SlideShare a Scribd company logo
1 of 21
Download to read offline
IBM Connections Mail
Plugin Configuration with
Exchange Backend
Michele Buccarello
4/16/2015
This document describe how to configure the IBM Connection Mail Plugin with Exchange Backend
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 1
Table of Contents
PREREQUISITES............................................................................................................................................ 2
WHAT THE WIKI SAYS .................................................................................................................................. 2
KERBEROS CONFIGURATION........................................................................................................................ 2
CONFIGURE THE AUTODISCOVERY SERVLET................................................................................................. 7
CERTIFICATE EXPORT ............................................................................................................................... 8
IMPORT THE SSL CERTIFICATE IN WEBSPHERE.........................................................................................11
CONFIGURE socialmail-discovery-config.xml ...........................................................................................12
TROUBELSHOOTING....................................................................................................................................13
WIDGET ARCHITECTURE..........................................................................................................................13
SERVER SIDE........................................................................................................................................14
BROWSER SIDE....................................................................................................................................14
AUTHENTICATION FLOW.........................................................................................................................14
ADDITIONAL TRACE.................................................................................................................................15
GATHERING TRACE AND DEBUG INFORMATION......................................................................................16
HTTP 400 ISSUE (negotiation header too long) ........................................................................................19
DELEGETION DOESN’T WORK ONLY IN CHROME .....................................................................................20
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 2
PREREQUISITES
This guide cover all configuration of IBM Connections Mail plugin with Exchange as a backend, before to
read check these requirements
1) IBM Connections 5 CR2 or later
2) IBM Connections Mail 1.6
3) Exchange server compliant with System Requirements and with Kerberos enabled. For system
requirements check http://www-01.ibm.com/support/docview.wss?uid=swg27036069
4) A good knowledge about Kerberos protocol and delegation process
5) A basic knowledge about Exchange Web Services (EWS) and autodiscovery mechanism
6) Kerberos Enabled on all Exchange server (NTLM auth works only with autodiscoery process not for
EWS )
7) A basic knowledge about Whireshark
WHAT THE WIKI SAYS
In the URL below you could find all official information about Mail Plugin configurations
http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_pre-install.dita
This guide is a compendium about the configuration and authentication flow for the Exchange integration.
KERBEROS CONFIGURATION
In the official wiki the first step is configuring correctly the SPNEGO and KERBEROS authentication
mechanism as described in this link
http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_spnego.dita
Before to start the SPNEGO configuration two steps are important requirement:
1) Mapping an Active Directory Account to Administrativer roles
http://www-
01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_kerb_configure_AD_accou
nmhhhbnt.dita?lang=en
2) Create a Service Principal Name and Keytab file
http://www-
01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_install_kerb_create_service
_account.dita?lang=en
You could skip the point one only if your installation is built with an active directory user, check the image
below if during your installation process in the administrator user id field you have used an user from LDAP.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 3
In the wiki the point two is really detailed but if you are going to do this configuration on Windows 2012
Active Directory some extra steps are a requirement to avoid problems with Kerberos authentication:
- Windows 2012 have a strong encryption this creates problems with the Kerberos protocol because
normally the communication between the Key Distribution Center and the Domain Computer
works via UDP protocol but the UDP payload isn’t unable to contain all encrypted information
because it is really small than the TCP packet, to force the communication via TCP protocol you
must add this line inside the krb5.conf  udp_preference_limit = 1
- If you are going to setup Kerberos in an Active Directory Domain forest with child site and Different
Realm you must explicit all realm in the sections realms and domain_realm
- If you see error related to the KDC options you must manually set this options in the krb5.ini, in
particular with Windows 2012 I force the proxiable = false and renewable = false, this step is not a
requirement and it solve problems in the infrastructure where I setup the Kerberos authentication.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 4
In the image below a full example of the krb5.ini
Below the screen about Kerberos / SPNEGO WebSphere settings.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 5
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 6
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 7
In the step five you should add the generic property inside the properties tag. In my environment I
experienced some problems but more investigation are required about this generic property:
- <genericProperty name="shindig.config.container.overrides">
By default in connections 5 we have a generic property “shinding overrides” in the sections properties and
if you follow the wiki the result would be something like this
We experienced some problems with the this configuration because it seems the first property is
overwritten by the second. To avoid any strange issue we merge the two property into a big one.
Now we have successful complete all Kerberos / SPNEGO configuration.
CONFIGURE THE AUTODISCOVERY SERVLET
The autodiscovery servlet is used to discovery the mail server where the mail file is located, in particular
Exchange have the own system to give this type of information. In the wiki link we could find all information
about the autodiscovery configuration:
- http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_discovery.dita
