Author Topic: http-proxy SSO (single sign on) zentyal 3.0 - problem  (Read 21927 times)

Sam Graf

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #45 on: November 13, 2012, 01:57:47 pm »

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #46 on: November 13, 2012, 04:59:25 pm »
Hello,

We have checked and we could use Kerberos with the 'Domain admin' group members. We have used Microsoft Explorer 8 (version 6 does not work in any case for Kerberos).

Check that:
- the proxy is not in transparent mode
- the client specifies the proxy with its fully qualified domain name; with an IP it will not work
- clocks are synchronized

christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #47 on: November 13, 2012, 05:29:21 pm »
This so-called "admin group membership" issue is not confirmed by Christophe; however, he solved his problem by reinstalling Zentyal with a different domain name. Testing further, I think he was able to reproduce this issue by reinstalling with the previous domain name. I'll come back to him in order to confirm and I'll let you know.

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #48 on: November 20, 2012, 12:59:04 pm »
Christian: about the admin group.

I've created a lot of user and group combinations; none of them works as expected.

Javier Amor:
- the client specifies the proxy with its fully qualified domain name; with an IP it will not work

I didn't know that, I've changed it (zentyal-domain.lan) but still same problems.

christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #49 on: November 20, 2012, 01:20:22 pm »
"zentyal-domain.lan" doesn't look like an FQDN but a domain name  ::)

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #50 on: November 20, 2012, 01:27:23 pm »
That's the name.

christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #51 on: November 20, 2012, 02:28:05 pm »
No, this is not the name... or at least what you show is not evidence that the name is correct.
And if the name is correct, there is something really weird or I'm totally puzzled  :o

Based on the LDAP settings you show, the name you are supposed to set in the proxy conf is zentyal.zentyal-domain.lan and not zentyal-domain.lan

I also wonder if your file sharing service works as expected: the NetBIOS name doesn't match the hostname, so NetBIOS over TCP doesn't work, does it?

This is really strange and I'm like in a dream today.
- This is the second thread which is tightly linked to misunderstanding between host, domain and FQDN
- I already saw in the past this "zentyal-domain.lan" domain naming with "zentyal" as hostname and similar confusion but as far as I remember, this was with another forum member.

I'm very tempted to launch a poll and make some stats: how many Zentyal users are using this very confusing naming convention?
Is it because of default names proposed by Zentyal wizard?
« Last Edit: November 20, 2012, 02:30:10 pm by christian »

christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #52 on: November 20, 2012, 02:47:54 pm »
I realize you are using the default naming convention proposed by the Zentyal installation wizard.
What makes things even more confusing is your NetBIOS name  ::)

I hope Zentyal team will read this thread and potentially change this wizard and/or update documentation to make things clearer, although very few users read the fucking manual.

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #53 on: November 20, 2012, 02:54:09 pm »
Yes, I used the default installation name since I was doing tests with beta installations.

I think I haven't changed it, because in beta it was the better option not to touch these things.

Should I do a new installation and set a better name?

Which can you suggest? :)

christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #54 on: November 20, 2012, 03:51:38 pm »
For the time being and for testing purposes, just fix the settings in your browser in order to use the right proxy (Zentyal) FQDN.
Once this works, you will have time to reinstall if really needed.

FastLaneJB

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #55 on: December 01, 2012, 12:16:10 pm »
Hi,

I'd just like to add that this isn't working at all for me either with SSO; without it, it works fine.

So I've got just 2 rules. Both go through filter groups but I've tried it without. Neither of the rules cover all users so if you don't authenticate properly you won't be able to browse. Transparent proxy is off (I intend to use a GPO to push the proxy settings out if I get this working).

I've got Zentyal running as a Samba 4 domain, Windows 7 clients joined to the domain and Internet Explorer 9 (I've tried Firefox as well). My domain ends with a .local and I've put in the FQDN of the server of zentyal.domain.local and also tried domain.local (Does still point to the Zentyal box so goes to the proxy but doesn't work either).

In fact, because I don't have a rule that works for all users, when I have SSO enabled I still get the username and password box come up. However, entering a valid username and password I get a Banned User error page.

I'd like to point out that Zarafa SSO also doesn't work. For this if I enable it I get a domain login box appear but entering a valid user doesn't work.

I have moved my users from the OU=Users,DC=domain,DC=local area of AD to better apply Group Policies to various users.

Zentyal is fully patched up by doing an apt-get dist-upgrade so it should be fully current at the time of writing.

richie1985

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #56 on: January 02, 2013, 09:18:03 am »
Is there any news? It still doesn't work on my side, with the same problem (SSO, FQDN proxy).

Please help.

richie1985

  • Zen Apprentice
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #57 on: January 02, 2013, 09:28:57 am »
Okay, I found the issue: Internet Explorer 6 won't work!

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #58 on: February 26, 2013, 12:32:28 pm »
Hi there.

After a few months out, I tried again to use Zentyal + SSO + proxy, but once again with no luck.

Scenario: 1 Zentyal server (2 network cards) + Windows XP desktops (using Firefox 19)

Everything works perfectly, logging into the domain and accessing shared folders, but when I try to set the rules for the proxy/dansguard it does not work with SSO activated.

My domain is incatest.lan, my server zentyal2013.incatest.lan. I've tried both in the Firefox proxy configuration, but it gives me the same error, that I am unable to navigate through the proxy.

I assume that something is working correctly, because when I enable the rule "allow everyone" in the proxy it works, but when I disable it, it does not work (which is correct). It seems that the group the user belongs to is not recognized.

When using only a group that is allowed to navigate, the proxy shows me that it does not accept connections, the same as if I deny everyone: "cache access denied"

Can anybody help me?

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #59 on: February 27, 2013, 09:28:24 am »
Hi there. At last! :)

I've changed the proxy server name to lowercase in the Firefox proxy configuration, and now it works :)

Really happy now!

Going to test "categorized list" :)

So today begins my transition from W2003 AD and W2003 file server to the Zentyal solution (plus proxy + content filtering server). Wish me luck!
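
The client-side checks raised in this thread (reply #46's checklist, reply #51's host-versus-domain point and reply #59's lowercase fix) can be expressed as a small preflight script. This is an added example, not part of any post and not Zentyal code; the function names, the problem codes, the `HTTP/<fqdn>@<REALM>` principal convention and the 300-second skew limit are assumptions of the example.

```python
import ipaddress

# Assumption: 300 s is the usual default Kerberos clock-skew tolerance.
MAX_SKEW_SECONDS = 300


def check_proxy_host(proxy_host, ad_domain):
    """Return problem codes for the proxy name typed into the browser."""
    host = proxy_host.strip().rstrip(".")
    domain = ad_domain.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return ["ip-literal"]  # no host name, so no service principal to request
    except ValueError:
        pass
    problems = []
    if host != host.lower():
        problems.append("not-lowercase")  # the fix reported in reply #59
    name = host.lower()
    if name == domain:
        problems.append("domain-only")  # e.g. zentyal-domain.lan, not the host
    elif "." not in name:
        problems.append("short-name")
    elif not name.endswith("." + domain):
        problems.append("outside-domain")
    return problems


def expected_spn(proxy_host, ad_domain):
    """Service principal a client would ask for (assumed HTTP/<fqdn>@<REALM>)."""
    host = proxy_host.strip().rstrip(".").lower()
    return f"HTTP/{host}@{ad_domain.strip().rstrip('.').upper()}"


def clock_skew_ok(client_epoch, server_epoch, max_skew=MAX_SKEW_SECONDS):
    """True when the two clocks are within the Kerberos skew tolerance."""
    return abs(client_epoch - server_epoch) <= max_skew


if __name__ == "__main__":
    # Constructed inputs; the host and domain names are those quoted in the thread.
    for host, domain in [
        ("192.0.2.10", "incatest.lan"),
        ("zentyal-domain.lan", "zentyal-domain.lan"),
        ("Zentyal2013.incatest.lan", "incatest.lan"),
        ("zentyal2013.incatest.lan", "incatest.lan"),
    ]:
        problems = check_proxy_host(host, domain)
        print(host, problems or expected_spn(host, domain))
    print("skew ok:", clock_skew_ok(1353412800, 1353412800 + 420))
```
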