0001200: SOGoProxyAuthenticator does not pass Kerberos SPNEGO authentication to IMAP server - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0001200	SOGo	Backend Mail	public	2011-03-23 03:12	2017-12-21 01:28

Reporter	steve	Assigned To
Priority	normal	Severity	feature	Reproducibility	always
Status	new	Resolution	open
Product Version	1.3.5

Summary	0001200: SOGoProxyAuthenticator does not pass Kerberos SPNEGO authentication to IMAP server
Description	When using Kerberos SPNEGO auth for SSO to SOGo, auth is passed perfectly after applying the result of ticket 1113 for SOGo calendar and contacts. However, auth is not passed properly to IMAP server such that mail can be displayed.
Additional Information	From the SOGo log: Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0xa22ee18[NGImap4ConnectionManager]> IMAP4 login failed: host=imap.4test.net, user=steve@4test.net, pwd=no url=imaps://steve%404test.net@imap.4test.net/ base=(nil) base-class=(nil)) = <0x0xa2af380[NGImap4Client]: login=steve@4test.net(pwd) socket=<NGActiveSSLSocket[0x0xa289ff0]: mode=rw address=<0x0xa1c65d0[NGInternetSocketAddress]: host=webmail.4test.net port=55036> connectedTo=<0x0x9fdc940[NGInternetSocketAddress]: host=imap.4test.net port=993>>> Mar 22 19:42:14 sogod [13526]: <0x0A1CFDE8[SOGoMailAccount]:0> renewing imap4 password Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0A1CFDE8[SOGoMailAccount]:0> no IMAP4 password available Mar 22 19:42:14 sogod [13526]: [ERROR] <0x0A1CFDE8[SOGoMailAccount]:0> Could not connect IMAP4
Tags	No tags attached.

jaywalker 2012-10-31 10:47 reporter ~0004760	Can this problem be avoided when the imap server is configured to support GSSAPI authentication as well? If sogo forwards the ticket, this might be a solution to the problem.

steve 2012-11-01 05:14 reporter ~0004764	Unfortunately, the ticket is not forwarded. I actually gave up on this for the time being and began using CAS which works great. As it turns out Cyrus-IMAP has a feature coming in 2.5 where it will accept SPNEGO for authentication. That should make this much easier to do, and reasonably secure as well, such that it might just work out of the box.

jaywalker 2012-11-01 13:50 reporter ~0004765	I tested against a dovecot IMAP server configured to accept SPNEGO authentication. SOGo however still fails with the same error message.

rjsalts 2017-12-21 01:28 reporter ~0012484	There kerberos ticket would presumably be for HTTP/webserver@REALM, not IMAP/imapserver@REALM. I think you need s4u2proxy or s4u2self support in sogo itself to request a ticket on behalf of the user for the IMAP/... or SMTP/... services.

Date Modified	Username	Field
2011-03-23 03:12	steve	New Issue
2012-10-31 10:47	jaywalker	Note Added: 0004760
2012-11-01 05:14	steve	Note Added: 0004764
2012-11-01 13:50	jaywalker	Note Added: 0004765
2017-12-21 01:28	rjsalts	Note Added: 0012484