostname. The Kerberos service principal name the client requests is derived from the hostname it connects to, so a client that connects by IP address cannot obtain a ticket that matches the POA's keytab.

g. For the 3rd bullet point of the documentation URL: "Enable LDAP authentication in the GroupWise Admin Console > Post Offices > select the PO > Security tab." Make sure your A.D. LDAP server name is selected here. Refer to Assumptions point "e" above for details if needed.

h. For the 4th bullet point of the documentation URL: "Select Network authentication (eDirectory or Active Directory) in the Admin Console > Post Office Agents > select the POA > Client Options > Security tab." Make this change NOW. Remember to click SAVE.

Now it's time to move on in the documentation to section 54.2.2, "Linux POA", which has 7 bullet points:

5. For the 1st of the 7 bullet points, "Make sure that all krb5 rpms are installed on the server": check in YaST > Software Management, type krb5 (no quotes) in the search field and click the Search button.

a. You should have "krb5", "krb5-32bit" AND "krb5-client" checked. If you do not have all of these, check the missing ones and click the Accept button in the lower right of the dialog. Exit YaST.

b. You can also check which krb5 packages are installed by going to the Linux terminal as "root" and issuing the command:

a. rpm -qa | grep krb5

b. You should see krb5-client-<versionNumber>, krb5-<versionNumber> and krb5-32bit-<versionNumber>.

6. 2nd bullet point, "Make sure that the Linux server points to the AD Server as its DNS Server":

We already did this in step 3. Next step.

7. 3rd bullet point, "Join the Linux POA server to the Windows Domain by ...":

We already did this in step 4.c. Next step.

8. 4th bullet point: rather than the file in the documentation, use the example file below to check and verify what is configured in /etc/krb5.conf, and modify it NOW as appropriate for your environment. Note that the indented lines are indented with a tab, not spaces, and note the case of the letters: the realm is upper case and the hostnames are lower case. "clockskew = 300" is the maximum clock difference (5 minutes) tolerated between this server and the KDC, which is why the NTP configuration in step 4.c.iii matters.

vi /etc/krb5.conf

[libdefaults]
	default_realm = BPEREZ11.GWLAB.COM
	clockskew = 300

[realms]
	BPEREZ11.GWLAB.COM = {
		kdc = bperez11.gwlab.com
		default_domain = bperez11.gwlab.com
		admin_server = bperez11.gwlab.com
	}

[logging]
	kdc = FILE:/var/log/krb5/krb5kdc.log
	admin_server = FILE:/var/log/krb5/kadmind.log
	default = SYSLOG:NOTICE:DAEMON

[domain_realm]
	.bperez11.gwlab.com = BPEREZ11.GWLAB.COM
	bperez11.gwlab.com = BPEREZ11.GWLAB.COM

9. 5th bullet point: at a terminal on the Linux Post Office server, as "root", issue this command NOW (NOT the command in the documentation, unless it is the same):

a. net -U administrator@<activeDirectoryFullyQualifiedHostName> ads keytab add groupwise

b. Type the password for the Active Directory "administrator" user (or for whichever domain account you use, provided it is allowed to write the servicePrincipalName attribute of the server's computer object).

c. At the terminal on the GroupWise Linux server, issue the command "klist -k" (no quotes; it reads /etc/krb5.keytab by default). Among other content you should see, as in this example (yours will be different), 5 or so lines that show:

i. <a number> groupwise/bperez13.bperez11.gwlab.com@BPEREZ11.GWLAB.COM

ii. You MUST see your fully qualified hostname (in this example "bperez13.bperez11.gwlab.com") to the left of the "@" character, and the realm to the right of the "@" must be exactly the default_realm from /etc/krb5.conf (Kerberos realm names are case-sensitive, so it is normally upper case). If the hostname is wrong, fix the hostname and DNS settings from step 3 and rerun the net command, since the principal is built from the server's hostname.

10. 6th bullet point: make sure that the /etc/krb5.keytab file is readable by the user that is running the GroupWise POA on the server.

So if you run the GroupWise agents as "root", or as another user, that user must own this file. The keytab contains the POA's long-term Kerberos key, which is equivalent to a password: nobody other than the POA user should be able to read it.

So go to the /etc/ directory on the Post Office Linux server and, as "root", issue the command "ls -l krb5.keytab" (no quotes).

You will see the owner of the file; root is the owner here:

a. -rw------- 1 root root 2027 Jan 22 15:16 krb5.keytab

b. To compare this with who is running the POA process, issue this command at the terminal: "ps -eaf | grep gwpoa" (no quotes); the owner is in the leftmost column.

If it says "root" then there is a match and the ownership of this file is good. If there is not a match, then you MUST change the ownership of the krb5.keytab file NOW to the user who is running the POA agent, with this command in the /etc/ directory:

"chown <userNameWhoRunsPOA>:<primaryGroupOfThatUser> ./krb5.keytab" (no quotes)

c. If the POA runs as "root", "root" is part of the "root" group. If the POA runs as another user, say "gwuser", that user is typically a member of the Linux group "users"; use whatever group "id gwuser" reports as its primary group.

Then you must set the file permissions. The file only needs to be readable by its owner (the POA reads the key; it never writes or executes the file), so do this NOW:

i. cd to the /etc/ directory and issue the command below NOW:

ii. chmod 600 ./krb5.keytab

Do not grant group or other access (for example with "chmod ug=rwx"): on a server where the POA runs as "gwuser" in the "users" group, that would let every local account in "users" read the key and impersonate the GroupWise service. Root can read the file regardless of its mode.
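Steps 8, 9 and 10 each leave something to verify: that the realm in krb5.conf and the realm in the keytab principal agree (case-sensitively), that the groupwise/<fqdn> principal is actually in the keytab, and that the keytab is owned by the POA user and not readable by anyone else. The script below is added here as an example; it is not part of the original TID and not GroupWise or Samba code. The three check functions work on a krb5.conf file, on saved "klist -k" output and on a file's owner and mode, so they run offline against the constructed samples in the block; live_checks chains them against the real files, then confirms the SPN from troubleshooting item 2 from the Linux side with "net ads search" (using the machine account created by the join) and finally proves the key works by obtaining a ticket with kinit from the keytab. Realm, hostname and user names follow this document's example.

```shell
#!/bin/bash
# Added example for steps 8-10 (not part of the original TID or of
# GroupWise/Samba). Realm BPEREZ11.GWLAB.COM and the FQDN follow the TID;
# the krb5.conf fragment, klist output and keytab stand-in are constructed.

# krb5_default_realm <krb5.conf>: print the default_realm value.
krb5_default_realm() {
  awk -F= '$1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# keytab_has_principal <klist -k output file> <fqdn> <REALM>
# Realm names are case-sensitive: the realm after "@" must match
# default_realm exactly, or the POA cannot decrypt the client's service ticket.
keytab_has_principal() {
  grep -q -F "groupwise/$2@$3" "$1"
}

# check_keytab_perms <keytab> <poa user name or uid>
# The keytab is the service's long-term key, equivalent to a password: it
# must be readable by the POA user and by nobody else. "rwx" is wider than
# needed; a keytab is never executed, and group/other read access lets any
# local account obtain the key. 640 is tolerated only if the group is
# specific to the POA (not "users").
check_keytab_perms() {
  local keytab=$1 poa=$2 poa_uid owner_uid mode
  case "$poa" in
    *[!0-9]*) poa_uid=$(id -u "$poa") || return 1 ;;
    *) poa_uid=$poa ;;
  esac
  owner_uid=$(stat -c '%u' "$keytab") || return 1
  mode=$(stat -c '%a' "$keytab") || return 1
  [ "$owner_uid" = "$poa_uid" ] \
    || { echo "$keytab is owned by uid $owner_uid, but the POA runs as uid $poa_uid" >&2; return 1; }
  case "$mode" in
    400|600|640) return 0 ;;
    *) echo "$keytab mode $mode is too permissive; run: chmod 600 $keytab" >&2; return 1 ;;
  esac
}

# poa_user: the account running gwpoa, from the process table (step 10.b).
poa_user() {
  ps -eo user:32,comm | awk '$2 == "gwpoa" { print $1; exit }'
}

# live_checks <fqdn>: run as root on the POA server (not run offline).
live_checks() {
  local fqdn=$1 realm out user
  realm=$(krb5_default_realm /etc/krb5.conf)
  out=$(mktemp)
  klist -k /etc/krb5.keytab > "$out"
  keytab_has_principal "$out" "$fqdn" "$realm" \
    || { echo "no groupwise/$fqdn@$realm in /etc/krb5.keytab (check realm case and hostname)" >&2; return 1; }
  user=$(poa_user)
  check_keytab_perms /etc/krb5.keytab "${user:-root}" || return 1
  # Troubleshooting item 2 from the Linux side: the SPN must be registered
  # on the server's computer object. -P authenticates as the machine account.
  net -P ads search "(servicePrincipalName=groupwise/$fqdn)" servicePrincipalName \
    | grep -q "groupwise/$fqdn" \
    || { echo "SPN groupwise/$fqdn is not registered in Active Directory" >&2; return 1; }
  # Definitive check: the KDC must accept the key in the keytab. A throwaway
  # credential cache keeps root's own cache untouched.
  KRB5CCNAME="FILE:$out.cc" kinit -k -t /etc/krb5.keytab "groupwise/$fqdn@$realm" \
    && KRB5CCNAME="FILE:$out.cc" kdestroy
}

# --- constructed samples for offline use ---
SAMPLE_KRB5_CONF=$(mktemp)
printf '[libdefaults]\n\tdefault_realm = BPEREZ11.GWLAB.COM\n\tclockskew = 300\n' > "$SAMPLE_KRB5_CONF"

SAMPLE_KLIST=$(mktemp)    # what `klist -k` prints after step 9
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/bperez13.bperez11.gwlab.com@BPEREZ11.GWLAB.COM
   2 groupwise/bperez13.bperez11.gwlab.com@BPEREZ11.GWLAB.COM
EOF

SAMPLE_KEYTAB=$(mktemp)   # empty stand-in for /etc/krb5.keytab
chmod 600 "$SAMPLE_KEYTAB"
```

On the real server, "live_checks bperez13.bperez11.gwlab.com" (with your hostname) as root stops at the first failing check and prints which of steps 8, 9 or 10 to revisit; if the final kinit fails with a pre-authentication or "key version number" error, the keytab and the computer account password are out of step and the "net ads keytab add" command from step 9 should be rerun.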

11. (Optional) 7th and final bullet point, "Create a GroupWise Name Server in DNS". If you do not do this, users need to know the hostname and port number to connect to the POA.

a. It is recommended that you follow this technical document to accomplish this by creating a Microsoft Service Connection Point (SCP), which has functionality similar to ngwnameserver:

https://support.microfocus.com/kb/doc.php?id=7023422

12. Note: In this example situation, when you start the GroupWise Windows client for the first time after enabling Single Sign-On, you should see the "Micro Focus GroupWise Startup" dialog, and in this dialog you should see "Connecting to Post Office at: bperez13.bperez11.gwlab.com:1677". Substitute your GroupWise hostname. If you do not see the correct hostname, or you see an IP address, just click CANCEL, correct the "Address" box to show your GroupWise hostname, fill out the rest of the information needed in this dialog and click OK. Once you log in successfully it will remember your credentials, and the next time you log in to GroupWise you should not be prompted for your password.

Closing Comment:

If you follow this document and still have a problem where you are prompted for a password when logging in to the GroupWise Windows client, and you are on SLES11, it could be that you have an older version of the Linux Kerberos "krb5" packages. You can review this TID on how to check for and correct this issue:

https://support.microfocus.com/kb/doc.php?id=7021409

Other things to check if you are still prompted for a password:

1. Be sure to verify that the user running the POA (usually "root") owns the "/etc/krb5.keytab" file on the GroupWise Linux Post Office server and can read it. Executable, group and other permissions are not needed and should not be granted. For a POA running as root, the commands that set this correctly are:

a. chown root:root /etc/krb5.keytab

b. chmod 600 /etc/krb5.keytab

2. Verify on the Windows domain controller (Windows Server 2012 R2), in the application "Active Directory Users and Computers", that the Active Directory container called "Computers" has an object named after your GroupWise Linux Post Office server. Under this object, go to Properties > Attribute Editor tab; you should have an attribute called "servicePrincipalName". If you edit this attribute, you should see, among other things, groupwise/bperez13.bperez11.gwlab.com (no quotes; substitute your GroupWise Post Office server hostname). A service principal name may be registered on only one account in the forest: if the same SPN also exists on another computer or user object, the KDC cannot issue tickets for it and SSO fails, so check for duplicates (for example with "setspn -X" on the domain controller).

3. From the perspective of the user, in Windows, in the GroupWise Windows 14.2.2 client, click Tools > Options > Security > Password tab. At the bottom you should have a checkmark in the checkbox "No password required with eDirectory". If you do not, Single Sign-On will not work. If it is not checked, just type your password in the "Old password" box; the checkbox will then no longer be greyed out, so you can check it. Then click Apply and OK. Then exit the GroupWise Windows client and log in again.

4. Also, on the user's Windows workstation, go to the DOS window (cmd), cd to c:\windows\system32, then type the command "klist" (no quotes). You should see, among other things, a reference to the GroupWise Kerberos ticket (note the encryption type shown: RC4-HMAC is a legacy cipher, and where the domain controller and the Linux server's Samba and krb5 versions support it an AES ticket type is preferable); for me it shows:

Client: aduser1 @ bperez11.gwlab.com

Server: groupwise/bperez13.bperez11.gwlab.com @ bperez11.gwlab.com

KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)

Ticket Flags 0x40a10000 -> forwardable pre_authent name_canonicalize

Start Time: 1/9/2018 8:01:23 (local)

End Time: 1/9/2018 16:31:30 (local)

Renew Time: 1/16/2018 6:31:30 (local)

Session Key Type: RSADSI RC4-HMAC(NT)

5. If Single Sign-On is still not working (you are being prompted for a password), then do the following, after hours so as not to affect Post Office users, since you will be toggling some settings under the Post Office and POA objects:

a. In the GroupWise Web Admin Console, under the Post Office object, Security tab, it is assumed you have "LDAP Authentication" turned on and that "Selected LDAP Servers" lists at least one LDAP server. Do this NOW: highlight the LDAP server that is used for this Post Office's Single Sign-On and click the right arrow to move it to the "Available LDAP Servers" list. Click SAVE, then CLOSE. Now go back to this same setting, put the LDAP server back in the "Selected LDAP Servers" list and click OK.

b. In this same area click the "Client Options" button at the top, then the Security tab. It is assumed you currently have the checkbox "Network authentication (eDirectory or Active Directory)" checked. Remove the checkmark. Click OK. Now go back to this same setting, check "Network authentication (eDirectory or Active Directory)" again AND LOCK IT by clicking the lock to its right. Click OK. Click SAVE at the bottom left, then CLOSE.

c. Restart the affected POA. At the GroupWise Linux server terminal as "root", issue "rcgrpwise status"; assuming your Post Office is called "provo" and your domain is called "utah", you will see among other things:

Checking status [provo.utah] running

So issue the command "rcgrpwise restart provo.utah" (no quotes).

Hopefully Single Sign-On is now working at your Windows 7, 8 or 10 workstation configured as described in this document.
