Fix preauth redirection
How to fix preauth redirection problem
Problem
Since Zimbra 9.0.0 Kepler Patch 30 and 8.8.15 James Prescott Joule Patch 37, Zimbra Pre-Auth only works when it redirects to the zimbraPublicServiceHostname, which means your DNS domain should match zimbraPublicServiceHostname. If you have not configured this correctly or use multiple redirection domains, refer to the steps on this page.
If Zimbra is configured with a domain PreAuth key, then after successfully authenticating with the username and password on the login page, you get an ERROR 400 Bad Request.
HTTP ERROR 400 Bad Request
URI: /service/preauth
STATUS: 400
MESSAGE: Bad Request
SERVLET: PreAuthServlet
After refreshing the page two times, you get the error below.
HTTP ERROR 400 authtoken is invalid
URI: /service/preauth
STATUS: 400
MESSAGE: authtoken is invalid
SERVLET: PreAuthServlet
Solution
To fix this problem, the public service hostname should be configured.
Steps for Global Level Config
su - zimbra
zmprov mcf zimbraPublicServiceHostname MAIL.DOMAIN.COM
zmcontrol restart
Steps for Domain Level Config
su - zimbra
zmprov md DOMAIN.COM zimbraPublicServiceHostname MAIL.DOMAIN.COM
zmcontrol restart
If you must use a different URL, then provide an FQDN in zimbra_allowed_redirect_url.
zimbra_allowed_redirect_url
Setting zimbra_allowed_redirect_url should be avoided, and it should be used only with caution. If zimbraPublicServiceHostname is set correctly and the DNS matches zimbraPublicServiceHostname, setting zimbra_allowed_redirect_url is not necessary.
From the release notes:
A new LC attribute zimbra_allowed_redirect_url has been introduced to control the PreAuth RedirectURL. By default value of the zimbra_allowed_redirect_url attribute is blank which means PreAuth RedirectURL allowed a single URL only from the value of zimbraPublicServiceHostname attribute. If PreAuth RedirectURL is different from the value of zimbraPublicServiceHostname then we can allow the URL in zimbra_allowed_redirect_url.
- zimbra_allowed_redirect_url accepts a single URL at a time.
- zimbra_allowed_redirect_url supports start with URL. For example, if zimbra_allowed_redirect_url is set to https://wiki.zimbra.com , then PreAuth RedirectURL also allow https://wiki.zimbra.com/wiki/Zimbra_Releases/.
- This means you could set zimbra_allowed_redirect_url to https:// which will disable the PreAuth redirect security, this is NOT recommended.
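The "starts with" behaviour described in the release notes can be modelled to check a candidate value before it is applied. This is an added example, not Zimbra's code and not part of the original page; it assumes a plain string prefix comparison and a host-name match against zimbraPublicServiceHostname, and the function names and the example.com / .test values are hypothetical.

```python
from urllib.parse import urlsplit


def redirect_allowed(redirect_url, public_hostname, allowed_prefix=""):
    """Model of the PreAuth redirect check as the release notes describe it.

    Assumptions: the host of the redirect is compared with
    zimbraPublicServiceHostname, and zimbra_allowed_redirect_url is a plain
    string "starts with" match.
    """
    host = (urlsplit(redirect_url).hostname or "").lower()
    if host == public_hostname.lower():
        return True
    # A blank setting (the default) allows nothing beyond the public hostname.
    return bool(allowed_prefix) and redirect_url.startswith(allowed_prefix)


def audit_allowed_prefix(allowed_prefix):
    """Return findings for a configured zimbra_allowed_redirect_url value."""
    if not allowed_prefix:
        return []  # default: only zimbraPublicServiceHostname is accepted
    findings = []
    parts = urlsplit(allowed_prefix)
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if not parts.hostname:
        findings.append("no hostname: any URL with this scheme passes")
    elif not parts.path.startswith("/"):
        findings.append("no '/' after hostname: longer hostnames with the same prefix pass")
    return findings


if __name__ == "__main__":
    PUBLIC = "mail.example.com"  # constructed zimbraPublicServiceHostname
    # Constructed candidate values for zimbra_allowed_redirect_url.
    for value in ("", "https://portal.example.com/", "https://portal.example.com", "https://"):
        print(repr(value), audit_allowed_prefix(value))
        for url in ("https://mail.example.com/mail",
                    "https://portal.example.com/inbox",
                    "https://portal.example.com.other.test/inbox"):
            print("   ", url, redirect_allowed(url, PUBLIC, value))
```

Under these assumptions, a value that ends with "/" after the hostname is the narrowest form of the setting, and a blank value with a correct zimbraPublicServiceHostname remains the preferred configuration.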
Submitted by: Aditya Patidar