View Issue Details

ID: 0001200
Project: SOGo
Category: Backend Mail
View Status: public
Last Update: 2017-12-21 01:28
Reporter: steve
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.3.5
Summary: 0001200: SOGoProxyAuthenticator does not pass Kerberos SPNEGO authentication to IMAP server
Description

When using Kerberos SPNEGO auth for SSO to SOGo, auth is passed perfectly after applying the result of ticket 1113 for SOGo calendar and contacts. However, auth is not passed properly to IMAP server such that mail can be displayed.

Additional Information

From the SOGo log:

Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0xa22ee18[NGImap4ConnectionManager]> IMAP4 login failed:
host=imap.4test.net, user=steve@4test.net, pwd=no
url=imaps://steve%404test.net@imap.4test.net/
base=(nil)
base-class=(nil))
= <0x0xa2af380[NGImap4Client]: login=steve@4test.net(pwd) socket=<NGActiveSSLSocket[0x0xa289ff0]: mode=rw address=<0x0xa1c65d0[NGInternetSocketAddress]: host=webmail.4test.net port=55036> connectedTo=<0x0x9fdc940[NGInternetSocketAddress]: host=imap.4test.net port=993>>>
Mar 22 19:42:14 sogod [13526]: <0x0A1CFDE8[SOGoMailAccount]:0> renewing imap4 password
Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0A1CFDE8[SOGoMailAccount]:0> no IMAP4 password available
Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0A1CFDE8[SOGoMailAccount]:0> Could not connect IMAP4

Tags: No tags attached.
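A triage sketch for the log excerpt in this report, added here as an example and not part of the original report or of SOGo: it folds multi-line sogod records together and flags IMAP login failures logged with `pwd=no`, noting whether the same worker then reported that no password was available. The sample log is constructed from the excerpt; the `pwd=yes` record, the user `alice@4test.net`, the function names and the reading of `pwd=no` as "no password held" are assumptions.

```python
import re

# Constructed sample: abridged from the excerpt in this report; the 13527 record is invented.
SAMPLE_LOG = """\
Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0xa22ee18[NGImap4ConnectionManager]> IMAP4 login failed:
host=imap.4test.net, user=steve@4test.net, pwd=no
url=imaps://steve%404test.net@imap.4test.net/
Mar 22 19:42:14 sogod [13526]: <0x0A1CFDE8[SOGoMailAccount]:0> renewing imap4 password
Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0A1CFDE8[SOGoMailAccount]:0> no IMAP4 password available
Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0A1CFDE8[SOGoMailAccount]:0> Could not connect IMAP4
Mar 22 19:43:02 sogod [13527]: [ERROR] <0x0xa22ee18[NGImap4ConnectionManager]> IMAP4 login failed:
host=imap.4test.net, user=alice@4test.net, pwd=yes
"""

HEADER = re.compile(r"^(\w{3} +\d+ [\d:]+) sogod \[(\d+)\]: (.*)$")
LOGIN_FIELDS = re.compile(r"host=([^,\s]+), user=([^,\s]+), pwd=(\w+)")


def parse_records(text):
    """Fold continuation lines (no timestamp/PID header) into the preceding record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "pid": m.group(2), "body": m.group(3)})
        elif records and line.strip():
            records[-1]["body"] += "\n" + line.strip()
    return records


def missing_credential_failures(text):
    """Login failures logged with pwd=no (assumed: no password was held), plus whether
    the same worker PID later logged 'no IMAP4 password available'."""
    records = parse_records(text)
    findings = []
    for i, rec in enumerate(records):
        m = LOGIN_FIELDS.search(rec["body"])
        if "IMAP4 login failed" not in rec["body"] or not m or m.group(3) != "no":
            continue
        confirmed = any(r["pid"] == rec["pid"] and "no IMAP4 password available" in r["body"]
                        for r in records[i + 1:])
        findings.append({"ts": rec["ts"], "pid": rec["pid"], "host": m.group(1),
                         "user": m.group(2), "confirmed": confirmed})
    return findings


if __name__ == "__main__":
    for finding in missing_credential_failures(SAMPLE_LOG):
        print(finding)
```

A `pwd=no` failure points at SOGo having no credential to present at all, which is a different condition from the IMAP server rejecting a password that was sent.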

Activities

jaywalker

2012-10-31 10:47

reporter   ~0004760

Can this problem be avoided when the imap server is configured to support GSSAPI authentication as well? If sogo forwards the ticket, this might be a solution to the problem.

steve

2012-11-01 05:14

reporter   ~0004764

Unfortunately, the ticket is not forwarded. I actually gave up on this for the time being and began using CAS which works great. As it turns out Cyrus-IMAP has a feature coming in 2.5 where it will accept SPNEGO for authentication. That should make this much easier to do, and reasonably secure as well, such that it might just work out of the box.

jaywalker

2012-11-01 13:50

reporter   ~0004765

I tested against a dovecot IMAP server configured to accept SPNEGO authentication. SOGo however still fails with the same error message.

rjsalts

2017-12-21 01:28

reporter   ~0012484

The Kerberos ticket would presumably be for HTTP/webserver@REALM, not IMAP/imapserver@REALM. I think you need s4u2proxy or s4u2self support in sogo itself to request a ticket on behalf of the user for the IMAP/... or SMTP/... services.

Issue History

Date Modified | Username | Field | Change
2011-03-23 03:12 | steve | New Issue |
2012-10-31 10:47 | jaywalker | Note Added: 0004760 |
2012-11-01 05:14 | steve | Note Added: 0004764 |
2012-11-01 13:50 | jaywalker | Note Added: 0004765 |
2017-12-21 01:28 | rjsalts | Note Added: 0012484 |