peawet08 Absent Member.

LDAP/Active Directory Setup not working for IMAP or WebAcc

Hi,

Sorry if this is the wrong place to ask...

I'm new to Groupwise having been a Microsoft evangelist in a previous career. I am finding my way around groupwise but am trying to increase security by linking user accounts to Active Directory.

I have configured the LDAP Settings by configuring a new directory and New servers that link to AD and this is allowing me to browse the AD structure.

1st Question: If I am associating an existing Groupwise account with an AD account, should I ensure that the Groupwise account Name (id) is the same as the SAMAccountName in AD? My GW account name actually matched up to a different user in AD, so I changed it to match.

Once the account was associated, I didn't want to change the global password settings to use AD as I had only configured one user. So I edited the user, client settings, and removed the password and ticked the option to authenticate against AD.
Now, when opening the client on my workstation, the client connects without prompting for a password which I hope means it is actually using AD to connect.

The problem I now have is that when I try to connect using the WebAcc or IMAP, this now fails. I have checked the logs, and from the information that is in there I can see the authentication attempt but it doesn't tell me why apart from the response "Username/Password is invalid".

2nd Question: Is there a particular format the login has to use when using AD Authentication?

3rd Question: Is there somewhere I can get more logging information for the login process?

Thanks

Mark
Micro Focus Expert

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Mark,

Welcome to the forums and thank you for your questions 🙂

Okay... If you are manually associating accounts the GroupWise ID may be different from the SAMAccountName, though I would not recommend this. I believe best practice is to have them matching. This also means that you can use the tools built into GroupWise to do mass associations rather than going to each and every individual account. Just note at this point, the UPN in AD must match the SAMAccountName if you want to configure SSO.

With regards to your account not prompting for a password and assuming you have not configured all the Kerberos stuff for SSO, it sounds like all you have done is removed the GroupWise password from your account. This can allow the client to start without prompting for a password, but WebAccess and IMAP will fail as those services absolutely require a password. Please go back to your user account in the GroupWise admin console and set a password. To complete the setup for LDAP authentication you need to change the security settings on the Post Office and configure LDAP authentication there.

When logging into GroupWise, IMAP, WebAccess you use your GroupWise ID. In case you are asking if you need to use LDAP format - no you don't.

As for logging information, start by ensuring the log level for all the components of your GroupWise system is set to Verbose. If you have indeed configured LDAP authentication between your POA and AD you would need to do LDAP traces to see what's happening at an LDAP level - note you'd have to disable SSL, if configured, to really see what is going on here.

I hope this information points you in the right direction. Please don't be shy to keep coming back here and posting more questions. We, the community, are all here to assist each other.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
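
A pre-flight check for the matching rules in the reply above, added here as an example and not part of the original thread: it parses an LDIF export of AD users and classifies each GroupWise ID before association. The function names, result labels and sample data are constructed, and "UPN matches" is assumed to mean the part of userPrincipalName before "@".

```python
import base64

# Constructed AD export in LDIF form (all names invented for this example).
SAMPLE_LDIF = """\
dn: CN=Mark Example,OU=Staff,DC=example,DC=test
sAMAccountName: mexample
userPrincipalName: mexample@example.test

dn: CN=Jo Sample,OU=Staff,DC=example,DC=test
sAMAccountName:: anNhbXBsZQ==
userPrincipalName: jo.sample@example.test

dn: CN=Anna Mueller,OU=Staff,DC=example,DC=test
sAMAccountName: amueller
userPrincipalName: amueller@exam
 ple.test
"""

def parse_ldif(text):
    """Return one {lowercased attribute: value} dict per LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    entries = []
    for block in unfolded.split("\n\n"):       # blank line separates entries
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):           # "attr:: value" is base64-encoded
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            entry[name.lower()] = rest.strip()
        if entry:
            entries.append(entry)
    return entries

def audit(gw_ids, ldif_text):
    """Classify each GroupWise ID before it is associated with an AD user."""
    by_sam = {e["samaccountname"].lower(): e
              for e in parse_ldif(ldif_text) if "samaccountname" in e}
    findings = {}
    for gw_id in gw_ids:
        entry = by_sam.get(gw_id.lower())
        if entry is None:
            findings[gw_id] = "no-ad-match"    # would need a manual association
            continue
        # Assumption: the UPN "matches" when its part before "@" equals the ID.
        upn_user = entry.get("userprincipalname", "").split("@")[0]
        findings[gw_id] = "ok" if upn_user.lower() == gw_id.lower() else "upn-mismatch"
    return findings
```

An ID reported as "no-ad-match" is the case from the first question, where the GroupWise name does not line up with the intended AD user; "upn-mismatch" marks accounts that would not meet the UPN condition mentioned for SSO.
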
Knowledge Partner

Re: LDAP/Active Directory Setup not working for IMAP or WebAcc

Ok, here is what IMHO is the basic misunderstanding:

Linking an account to a directory does *not* also mean the
authentication happens against the directory automatically. The
groupwise password will still be used, regardless if it's linked or not.

If you want to have the accounts to authenticate against the directory
instead of groupwise internal, you have to configure that separately, in
the PO like Laura said.

She also got you covered on why imap and webaccess fail.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
peawet08 Absent Member.

Re: LDAP/Active Directory Setup not working for IMAP or WebA

mrosen;2485564 wrote:
Ok, here is what IMHO is the basic misunderstanding:

Linking an account to a directory does *not* also mean the
authentication happens against the directory automatically. The
groupwise password will still be used, regardless if it's linked or not.

If you want to have the accounts to authenticate against the directory
instead of groupwise internal, you have to configure that separately, in
the PO like Laura said.

She also got you covered on why imap and webaccess fail.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de



Firstly, thanks for your responses!!

So if I removed the password against the client and told it to login using AD, is the client logging in with AD or simply using no password? If so, why have the option enabled to use AD?

Also, in the PO, if I enable LDAP authentication over Groupwise it seems to be a one or the other setting. I'm only testing with one user, so wouldn't this stop other users that are not linked to an AD user from connecting altogether?

Regards
Mark
Micro Focus Expert

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Mark,

When LDAP authentication is fully configured, any LDAP associated account will use LDAP authentication. Any GroupWise only user will still use the native GroupWise password/authentication.

Just be aware that when you set the client option to allow SSO with AD you had not completed the configuration by enabling LDAP authentication on the Post Office. Therefore you were not using LDAP/AD authentication. Your Post Office was still configured for GroupWise only authentication and you removed your GroupWise password and thus your account had no password.

Cheers,
Laura Buckley

peawet08 Absent Member.

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Laura,

Thanks for your quick response.

That was exactly what I thought might be happening.

I'm going to spin up copies of the servers in a test environment and flick the switch. I'm too nervous to do it on the live system just yet.

Regards

Mark
Micro Focus Expert

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Mark,

Totally understood and it's always good to have a test environment. Come back and ask more questions as needed... it's great to have a newcomer join us 🙂

Cheers,
Laura Buckley

peawet08 Absent Member.

Re: LDAP/Active Directory Setup not working for IMAP or WebA

laurabuckley;2485580 wrote:
Hi Mark,

When LDAP authentication is fully configured, any LDAP associated account will use LDAP authentication. Any GroupWise only user will still use the native GroupWise password/authentication.

Just be aware that when you set the client option to allow SSO with AD you had not completed the configuration by enabling LDAP authentication on the Post Office. Therefore you were not using LDAP/AD authentication. Your Post Office was still configured for GroupWise only authentication and you removed your GroupWise password and thus your account had no password.

Cheers,


Hi Laura,

We are planning an upgrade to GW in the next few weeks. Is there anything in GW18 that changes in relation to AD Authentication that you would say is worth me waiting for?

Mark
Micro Focus Expert

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Mark,

You don't say exactly what version of GroupWise you are currently on. GroupWise 18.0.1 is currently available. Having said that we anticipate that GroupWise 18.0.2 will be available next week. There's nothing different in the way LDAP authentication works between 2014.x.x and 18.x.x 🙂

Cheers,
Laura Buckley

peawet08 Absent Member.

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Laura,

I'll bear that in mind, thanks.

Mark
peawet08 Absent Member.

Re: LDAP/Active Directory Setup not working for IMAP or WebA

laurabuckley;2485602 wrote:
Hi Mark,

You don't say exactly what version of GroupWise you are currently on. GroupWise 18.0.1 is currently available. Having said that we anticipate that GroupWise 18.0.2 will be available next week. There's nothing different in the way LDAP authentication works between 2014.x.x and 18.x.x 🙂

Cheers,


Hi Laura,

I see that 18.0.2 is available for download. Are you aware of any reported issues with this release so far? Would you say it's good to rollout (To my test environment first) or should I wait a week or two?

Thanks

Mark
Micro Focus Expert

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Mark,

I'm not aware of any show-stoppers with 18.0.2

Cheers,
Laura Buckley

peawet08 Absent Member.

Re: LDAP/Active Directory Setup not working for IMAP or WebA

laurabuckley;2486203 wrote:
Hi Mark,

I'm not aware of any show-stoppers with 18.0.2

Cheers,


Cheers Laura and thanks for all your help

Mark
peawet08 Absent Member.

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Laura,

Time to resurrect this.

I have enabled LDAP in the PO and am now able to connect using the AD password instead of the Groupwise password on the two configured test accounts and this is reflected in Webmail and using the GMS (ActiveSync). Other users can login fine.

In the client options for each test user I have cleared the password and enabled "Network Authentication (Active Directory)". When I launch the client it asks for the password and accepts the AD credentials (Which also allowed without the "Network Authentication (Active Directory)" selected).

I want to prevent the test users from being presented with the login box, whilst still allowing the rest of the company to continue being prompted for their Groupwise password.

In the guide here it states that I should run the "gwadminutil adsso -a" command at a post office level. If I run this command, how will it affect the majority of users who are still using Groupwise authentication? Will it then prevent the login box from appearing for just the users who are using AD?

Thanks

Mark
Micro Focus Expert

Re: LDAP/Active Directory Setup not working for IMAP or WebA

Hi Mark,

Configuring SSO is done per Post Office. Therefore, any user authenticating using LDAP will be subject to SSO. Users still using GroupWise authentication will continue to be prompted for their user password until such time as they are LDAP associated and using their LDAP credentials.

Cheers,
Laura Buckley
