GroupWise SSO with Azure / Entra joined device

Hi everyone,

I am currently trying to make GroupWise SSO work with an Azure/Entra joined device.

So the device is not domain joined, it is only Entra joined. But it has line of sight to the domain controllers, so it actually receives the Kerberos TGT.

The problem is, the client does not receive the Kerberos ticket for the GroupWise SPN (service principal name).

If I join the device to the on-prem AD, everything works fine: the ticket for GroupWise gets granted and I am able to log in seamlessly.

Does anyone have an idea or experience with what can be done here?

Regards,

Philipp

PS: The reason behind going the Entra way is that I want to implement a way for our users to work in the office and mobile / in the home office as seamlessly as possible.

I just found out that the Entra joined device is actually able to manually receive a Kerberos ticket for the GroupWise-specific SPN if I run the command

klist get groupwise/server.my.domain.com

Yet SSO still does not work and I get prompted for a password when trying to start the GW client, even with the received Kerberos ticket. I guess I have to hand this over to support.
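A small diagnostic for the situation described in the reply above, added here as an example (not code from the thread or from GroupWise): it parses the output of klist, reports whether the cache holds a TGT and a service ticket for the GroupWise SPN, and says which step is missing. The function name, parameters and the sample klist text are assumptions / constructed for the example.

```powershell
# Added example: check the Kerberos ticket cache for a TGT and a given SPN.
# Function and parameter names are assumptions, not a GroupWise or Windows API.
function Test-GroupWiseKerberosTicket {
    param(
        [Parameter(Mandatory)] [string] $Spn,         # e.g. groupwise/server.my.domain.com
        [string[]] $KlistOutput = (klist 2>&1)         # live cache unless sample text is passed
    )
    # klist prints one "Server: <service> @ <REALM>" line per cached ticket.
    $servers = foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(\S+)\s*@\s*(\S+)') {
            [pscustomobject]@{ Service = $Matches[1]; Realm = $Matches[2] }
        }
    }
    $tgt = @($servers | Where-Object { $_.Service -like 'krbtgt/*' })
    $svc = @($servers | Where-Object { $_.Service -eq $Spn })   # -eq is case-insensitive

    $nextStep = if (-not $tgt) {
        'No TGT in cache: the device is not reaching a KDC (check line of sight to the DCs).'
    } elseif (-not $svc) {
        "TGT present but no service ticket; request it with: klist get $Spn"
    } else {
        'TGT and service ticket present; if SSO still fails, look at the POA log at verbose level.'
    }
    [pscustomobject]@{
        Spn              = $Spn
        HasTgt           = [bool]$tgt
        TgtRealm         = if ($tgt) { $tgt[0].Realm } else { $null }
        HasServiceTicket = [bool]$svc
        NextStep         = $nextStep
    }
}

# Constructed sample of klist output for a device that holds only a TGT.
$sample = @'
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: philipp @ MY.DOMAIN.COM
        Server: krbtgt/MY.DOMAIN.COM @ MY.DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
'@ -split "`r?`n"

Test-GroupWiseKerberosTicket -Spn 'groupwise/server.my.domain.com' -KlistOutput $sample
# On a live machine, omit -KlistOutput to inspect the current logon session's cache.
```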

Based on the initial info: "the device is not domain joined, it is only Entra joined. If I join the device to the on-prem AD, everything works fine."

I seem to see the logic as follows: GW is using the user association to an AD object, and this info in GW must match the AD info provided/found from the workstation info.

If this is available and matches the associated object info in GW, the user ID for this user in GW is used to start the mail client with SSO; if this is not available (no match), then SSO will not work.

Also, the POA might give more info based on the error reported at verbose level when SSO is not working.