Fix preauth redirection: Difference between revisions

 
(4 intermediate revisions by 2 users not shown)
Line 7: Line 7:


==Problem==
==Problem==
Since Zimbra 9.0.0 Kepler Patch 30 and 8.8.15 James Prescott Joule Patch 37, Zimbra Pre-Auth will only work when it redirects to the zimbraPublicServiceHostname and that means your DNS domain should match zimbraPublicServiceHostname. In case you have not configured this correctly or use multiple redirection domains, refer to steps in this page.
After successfully authenticating with the username and password to the login page, get a ERROR 400 Bad Request.If zimbra is configured with a zimbra domain PreAuth key.
After successfully authenticating with the username and password to the login page, get a ERROR 400 Bad Request.If zimbra is configured with a zimbra domain PreAuth key.
<pre>
HTTP ERROR 400 Bad Request
URI: /service/preauth
STATUS: 400
MESSAGE: Bad Request
SERVLET: PreAuthServlet
</pre>
After refresh the page two times, get below error.
<pre>
HTTP ERROR 400 authtoken is invalid
URI: /service/preauth
STATUS: 400
MESSAGE: authtoken is invalid
SERVLET: PreAuthServlet
</pre>


==Solution==
==Solution==
This type of problem occurs where public service hostname, protocol and port values are not configured.
To fix this problem public service hostname should be configured.  
 
To fix this problem we have to set '''zimbraPublicServiceHostname''', '''zimbraPublicServiceProtocol''', and '''zimbraPublicServicePort''' on Domain or Global level configuration.  


===Steps for Global Level Config===
===Steps for Global Level Config===
  su - zimbra  
  su - zimbra  
  zmprov mcf zimbraPublicServiceHostname MAIL.DOMAIN.COM
  zmprov mcf zimbraPublicServiceHostname MAIL.DOMAIN.COM
zmprov mcf zimbraPublicServiceProtocol https
zmprov mcf zimbraPublicServicePort 443
  zmcontrol restart
  zmcontrol restart
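Review bot: In the Global Level Config steps, the zimbraPublicServiceProtocol and zimbraPublicServicePort commands appear on one side of this comparison only, and the latest revision lists only zimbraPublicServiceHostname. The Solution text should say whether protocol and port no longer need to be set for PreAuth, or those two commands should be kept. The added Problem sentence ends "get a ERROR 400 Bad Request.If zimbra is configured with a zimbra domain PreAuth key."; reordering it to lead with the condition and adding the missing space would make it readable.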


Line 24: Line 38:
  su - zimbra  
  su - zimbra  
  zmprov md DOMAIN.COM zimbraPublicServiceHostname MAIL.DOMAIN.COM
  zmprov md DOMAIN.COM zimbraPublicServiceHostname MAIL.DOMAIN.COM
zmprov md DOMAIN.COM zimbraPublicServiceProtocol https
zmprov md DOMAIN.COM zimbraPublicServicePort 443
  zmcontrol restart
  zmcontrol restart


'''Note''': Replace '''DOMAIN.COM''' and '''MAIL.DOMAIN.COM''' with the actual value according to your environment.
If must use a different url, then provide an FQDN in zimbra_allowed_redirect_url.
 
=== zimbra_allowed_redirect_url ===
 
The setting of zimbra_allowed_redirect_url should be avoided and be used with caution. If zimbraPublicServiceHostname is set correctly and the DNS matches zimbraPublicServiceHostname, the setting of zimbra_allowed_redirect_url is not necessarily.


Above configuration also required for sharing where zimbra-proxy is configured.
From the release notes:


A new LC attribute zimbra_allowed_redirect_url has been introduced to control the PreAuth RedirectURL. By default value of the zimbra_allowed_redirect_url attribute is blank which means PreAuth RedirectURL allowed a single URL only from the value of zimbraPublicServiceHostname attribute. If PreAuth RedirectURL is different from the value of zimbraPublicServiceHostname then we can allow the URL in zimbra_allowed_redirect_url.


# zimbra_allowed_redirect_url accepts a single URL at a time.
# zimbra_allowed_redirect_url supports start with URL. For example, if zimbra_allowed_redirect_url is set to https://wiki.zimbra.com , then PreAuth RedirectURL also allow https://wiki.zimbra.com/wiki/Zimbra_Releases/.
# This means you could set zimbra_allowed_redirect_url to https:// which will disable the PreAuth redirect security, this is NOT recommended.


{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"
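Review bot: Item 2 of the release-note list describes a starts-with match and uses https://wiki.zimbra.com, with no trailing slash, as its example. If the comparison is a plain string prefix, that value also accepts any URL whose hostname merely begins with wiki.zimbra.com, so the example value should end in a slash and the caution paragraph should say why. In the same hunk, "is not necessarily" should read "is not necessary", and the sentence "Above configuration also required for sharing where zimbra-proxy is configured." does not appear in the latest revision; if it still holds it should be kept.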

Latest revision as of 18:08, 16 March 2023

How to fix preauth redirection problem


KB 24510. Last updated on 2023-03-16.





Problem

Since Zimbra 9.0.0 Kepler Patch 30 and 8.8.15 James Prescott Joule Patch 37, Zimbra Pre-Auth only works when it redirects to the zimbraPublicServiceHostname, which means your DNS domain should match zimbraPublicServiceHostname. If you have not configured this correctly, or you use multiple redirection domains, follow the steps on this page.

If Zimbra is configured with a domain PreAuth key, then after successfully authenticating with the username and password on the login page, you get an ERROR 400 Bad Request.

HTTP ERROR 400 Bad Request
URI: /service/preauth
STATUS: 400
MESSAGE: Bad Request
SERVLET: PreAuthServlet 

After refreshing the page two times, you get the error below.

HTTP ERROR 400 authtoken is invalid
URI: /service/preauth
STATUS: 400
MESSAGE: authtoken is invalid
SERVLET: PreAuthServlet 

Solution

To fix this problem, the public service hostname should be configured.

Steps for Global Level Config

su - zimbra 
zmprov mcf zimbraPublicServiceHostname MAIL.DOMAIN.COM
zmcontrol restart

Steps for Domain Level Config

su - zimbra 
zmprov md DOMAIN.COM zimbraPublicServiceHostname MAIL.DOMAIN.COM
zmcontrol restart

If you must use a different URL, then provide an FQDN in zimbra_allowed_redirect_url.

zimbra_allowed_redirect_url

Setting zimbra_allowed_redirect_url should be avoided, and it should be used with caution. If zimbraPublicServiceHostname is set correctly and the DNS matches zimbraPublicServiceHostname, setting zimbra_allowed_redirect_url is not necessary.

From the release notes:

A new LC attribute zimbra_allowed_redirect_url has been introduced to control the PreAuth RedirectURL. By default, the value of the zimbra_allowed_redirect_url attribute is blank, which means PreAuth RedirectURL allows a single URL only, from the value of the zimbraPublicServiceHostname attribute. If PreAuth RedirectURL is different from the value of zimbraPublicServiceHostname, then we can allow the URL in zimbra_allowed_redirect_url.

  1. zimbra_allowed_redirect_url accepts a single URL at a time.
  2. zimbra_allowed_redirect_url supports starts-with matching on the URL. For example, if zimbra_allowed_redirect_url is set to https://wiki.zimbra.com , then PreAuth RedirectURL also allows https://wiki.zimbra.com/wiki/Zimbra_Releases/.
  3. This means you could set zimbra_allowed_redirect_url to https:// which will disable the PreAuth redirect security; this is NOT recommended.
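
The rule described in the release notes can be modelled to check a proposed zimbra_allowed_redirect_url value before applying it. This is an added example, not Zimbra's code: it assumes the match is a plain string prefix as item 2 describes and that the public hostname stays accepted when the attribute is set; the function names and the .example hosts are hypothetical.

```python
from urllib.parse import urlsplit


def is_redirect_allowed(redirect_url, public_hostname, allowed_prefix=""):
    """Model of the documented check (assumption: plain string prefix match)."""
    host = (urlsplit(redirect_url).hostname or "").lower()
    # A redirect to zimbraPublicServiceHostname is accepted by default.
    if host == public_hostname.lower():
        return True
    # A blank attribute allows nothing else; otherwise compare by prefix.
    return bool(allowed_prefix) and redirect_url.startswith(allowed_prefix)


def audit_allowed_prefix(value):
    """Return findings for a proposed zimbra_allowed_redirect_url value."""
    findings = []
    if not value:
        return findings  # blank: only zimbraPublicServiceHostname is accepted
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        # Item 3 on the page: a scheme-only value disables the protection.
        findings.append("no host: prefix matches every URL with this scheme")
        return findings
    if parts.scheme != "https":
        findings.append("non-https prefix")
    if parts.path == "":
        # Without a slash after the host, longer hostnames share the prefix.
        findings.append("no trailing slash: prefix also matches longer hostnames")
    return findings


if __name__ == "__main__":
    public = "MAIL.DOMAIN.COM"  # placeholder hostname used on this page
    # Constructed sample values, for illustration only.
    for prefix in ("", "https://", "https://wiki.zimbra.com",
                   "https://wiki.zimbra.com/"):
        print(repr(prefix), audit_allowed_prefix(prefix))
    print(is_redirect_allowed("https://wiki.zimbra.com.other.example/",
                              public, "https://wiki.zimbra.com"))
```

A value that produces no findings here is still a widening of the default and should be limited to a destination you control.
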
Submitted by: Aditya Patidar
Verified Against: ZCS 8.8, ZCS 9.0
Date Created: 2023-03-15
Date Modified: 2023-03-16
Article ID: https://wiki.zimbra.com/index.php?title=Fix_preauth_redirection
