After upgrade from 8.8.12 to 8.8.15 SSO ceased

Unix7
Posts: 1
Joined: Wed Aug 28, 2019 5:33 am

After upgrade from 8.8.12 to 8.8.15 SSO ceased

Post by Unix7 »

The upgrade from 8.8.12 to 8.8.15 was successful, but SSO stopped working.

Log:
2019-08-28 08:28:59,395 INFO [qtp1010670443-3216:https://mail.example.com/service/spnego] [oip=10.3.1.156;ua=Mozilla/5.0 (Windows NT 10.0;; Win64;; x64;; rv:68.0) Gecko/20100101 Firefox/68.0;] account - spnego auth failed: system failure: no spnego user realm
2019-08-28 08:28:59,395 INFO [qtp1010670443-3216:https://mail.example.com/service/spnego] [oip=10.3.1.156;ua=Mozilla/5.0 (Windows NT 10.0;; Win64;; x64;; rv:68.0) Gecko/20100101 Firefox/68.0;] account - spnego auth failed: authentication failed for [], no principal

Settings

Code:

$ zmprov gacf | grep Spnego
zimbraSpnegoAuthEnabled: TRUE
zimbraSpnegoAuthErrorURL: /?ignoreLoginURL=1
zimbraSpnegoAuthRealm: EXAMPLE.LOCAL
$ zmprov gs `zmhostname` | grep Spnego
zimbraSpnegoAuthPrincipal: HTTP/mail.example.com@EXAMPLE.LOCAL
zimbraSpnegoAuthTargetName: HTTP/mail.example.com
$ zmprov gd ft.by | grep Auth
zimbraAdminConsoleLDAPAuthEnabled: FALSE
zimbraAuthFallbackToLocal: TRUE
zimbraAuthKerberos5Realm: example.local
zimbraAuthLdapBindDn: %u@example.local
zimbraAuthLdapSearchBindDn: ldap@example.local
zimbraAuthLdapSearchBindPassword: ***************
zimbraAuthLdapURL: ldap://dc1.example.local:389 ldap://dc3.example.local:389
zimbraAuthMech: ad
zimbraAuthMechAdmin: ad
zimbraBasicAuthRealm: Zimbra
zimbraReverseProxyExternalRouteIncludeOriginalAuthusername: FALSE
$ ls -al /opt/zimbra/data/mailboxd/spnego/jetty.keytab
-rwxr-xr-x 1 zimbra zimbra 67 Jul 22  2016 /opt/zimbra/data/mailboxd/spnego/jetty.keytab

Where to look for a problem? The jetty.keytab file is working.
johnnyBolt
Posts: 1
Joined: Fri Aug 30, 2019 9:41 am

Re: After upgrade from 8.8.12 to 8.8.15 SSO ceased

Post by johnnyBolt »

I have the same situation after upgrading from version 8.8.11.
Service https://mail.server./service/spnego/snoop.jsp responds with "HTTP ERROR 403"
Problem accessing /service/spnego/snoop.jsp. Reason:

system failure: no spnego user realm
rjeth0
Posts: 3
Joined: Sun Sep 01, 2019 8:44 pm

Re: After upgrade from 8.8.12 to 8.8.15 SSO ceased

Post by rjeth0 »

We've had exactly the same problem as well: SPNEGO used to work just fine in 8.8.11, and on updating to 8.8.15, it stopped. It also doesn't seem to work in 8.8.15p1.

I tried the troubleshooting steps in https://wiki.zimbra.com/wiki/Configurin ... le_Sign-On , but the mailbox.log only shows

[qtp1231156911-203:https://my.server.com//service/spnego/] [ip=A.B.C.D;port=45784;ua=Mozilla/5.0 (Windows NT 10.0;; Win64;; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36;] account - spnego auth failed: system failure: no spnego user realm

Any ideas?
marekc
Posts: 1
Joined: Tue Sep 17, 2019 9:26 am

Re: After upgrade from 8.8.12 to 8.8.15 SSO ceased

Post by marekc »

Hi,
I have the same situation. Has anyone solved this problem?
Has anyone tried to downgrade Zimbra from 8.8.15 to 8.8.12?

Marek
Macroendrix
Posts: 1
Joined: Tue Sep 17, 2019 12:16 pm

Re: After upgrade from 8.8.12 to 8.8.15 SSO ceased

Post by Macroendrix »

Same problem here, even after applying patch 1 and upgrading Ubuntu to 18.04 LTS. Everything is working fine, except SSO.

Regards
jhurley
Zimbra Employee
Posts: 34
Joined: Wed Apr 27, 2016 7:04 pm

Re: After upgrade from 8.8.12 to 8.8.15 SSO ceased

Post by jhurley »

Calling the URL below gives the error 'no spnego user realm'.

https://host/service/spnego/snoop.jsp

The SpnegoLoginService object isn't created during server start, and SpnegoFilter.getSpnegoUserRealm() returns null because it is not able to locate the ServletContextHandler class.

Adding the lines below to jetty.xml.in for serverClasses and systemClasses should resolve the issue.

<Item>org.eclipse.jetty.servlet.</Item>
<Item>org.eclipse.jetty.servlets.</Item>

<Item>-org.eclipse.jetty.servlet.</Item>

The issue is reproducible locally on 8.8.15; copying the attached jetty.xml.in followed by a server restart resolved the issue. Jetty version: 9.4.18

Attached is an updated jetty.xml.in file.
Issue has been reported to Development.
Attachments
jetty.xml.in.gz
(5.14 KiB)
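
An added example, not part of the original posts and not Zimbra's code: a shell triage that tallies the "spnego auth failed" reasons in a mailbox.log and reports which of the three <Item> entries quoted in the post above are absent from a jetty.xml.in. The function names, the sample log lines and the sample jetty.xml.in fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Zimbra code): triage for the "no spnego user realm" failure.
# The three <Item> lines are the ones quoted in the post above; this only checks
# that they appear somewhere in the file, not which array they sit in.
REQUIRED_ITEMS='<Item>org.eclipse.jetty.servlet.</Item>
<Item>org.eclipse.jetty.servlets.</Item>
<Item>-org.eclipse.jetty.servlet.</Item>'

# Print every required <Item> line that is absent from jetty.xml.in ($1).
missing_items() {
    printf '%s\n' "$REQUIRED_ITEMS" | while IFS= read -r item; do
        grep -qF -- "$item" "$1" || printf '%s\n' "$item"
    done
}

# Tally the reasons logged after "spnego auth failed:" in mailbox.log ($1).
failure_reasons() {
    sed -n 's/.*spnego auth failed: //p' "$1" | sort | uniq -c | sort -rn
}

# Classify: $1 = mailbox.log, $2 = jetty.xml.in.
diagnose() {
    if ! grep -qF 'spnego auth failed: system failure: no spnego user realm' "$1"; then
        echo "no-realm-error"          # different failure: check keytab and principal
    elif [ -n "$(missing_items "$2")" ]; then
        echo "jetty-entries-missing"   # matches the cause described in the thread
    else
        echo "entries-present"         # entries are there: restart or look elsewhere
    fi
}

# Constructed sample inputs, written to a temp dir so the script runs offline.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/mailbox.log" <<'EOF'
2019-08-28 08:28:59,395 INFO [qtp1-1:https://mail.example.com/service/spnego] [oip=10.3.1.156;] account - spnego auth failed: system failure: no spnego user realm
2019-08-28 08:29:04,101 INFO [qtp1-2:https://mail.example.com/service/spnego] [oip=10.3.1.157;] account - spnego auth failed: system failure: no spnego user realm
2019-08-28 08:29:04,102 INFO [qtp1-2:https://mail.example.com/service/spnego] [oip=10.3.1.157;] account - spnego auth failed: authentication failed for [], no principal
EOF
cat > "$SAMPLES/jetty.before" <<'EOF'
<Item>org.eclipse.jetty.servlets.</Item>
EOF
{ cat "$SAMPLES/jetty.before"; printf '%s\n' "$REQUIRED_ITEMS"; } > "$SAMPLES/jetty.after"

failure_reasons "$SAMPLES/mailbox.log"
diagnose "$SAMPLES/mailbox.log" "$SAMPLES/jetty.before"
diagnose "$SAMPLES/mailbox.log" "$SAMPLES/jetty.after"
```

On a real server, point the functions at the actual mailbox.log and jetty.xml.in instead of the constructed samples.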
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: After upgrade from 8.8.12 to 8.8.15 SSO ceased

Post by L. Mark Stone »

Thanks John!

Do you know if this fix will make it into 8.8.15 Patch 2? (Or at least the Release Notes “Known Issues” section)?

Thanks again,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
jhurley
Zimbra Employee
Posts: 34
Joined: Wed Apr 27, 2016 7:04 pm

Re: After upgrade from 8.8.12 to 8.8.15 SSO ceased

Post by jhurley »

The bug was reported too late to be included in Patch 2.