Fix preauth redirection

Revision as of 18:08, 16 March 2023 by Aditya.patidar

How to fix preauth redirection problem


   KB 24510        Last updated on 2023-03-16  





Problem

Since Zimbra 9.0.0 Kepler Patch 30 and 8.8.15 James Prescott Joule Patch 37, Zimbra Pre-Auth only works when it redirects to the zimbraPublicServiceHostname, which means your DNS domain should match zimbraPublicServiceHostname. If you have not configured this correctly, or if you use multiple redirection domains, follow the steps on this page.

After successfully authenticating with the username and password on the login page, users get an ERROR 400 Bad Request if Zimbra is configured with a domain PreAuth key.

HTTP ERROR 400 Bad Request
URI: /service/preauth
STATUS: 400
MESSAGE: Bad Request
SERVLET: PreAuthServlet 

After refreshing the page two times, the following error appears.

HTTP ERROR 400 authtoken is invalid
URI: /service/preauth
STATUS: 400
MESSAGE: authtoken is invalid
SERVLET: PreAuthServlet 

Solution

To fix this problem, configure the public service hostname.

Steps for Global Level Config

su - zimbra 
zmprov mcf zimbraPublicServiceHostname MAIL.DOMAIN.COM
zmcontrol restart

Steps for Domain Level Config

su - zimbra 
zmprov md DOMAIN.COM zimbraPublicServiceHostname MAIL.DOMAIN.COM
zmcontrol restart

If you must use a different URL, provide an FQDN in zimbra_allowed_redirect_url.

zimbra_allowed_redirect_url

Setting zimbra_allowed_redirect_url should be avoided where possible, and the attribute should be used with caution. If zimbraPublicServiceHostname is set correctly and the DNS matches zimbraPublicServiceHostname, setting zimbra_allowed_redirect_url is not necessary.

From the release notes:

A new LC attribute, zimbra_allowed_redirect_url, has been introduced to control the PreAuth RedirectURL. By default, the value of the zimbra_allowed_redirect_url attribute is blank, which means PreAuth RedirectURL allows a single URL only, from the value of the zimbraPublicServiceHostname attribute. If the PreAuth RedirectURL is different from the value of zimbraPublicServiceHostname, then we can allow the URL in zimbra_allowed_redirect_url.

  1. zimbra_allowed_redirect_url accepts a single URL at a time.
  2. zimbra_allowed_redirect_url supports "starts with" URL matching. For example, if zimbra_allowed_redirect_url is set to https://wiki.zimbra.com, then PreAuth RedirectURL also allows https://wiki.zimbra.com/wiki/Zimbra_Releases/.
  3. This means you could set zimbra_allowed_redirect_url to https://, which will disable the PreAuth redirect security; this is NOT recommended.
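
The rule described in the release notes can be modelled to review a proposed zimbra_allowed_redirect_url value before it is applied. This is an added example, not Zimbra's code: the function names are hypothetical, and it assumes the default check compares the redirect host with zimbraPublicServiceHostname and that the allow-list is a literal string-prefix match.

```python
from urllib.parse import urlsplit


def audit_allowed_redirect_url(value):
    """Classify a zimbra_allowed_redirect_url value as (severity, message)."""
    value = value.strip()
    if not value:
        return ("ok", "blank: only zimbraPublicServiceHostname is allowed")
    parts = urlsplit(value)
    if not parts.scheme:
        return ("invalid", "not a URL: include the scheme, e.g. https://host/")
    if not parts.hostname:
        # The case the page warns about: a scheme-only prefix such as https://
        return ("critical", "no hostname: every URL with this scheme matches")
    if parts.scheme != "https":
        return ("warn", "non-HTTPS prefix for " + parts.hostname)
    return ("review", "every URL starting with this prefix is allowed")


def redirect_allowed(redirect_url, public_hostname, allowed_prefix=""):
    """Model of the check (assumed): public hostname, else literal prefix."""
    host = urlsplit(redirect_url).hostname
    if host and host.lower() == public_hostname.lower():
        return True
    return bool(allowed_prefix) and redirect_url.startswith(allowed_prefix)


if __name__ == "__main__":
    # Constructed sample values, using the page's placeholder hostname.
    public = "mail.domain.com"
    for candidate in ("", "https://wiki.zimbra.com", "https://"):
        severity, message = audit_allowed_redirect_url(candidate)
        print(f"{candidate!r:28} {severity:9} {message}")
    target = "https://wiki.zimbra.com/wiki/Zimbra_Releases/"
    for prefix in ("", "https://wiki.zimbra.com"):
        print(f"{prefix!r:28} allows {target}: "
              f"{redirect_allowed(target, public, prefix)}")
```
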

Submitted by: Aditya Patidar
Verified Against: ZCS 8.8, ZCS 9.0
Date Created: 2023-03-15
Date Modified: 2023-03-16
Article ID: https://wiki.zimbra.com/index.php?title=Fix_preauth_redirection


