
SSO Active Directory UPN sAMAccountName

Hi Folks

We're currently facing a problem getting Single Sign On working in our environment.
GroupWise 2014 R2 14.2.2
Windows Server 2016 Domain functional level 2012 R2
Client Windows 10 1703 GroupWise Client 14.2.2 Build 126868

Single Sign On works if the sAMAccountName and the userPrincipalName are identical.
Let's say there is a user L_ABCD with the following configuration:
userPrincipalName: L_ABCD@ad.somedomain.com
sAMAccountName: L_ABCD
Domain: ad.somedomain.com
GroupWise Account name: L_ABCD

In this configuration the login works fine.

In our case the userPrincipalName and the sAMAccountName are not identical, because of Microsoft Office 365.
For clarity:
userPrincipalName: alpha.bet@somedomain.com (Same as e-mail)
sAMAccountName: L_ABCD
Domain: ad.somedomain.com
GroupWise Account name: L_ABCD

In this configuration SSO does not work and the user has to enter his password again.
The user still uses the sAMAccountName (L_ABCD) to log in.

The output of klist looks the same in both variants.

In the GroupWise debug POA log I can see the following error:
06:59:08 AFF7 Error: The authenticated user does not match the user requesting access to GroupWise [D092] in _WpeSSPIAuthorizeUser ()

Does somebody have a hint for me?

Thank You
Marco

Re: SSO Active Directory UPN sAMAccountName

On Fri, 22 Jun 2018 08:14:02 GMT, jbetschart
<jbetschart@no-mx.forums.microfocus.com> wrote:


Hi,


And if you enable the "do not ask for password if authenticated to edir"
setting?

>
> Hi Folks
>
> We're currently facing a problem getting Single Sign On working in our
> environment.
> GroupWise 2014 R2 14.2.2
> Windows Server 2016 Domain functional level 2012 R2
> Client Windows 10 1703 GroupWise Client 14.2.2 Build 126868
>
> Single Sign On works if the sAMAccountName and the userPrincipalName are
> identical.
> Let's say there is a user L_ABCD with the following configuration:
> userPrincipalName: L_ABCD@ad.somedomain.com
> sAMAccountName: L_ABCD
> Domain: ad.somedomain.com
> GroupWise Account name: L_ABCD
>
> In this configuration the login works fine.
>
> In our case the userPrincipalName and the sAMAccountName are *not*
> identical, because of Microsoft Office 365.
> For clarity:
> userPrincipalName: alpha.bet@somedomain.com (Same as e-mail)
> sAMAccountName: L_ABCD
> Domain: ad.somedomain.com
> GroupWise Account name: L_ABCD
>
> In this configuration SSO does not work and the user has to enter his
> password again.
> The user still uses the sAMAccountName (L_ABCD) to log in.
>
> The output of klist looks the same in both variants.
>
> In the GroupWise debug POA log I can see the following error:
> 06:59:08 AFF7 Error: The authenticated user does not match the user
> requesting access to GroupWise [D092] in _WpeSSPIAuthorizeUser ()
>
> Does somebody have a hint for me?
>
> Thank You
> Marco



Re: SSO Active Directory UPN sAMAccountName

Hi,

Where can I find this setting?
The only thing I found is under Client-Options -> Security -> Networkauthentication (eDirectory or Active Directory) which is logically activated.

Thank you
Marco

Re: SSO Active Directory UPN sAMAccountName

On Mon, 25 Jun 2018 08:16:02 GMT, jbetschart
<jbetschart@no-mx.forums.microfocus.com> wrote:

Hi,

With the option, do not asked for password if authenticated?
If so, if you use zcm as well, you could have a mishap if on different
micasa's.

Use the latest version of all products.

>
> Hi,
>
> Where can I find this setting?
> The only thing I found is under Client-Options -> Security ->
> Networkauthentication (eDirectory or Active Directory) which is
> logically activated.
>
> Thank you
> Marco



Re: SSO Active Directory UPN sAMAccountName

Hi

Thank you for your answer and sorry for the late reply.

There isn't a setting "do not ask for password if authenticated".
We tested the authentication without ZENworks installed and still the same problem.

We updated the server to 14.2.3 last week.


Alex Warmerdam;2483044 wrote:
> On Mon, 25 Jun 2018 08:16:02 GMT, jbetschart
> <jbetschart@no-mx.forums.microfocus.com> wrote:
>
> Hi,
>
> With the option, do not asked for password if authenticated?
> If so, if you use zcm as well, you could have a mishap if on different
> micasa's.
>
> Use the latest version of all products.
>
> >
> > Hi,
> >
> > Where can I find this setting?
> > The only thing I found is under Client-Options -> Security ->
> > Networkauthentication (eDirectory or Active Directory) which is
> > logically activated.
> >
> > Thank you
> > Marco

Re: SSO Active Directory UPN sAMAccountName

Hi,

Take a look at this TID: https://www.novell.com/support/kb/doc.php?id=7018598

Perhaps point 3 at the end is what is being referred to.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.

Re: SSO Active Directory UPN sAMAccountName

Hi

Now I got it. The whole time I was searching on the server side.
I checked the setting and it was already activated. So that shouldn't be the problem.

Thank you

Marco



laurabuckley;2483356 wrote:
> Hi,
>
> Take a look at this TID: https://www.novell.com/support/kb/doc.php?id=7018598
>
> Perhaps point 3 at the end is what is being referred to.
>
> Cheers,
comless_scott

Re: SSO Active Directory UPN sAMAccountName

I had opened up a service request for this; NTS said it was working as designed. I thought that it is rather unfortunate.
After all, the Kerberos functionality on the AD side seems to depend on userPrincipalName, which I tested and verified with other Kerberos-enabled applications.
Considering that a sAMAccountName can't even support a period, it is not even a possibility to get it working at my customer locations.
I was going to try a Windows POA to see if the same problems exist with it, but my customer decided to invest in a different solution instead.
I think the code might be different depending on if the server is Win or Lin, but that still doesn't mean it will work when the POA is on Windows.
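Added example, not part of the thread and not Micro Focus code: a PowerShell function that lists the accounts whose userPrincipalName differs from the sAMAccountName. It reports the prefix and suffix differences separately, because the failing configuration in the first post changes both at once. The function name `Find-UpnSamMismatch` and its parameters are hypothetical, and the sample objects are constructed from the values in the first post.

```powershell
# Added example: flag accounts whose UPN and sAMAccountName diverge.
function Find-UpnSamMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,

        # DNS name of the AD domain (ad.somedomain.com in the thread)
        [Parameter(Mandatory)]
        [string]$DomainDnsName
    )
    process {
        $sam = [string]$User.SamAccountName
        $upn = [string]$User.UserPrincipalName

        # Split on the last '@'; an empty UPN or one without '@' has no suffix
        $at = $upn.LastIndexOf('@')
        if ($at -ge 0) {
            $prefix = $upn.Substring(0, $at)
            $suffix = $upn.Substring($at + 1)
        } else {
            $prefix = $upn
            $suffix = $null
        }

        # -ne compares strings case-insensitively, as AD does for these names
        $prefixDiffers = $prefix -ne $sam
        $suffixDiffers = $suffix -ne $DomainDnsName

        if ($prefixDiffers -or $suffixDiffers) {
            [pscustomobject]@{
                SamAccountName    = $sam
                UserPrincipalName = $upn
                PrefixDiffers     = $prefixDiffers
                SuffixDiffers     = $suffixDiffers
            }
        }
    }
}

# Constructed sample data: the working and the failing configuration
$sample = @(
    [pscustomobject]@{ SamAccountName = 'L_ABCD'; UserPrincipalName = 'L_ABCD@ad.somedomain.com' }
    [pscustomobject]@{ SamAccountName = 'L_ABCD'; UserPrincipalName = 'alpha.bet@somedomain.com' }
)
$sample | Find-UpnSamMismatch -DomainDnsName 'ad.somedomain.com'

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * | Find-UpnSamMismatch -DomainDnsName (Get-ADDomain).DNSRoot
```

Only the second sample account is returned, with both flags set; testing an account that differs in just one of the two would show which difference triggers the D092 error.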