Single Sign-On (SSO) is enabled and correctly configured but still prompting for a password when attempting to log in to the GroupWise Windows client

  • 7021409
  • 14-Sep-2017
  • 09-Jan-2018

Environment

GroupWise 2014 R2 Support Pack 2
SUSE Linux Enterprise Server 11

Situation

I have followed GroupWise documentation to configure Single Sign-On (SSO) with GroupWise and Active Directory, but I am still prompted for a password when attempting to log in to the GroupWise Windows client.

 - I have also followed the "Quickstart Guide: Setting up Active Directory Single Sign-On (SSO) with a GroupWise 2014 R2 SLES11 Linux Post Office":

https://support.microfocus.com/kb/doc.php?id=7018598

 - And I see this error in my GroupWise POA verbose log:

  "Attempting token authentication for user <UserName> (userName)"

  "Error:  An error occurred in the SSPI layer that does not otherwise map to GroupWise error code [D091] in _WpeGssAcquireCredentials (gss_aquire_cred=>(0xd00000,0x0))"

Resolution

SLES11 ships with version 1.6.3 of "krb5". It appears that prior to version 1.10, "krb5" did not correctly handle a call to "gss_acquire_cred" with just a service name. If you see the error listed above AND your SLES11 server has a version of "krb5" prior to version 1.10, you may need to obtain a newer version of the "krb5" files and place them in your GroupWise directory:

    /opt/novell/groupwise/agents/lib/

How to check your version of Kerberos "krb5":

Go to your GroupWise SLES11 Post Office server as "root" in a terminal window and issue this command:

    rpm -qa | grep krb5

You should see: krb5-32bit-<versionNumber>, krb5-client-<versionNumber>, and krb5-<versionNumber>

You can contact Micro Focus GroupWise support and obtain these files from a support engineer. The associated Defect that discusses this issue is Defect # 1015888, and the files are attached to this Defect. This is a workaround and will not affect the SLES11 Linux OS implementation of Kerberos. This "krb5" version issue will not normally affect a SLES12 server.

Note:  If this is the source of the problem, then copying these updated "krb5" files and restarting the GroupWise POA could resolve this issue.

NOTE: ** Important **: To avoid issues where the POA does not load after copying the updated "krb5" libraries to the /opt/novell/groupwise/agents/lib/ directory, you need to preserve the symbolic links included with the library files. Depending on how you decompress the files, the symbolic links may not be preserved, so use this general procedure to copy the updated "krb5" library files:

1.  Consider doing this procedure after hours so that GroupWise users are not affected, as the GroupWise Post Office Agent (POA) will have to be restarted when instructed.

2.  On the GroupWise Linux server (joined to the Windows Domain Controller) where the Post Office is located, go to a terminal as the "root" user.

3.  cd /root

4.  mkdir updated-krb5-libraries

5.  cd updated-krb5-libraries

6.  Copy the compressed "gw-krb5-1.12.5.tar.gz" file to the /root/updated-krb5-libraries/ directory.

7.  Issue this command, which will decompress the files and by default preserve the symbolic links:
       tar -zxvf gw-krb5-1.12.5.tar.gz

8.  You now have the decompressed updated krb5 libraries, with their symbolic links preserved, in the /root/updated-krb5-libraries/ directory.

9.  Delete the compressed "gw-krb5-1.12.5.tar.gz" file from this directory, as it is no longer needed:
     rm gw-krb5-1.12.5.tar.gz

10.  You are currently in the "/root/updated-krb5-libraries/" directory. As a precaution, make a backup copy of your /opt/novell/groupwise/agents/lib/ directory before making changes, in case you need to go back to the pristine ../lib/ directory files.

Issue this command to both create a new "lib.backup" directory AND copy ALL files and directories recursively, while also preserving the symbolic links, which are important not to lose:

This is a long one-line command that also creates the "lib.backup" directory (consider copy and paste):
 
    mkdir /opt/novell/groupwise/agents/lib.backup; rsync -rl /opt/novell/groupwise/agents/lib/* /opt/novell/groupwise/agents/lib.backup

11.  To copy the updated "krb5" library files (and preserve existing symbolic links) from the current directory to the proper GroupWise directory, make sure you are still in the "/root/updated-krb5-libraries/" directory and issue this command:
     
      cp -av *.* /opt/novell/groupwise/agents/lib

12.  You now have the updated krb5 libraries in the /opt/novell/groupwise/agents/lib/ directory.

13.  Restart the POA, either with "rcgrpwise restart" (no quotes, easy) or, if you only want to restart the POA:
       a.  rcgrpwise status

       b.  You will see a line that says "<PostOfficeName>.<DomainName>". Take the Post Office name and the Domain Name values and issue the command "rcgrpwise restart <PostOfficeName>.<DomainName>", with no angle brackets or quotes. Substitute the proper values.

14.  The POA will now have the updated "krb5" libraries in memory, which should contribute to a successful Active Directory Single Sign-On experience from your Windows workstation.
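
The two checks this procedure depends on (is the system "krb5" older than 1.10, and did the symbolic links survive the copy) can be scripted. The following is an added example, not part of the original document or vendor-supplied code; the function names and the entry point are hypothetical, and it assumes the package name "krb5" from the rpm listing above and the directories used in steps 4 and 11.

```shell
#!/bin/sh
# Added example: verification helpers for the procedure above (not vendor code).

# Succeeds if a krb5 version such as "1.6.3" or "1.6.3-<release>" is below 1.10.
# Fields are compared as numbers: as plain strings, "1.10" would sort before "1.6".
krb5_older_than_1_10() {
    ver=${1%%-*}        # drop an RPM release suffix, if present
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 10 ]; }
}

# Succeeds only if every symlink in SRC is also a symlink in DST with the
# same target, and that target exists in DST.
links_preserved() {
    src=$1; dst=$2; rc=0
    for f in "$src"/*; do
        [ -L "$f" ] || continue
        name=${f##*/}
        if [ ! -L "$dst/$name" ]; then
            echo "not a symlink in $dst: $name" >&2; rc=1
        elif [ "$(readlink "$f")" != "$(readlink "$dst/$name")" ]; then
            echo "link target differs: $name" >&2; rc=1
        elif [ ! -e "$dst/$name" ]; then
            echo "dangling symlink in $dst: $name" >&2; rc=1
        fi
    done
    return "$rc"
}

# Hypothetical entry point: main <extracted-dir> <groupwise-lib-dir>
main() {
    # Assumes the package name "krb5" from the rpm listing above.
    ver=$(rpm -q --qf '%{VERSION}\n' krb5 | head -n 1)
    if krb5_older_than_1_10 "$ver"; then
        echo "system krb5 $ver predates 1.10; the workaround may apply"
    fi
    links_preserved "$1" "$2" && echo "symbolic links preserved in $2"
}

# Runs only when both directories are given on the command line.
[ "$#" -lt 2 ] || main "$@"
```

Run it as "root" after step 11, passing /root/updated-krb5-libraries and /opt/novell/groupwise/agents/lib as the two arguments; a non-zero exit status means a link was flattened into a regular file, points elsewhere, or is dangling, and the POA should not be restarted until that is corrected.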

Cause

Bug in older versions of the Kerberos "krb5" files.

Additional Information

Note:  
This applies only on a SLES11 server.  The updated Kerberos library files can be obtained from this Defect, comment # 3 and 4.