56.2 Configuring Single Sign-On with Active Directory

GroupWise 18 supports Active Directory’s single sign-on capabilities allowing users to bypass the GroupWise login process by virtue of logging in once with Active Directory.

IMPORTANT:AD SSO is not supported if the GroupWise system is running in an OES cluster.

Make sure the following tasks are completed before continuing with the configuration of the server:

  • Make sure both the POA Server and the user workstation are joined to the same Active Directory domain.

  • Make sure the POA has the DNS name specified instead of the IP address in the GroupWise Admin Console > Post Office Agents > select the POA > Agent Settings > TCP/IP Address field.

  • Select Network authentication (eDirectory or Active Directory) in the Admin Console > Post Office > select the PO > Client Option > Security tab.

56.2.1 Windows POA

If you are using NT LAN Manager (NTLM) single sign-on, then no further configuration is required on the POA server. Complete the tasks below if you are using Kerberos single sign-on:

  • Register the POA as a Service Principle Name (SPN) by running the following command:

    gwadminutil adsso -a <path to post office directory>

    Example: gwadminutil adsso -a M:\mypo

  • Create a Service Connection Point (SCP) record to allow the client to automatically connect to the POA. If you do not run this command, users need to know the IP address and port number to connect to the POA. Run the following command to create the SCP:

    gwadminutil adsso -scp -a <path to post office directory>

56.2.2 Linux POA

Complete the tasks below to enable Kerberos single sign-on.

  • Make sure that all krb5 RPMs are installed on the server.

  • Make sure that the Linux server points to the AD server as its DNS server.

  • Join the Linux POA server to the windows domain by configuring the YaST2 > Network Services > Windows Domain Membership applet. The Kerberos Method in the Advanced Settings or Expert Settings needs to be system keytab.

  • Configure Kerberos by editing the /etc/krb5.conf file using the documentation for your version of SLES:

  • Add GroupWise to the keytab file for Kerberos by running the following command:

    net ads keytab add groupwise
  • Make sure that the /etc/krb5.keytab file is readable by the user that is running the GroupWise POA on the server. If it is not, do one of the following:

    • Change the ownership of the file to the same user as the user running the POA.

    • Add the POA user to a group and give the group read rights to the file.

  • Create a GroupWise Name Server in DNS to allow the client to automatically connect to the POA. If you do not do this, users need to know the IP address and port number to connect to the POA.