
Active Directory Authentication (Архива v2.2 or higher)

The Архива v2.5 (or higher) update has a reworked authentication system that uses NTLM v2 authentication instead of Kerberos. As part of the process of upgrading from earlier versions (such as v2.3, v2.1, v2.0, OSE and others), the Active Directory settings of the earlier product versions must be reconfigured. For more information, see Authorization.

LDAP Attribute must be selected in Active Directory Role Assignment

You have a role assignment with a missing LDAP attribute. You need to redefine your role assignments.

User is authenticated, but no role is assigned 

Exactly as it says: authentication was successful, but a role could not be assigned to the user. You need to create a matching role assignment in Active Directory.

failed to authenticate user:The account is not found

Edit your server.conf file in C:\Program Files\MailArchiva\Server\webapps\ROOT\WEB-INF\conf\server.conf and change the parameter
authentication.bind.attribute=UserPrincipalName
to
authentication.bind.attribute=sAMAccountName

End users cannot see their own emails

Make sure that the mail attribute is correct. If you are using MS Exchange, it should be set to proxyAddresses. If you are using another mail server it may be something else, e.g. mail.
In addition, the user role filter must contain the value %email%.



Active Directory Authentication (v2.1 and lower, including OSE)


Note: The troubleshooting tips in this section do not apply to Архива v2.5 or higher!

There are several reasons why the Архива email archiving server might not be able to authenticate with Active Directory. They are:

Login Domain Incorrect: krb Error 68

Kerberos error 68 is KDC_ERR_WRONG_REALM (listed as "Reserved for future use" in the Kerberos error code table). It means your service account login domain or user account login domain is incorrect.
Solution: Check the service account login domain (e.g. admin@business.local) or the user login domain (e.g. user@smallbusiness.local).

There is a missing entry in the hosts file

Either your DNS is not configured correctly or you are running Архива in a test environment. In these cases, an entry needs to be added to your hosts file to help Архива resolve your AD by FQDN. In Архива 2.0 and greater, you may need to click the Add To Hosts button to automatically add the IP address information to the hosts file. For OSE and older versions of EE, the hosts file is updated automatically; however, sometimes it can go astray and add more entries than necessary, causing authentication to fail. In this situation:

  1. Delete all Архива-inserted entries in your hosts file.
  2. Add the IP address, fully qualified domain name (FQDN) and name of the server running Active Directory to your C:\Windows\System32\drivers\etc\hosts file (Windows) or /etc/hosts file (Linux).

 

You need to add the following entry (WITH CAPITALS included) to the hosts file on the machine running the Архива server:

192.168.0.100 ACTIVEDIRECTORY.COMPANY.LOCAL ACTIVEDIRECTORY

(NB: Please replace ACTIVEDIRECTORY.COMPANY.LOCAL with the ACTUAL fully qualified domain name of your Active Directory server! If you do not do this, you will get a Server Not Found In Kerberos Database error. This error will only appear in your debug.log file.)

Server Not Found In Kerberos Database

In your hosts file, you must substitute ACTIVEDIRECTORY.COMPANY.LOCAL ACTIVEDIRECTORY with the fully qualified domain name and short name of your Active Directory server. For instance, your server may be called AD01 and your company HITECHINC, in which case you would add the following to your hosts file:

192.168.0.100 HITECHINC.LOCAL AD01

In the Архива email archiving server Configuration screen you will want to specify the following in the Active Directory configuration settings:

Kerberos Server: ad01.hitechinc.local:88
LDAP Server Address: ad01.hitechinc.local:389

The important point is that the fully qualified name of your AD controller must correspond exactly to the name of the server registered in Active Directory.

KDC and LDAP Address must be fully qualified domain names

Ensure that your KDC and LDAP addresses are fully qualified (e.g. activedirectory.company.com). Do not use the short name or IP address of the server.

You must use the fully qualified name when logging in

Log in using john@company.com, not just john.
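The hosts-file and address rules above can be checked mechanically before clicking Test Login. The following is an added Python example, not code from Архива or MailArchiva: the hosts file content is constructed (it contains the correct entry plus a stale duplicate of the kind the text warns about), and the function names `hosts_problems` and `address_problems` are this example's own.

```python
"""Preflight checks for the hosts-file entry and the KDC/LDAP address settings.
Added example; not part of Архива/MailArchiva. Function names are this
example's own."""
import ipaddress
import re

# Constructed sample hosts file: the correct entry from the text plus a stale
# duplicate, the "more entries than necessary" situation described above.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.0.100   HITECHINC.LOCAL AD01
# stale line left behind by an earlier automatic update
192.168.0.101   HITECHINC.LOCAL AD01
"""


def parse_hosts(text):
    """Return [(ip, [names...])] from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries


def hosts_problems(text, fqdn, short_name):
    """Problems with the hosts entry for the AD server; [] means it looks right.

    Checks: exactly one entry carries the FQDN, its IP parses, the short name
    is on the same line, and the names are written in capitals as the text asks.
    """
    problems = []
    matches = [(ip, names) for ip, names in parse_hosts(text)
               if fqdn.upper() in [n.upper() for n in names]]
    if not matches:
        return [f"no hosts entry for {fqdn}"]
    if len(matches) > 1:
        problems.append(f"{len(matches)} entries for {fqdn}; keep exactly one")
    for ip, names in matches:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"invalid IP address {ip!r} for {fqdn}")
        if short_name.upper() not in [n.upper() for n in names]:
            problems.append(f"entry {ip} lacks the short name {short_name}")
        if any(n != n.upper() for n in names):
            problems.append(f"entry {ip} is not in capitals: {' '.join(names)}")
    return problems


_HOST_PORT = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5})$")


def address_problems(setting, value, expected_port):
    """Check that a 'host:port' setting names the AD server by FQDN.

    Flags IP addresses and short names (no dot), and a port other than the
    one expected (88 for the KDC, 389 for LDAP).
    """
    m = _HOST_PORT.match(value)
    if not m:
        return [f"{setting}: expected host:port, got {value!r}"]
    host, port = m.group("host"), int(m.group("port"))
    problems = []
    try:
        ipaddress.ip_address(host)
        problems.append(f"{setting}: {host} is an IP address; use the FQDN")
    except ValueError:
        if "." not in host:
            problems.append(f"{setting}: {host} is a short name; use the FQDN")
    if port != expected_port:
        problems.append(f"{setting}: port {port}, expected {expected_port}")
    return problems


if __name__ == "__main__":
    for p in hosts_problems(SAMPLE_HOSTS, "HITECHINC.LOCAL", "AD01"):
        print("hosts:", p)
    for p in address_problems("Kerberos Server", "ad01:88", 88):
        print("config:", p)
```

Run it against the real hosts file by reading the file into `hosts_problems` with your AD server's FQDN and short name; an empty list from both functions means the entry and the two addresses are in the form the text requires.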

There is clock skew between the AD controller and the Архива server

The time must be exactly the same on both machines.

Password is incorrect

You entered an incorrect password when testing the account.

Server unable to reach the AD controller

Drop into a DOS prompt and ping the AD server using its fully qualified domain name, i.e. type:
ping ACTIVEDIRECTORY.COMPANY.LOCAL

Firewall blocking ports 88 and 389 

Open ports 88 and 389 on your firewall. If you are having real problems, it is a good idea to shut down the firewall while testing.

Wrong Base DN

Make sure you are using the correct Base DN. No quotes are needed. Change it to DC=company,DC=com; it does not need to be any more complicated than that.

No Roles Are Assigned

Don't forget to create a role assignment for your test user. If a role is not assigned to a user, you won't be able to perform a Test login for that user.

No support for encryption type

When attempting to authenticate against a Windows 2008 server, you might receive the message "no support for encryption type" or something equivalent. To maintain backward compatibility with older AD controllers, Архива uses DES encryption for Kerberos authentication by default. This is not compatible with Windows 2008 server, which uses AES as the default encryption type.

The easiest way to get Архива to authenticate is to enable DES authentication in the individual AD accounts. From the AD console, open the user's properties, select the Account tab and tick "Use Kerberos DES encryption types for this account".

Alternatively, it is possible to enable AES encryption in Архива by creating a file called krb5.conf with the following contents:

[libdefaults]
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts

Save the krb5.conf in /usr/local/mailarchiva/server/webapps/mailarchiva/WEB-INF/conf (Linux) or C:\Program Files\MailArchiva\Server\webapps\mailarchiva\server\WEB-INF\conf (Windows).
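Because the choice between the DES default and the AES settings above decides the cipher strength of every Kerberos ticket, it is worth verifying which enctypes a krb5.conf actually selects rather than assuming. The following is an added Python example, not Архива's own code: the two configuration strings are constructed (the AES one copies the settings above, the DES one stands in for the legacy default the text describes), and the parser handles only the `[section]` / `key = value` form shown on this page.

```python
"""Check which Kerberos enctypes a krb5.conf selects in [libdefaults].
Added example; not part of Архива/MailArchiva. The sample configurations are
constructed and the parser covers only the simple key = value form."""

# Constructed samples: the AES configuration from the text, and a single-DES
# variant standing in for the legacy default the text describes.
AES_KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
"""

DES_KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
permitted_enctypes = des-cbc-md5 des-cbc-crc
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Minimal parser returning {section: {key: value}}; comments are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def weak_enctypes(text):
    """Return {key: [single-DES enctypes]} for the enctype keys in [libdefaults].

    An empty dict means no single-DES type ("des-...") is configured; triple
    DES ("des3-...") is not flagged here.
    """
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    weak = {}
    for key in ENCTYPE_KEYS:
        types = libdefaults.get(key, "").split()
        des = [t for t in types if t.lower().startswith("des-")]
        if des:
            weak[key] = des
    return weak


def enctype_report(text):
    """One-line summary suitable for printing from the console while debugging."""
    weak = weak_enctypes(text)
    if not weak:
        return "OK: no DES enctypes in [libdefaults]"
    return "; ".join(f"{key} lists DES: {' '.join(types)}" for key, types in weak.items())


if __name__ == "__main__":
    print(enctype_report(AES_KRB5_CONF))
    print(enctype_report(DES_KRB5_CONF))
```

Point `enctype_report` at the krb5.conf you saved in the WEB-INF/conf directory; if the report lists DES, the "no support for encryption type" error against a 2008 controller is expected until the three keys are changed as shown above.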

 

Troubleshooting Complex Active Directory Problems


  1. First off, please reboot the server and try again before following these advanced instructions. Sometimes it takes a reboot to sort a Kerberos problem out.
  2. Stop the server.
  3. Enable DEBUG logging in the Server Log.
  4. Start the server from the DOS console (to do this in Windows, run the following exe: C:\Program Files\MailArchiva\Server\bin\MailArchivaServer.exe).
  5. From the Configuration screen in the Email Discovery and Administration Console, click the Test Login button in the AD configuration.
  6. Examine both the console output and the debug log (Kerberos protocol handshake information should be output to the console).
  7. Check out Jaas Kerberos Troubleshooting to solve your problem.


LDAP Authentication

 

Cannot find user due to UID mismatch

Архива cannot locate the user logging in because your UIDs do not have the domain (e.g. "@company.com") appended to them and you have mistakenly specified a default login domain. The default login domain should be empty (blank) if your UIDs don't have the domain name appended.
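The login-name rule from the Kerberos section ("you must use the fully qualified name when logging in") and this LDAP UID mismatch are two sides of the same lookup: the name the user types, possibly with a default login domain appended, has to equal what the directory stores. The following added Python example, not code from Архива, models that lookup and explains each mismatch. The rule that the default login domain is appended only to a bare user name, the function names and the two constructed directory contents are assumptions made for illustration.

```python
"""Model of how a typed login name is matched against the directory.
Added example; not Архива code. The append-only-to-bare-names rule and the
directory contents below are assumptions for illustration."""

# Constructed directory contents: an LDAP server storing bare UIDs, and an
# AD-style one storing user principal names.
BARE_UIDS = {"john", "mary"}
UPN_UIDS = {"john@company.com", "mary@company.com"}


def effective_login(uid, default_login_domain):
    """Name that will be looked up: a bare name gets the default login domain
    appended (when one is set); a name that already carries '@domain' is kept."""
    if "@" in uid or not default_login_domain:
        return uid
    return f"{uid}@{default_login_domain}"


def login_problems(directory_uids, uid, default_login_domain):
    """Explain why a login would not find the user; [] means it matches."""
    candidate = effective_login(uid, default_login_domain)
    if candidate in directory_uids:
        return []
    problems = [f"no directory entry for {candidate!r}"]
    # The mismatch this section describes: bare UIDs plus a default login domain.
    if candidate != uid and uid in directory_uids:
        problems.append("the default login domain was appended but the "
                        "directory stores bare UIDs; clear the default login domain")
    # The Kerberos-section rule: the directory holds UPNs, so log in with one.
    if "@" not in uid and any(u.startswith(uid + "@") for u in directory_uids):
        problems.append("the directory stores UIDs with a domain; log in with "
                        "the fully qualified name (e.g. user@company.com) or set "
                        "the default login domain")
    return problems


if __name__ == "__main__":
    # Bare UIDs in the directory with a default login domain set: the UID mismatch.
    for p in login_problems(BARE_UIDS, "john", "company.com"):
        print(p)
    # UPNs in the directory and a short login name: the "use the FQDN" case.
    for p in login_problems(UPN_UIDS, "john", ""):
        print(p)
```

Replace the constructed sets with the UID values your directory actually returns for a test user to see which of the two corrections applies.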