The first step described in the section 2.A says to ask the certificate to the administrator, we could export
the certificate manually from the browser. Below the screens show an export of the ibm ssl certificate, the
steps are the same for Exchange.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 8
CERTIFICATE EXPORT
Click on the padlock icon, and the click on view certificates.
Click on Certification Path
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 9
Export the Certificate authority and the intermediate certificate ( first and second certificate)
CA Export: select the first certificate and click “view certificate”.
Check in the new window if in the certificate path there is only the CA certificate
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 10
Now we export the CA
In the last screen press finish to complete the export of CA certificate and close the CA window.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 11
The same steps are used for the intermediate certificate the important thing is to select in the first window
under certificate path the second certificate
After click on view certificate apply the same steps to export the intermediate certificate.
At this point we need to import this certificates on the WebSphere cacertes via keytool utility.
IMPORT THE SSL CERTIFICATE IN WEBSPHERE
The commands are described in the section 2.b, below the command used
keytool -import -file cacert.cer -alias exchange_cacert -
keystore E:IBMWebSphereAppServerjavajrelibsecuritycacerts
keytool -import -file intermdiate.cer -alias exchange_intermediatecert -
keystore E:IBMWebSphereAppServerjavajrelibsecuritycacerts
the default password for cacerts file is changeit.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 12
CONFIGURE socialmail-discovery-config.xml
In the wiki step three and four you need to copy the socialmail-discovery-config-template.xml
from the ConnectionsMail folder and paste it in theDMGR folder:
- WAS-root/AppServer/profiles/Dmgr01/config/cells/cell-name/LotusConnections-config
In the steps five and six are described the options, in the image below an example configuration.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 13
TROUBELSHOOTING
IBM Connections Mail Plugin is a widget based on open-social gadget running on Apache Shinding widget
container. In IBM Connections, the Apache shinding implementation is contained in the
WidgetContainer.ear installed in the InfraCluster server.
The mustgather link is:
- http://www-01.ibm.com/support/docview.wss?uid=swg21677101
all websphere trace must set in the server where the widgetcontainer.ear is located.
WIDGET ARCHITECTURE
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 14
SERVER SIDE
IBM Connections Mail opensocial gadget use a different Ajax Proxy the name is CREAjaxProxy. This Ajax
proxy is used to send all back-end call to the Exchange EWS WebService, for example the HTTPS post with
the delegated credential are sent through the CREAjaxProxy to the Exchange Mail server.
The discovery Servlet is registered as an extension point via OSGI in the Widget Container application.
BROWSER SIDE
On the browser side all ajax call are sent via makerRequest servlet ( the apache shinding implementation of
the method gadget.makerRequest) the response of this call is a json with the backend http response code (
rc=401 for example).
AUTHENTICATION FLOW
This image shows all network calls to take the user's email from Exchange.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 15
ADDITIONAL TRACE
To track all request related to:
- Widget container (CREAjaxProxy)
- Kerberos Delegation / SPNEGO
You must add this trace and JVM properties on the server where is located the WidgetContainer.ear
application.
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 16
GATHERING TRACE AND DEBUG INFORMATION
Before to start you need to have this requirements:
- A domain computer with WireShark and Fiddler installed
- If the domain computer is a windows 7 machine check if the klist command is available on the
command prompt, otherwise install the windows resource kit.
- Install on the Connections Server WireShark if you are in Windows or use tcpdump with the –s0
parameter to take the full payload under linux
- Enable trace on the infracluster Server and test the mail with the homepage application because is
in the same cluster of the WidgetContainer application.
1. Verify the browser settings for SPNEGO authentication
http://www-
01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_SPNEG
O_configweb_new.html?cp=SSAW57_8.5.5%2F1-3-0-21-3-0
2. Clear Kerberos token via klist
3. Start fiddler and WireShark on computer domain and wireshark on the server
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 17
4. On domain Computer put this filter
5. On Connections Server put this filter
6. Check four Kerberos request on WireShark Domain Computer
7. Check on fiddler if the request to discoveryServlet and makerRequest servlet have the right
response
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 18
the field rc is the HTTP response code if you get http 401 that means you are not authorized and
the delegation process doesn’t work propertly.
8. Check in the logs if there are problems on Kerberos ticket decryption
9. Check if the GSSCredential are correctly read
10. Check If the delegation process works correctly
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 19
11. Check if the CREAjaxProxy contact correctly the Exchange EWS WebService
HTTP 400 ISSUE (negotiation header too long)
When we try to automatically login in Connections some users receive a white page with HTTP error 400, in
this case you need to increase on all HTTP server the maximum header size if in the fiddler trace inside the
HTTP packe you saw the error header is too long inside the HTML response. This error doesn’t affect all
users for example in my case all users that had ten or more group in active directory get the HTTP 400
error, when groups became nine the SPNEGO authentication works. This happen because the header
NEGOTIATION contains the Kerberos TGT and the Microsoft privilege attribute certificate (PAC), the second
contains several logical components, including group membership data for authorization, alternate
credentials for non-Kerberos authentication protocols, and policy control information for supporting
interactive logon. To increase the header size put inside the virtualhost this apache directive:
- LimitRequestFieldSize 12392
The number is suggested inside the apache wiki http://httpd.apache.org/docs/2.2/mod/core.html. In the
image below an example configuration
IBM Connections Mail Plugin Configuration with Exchange Backend
IBM Connections Mail Plugin with Exchange Backend
Author:Michele Buccarello Page 20
DELEGETION DOESN’T WORK ONLY IN CHROME
Like Firefox in CHROME you must enable the delegation to have the mail plugin fully functional.
Follow the links below to enable the Kerberos delegation
- https://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist

More Related Content

What's hot

Ibm connections docs 2 install guide
Ibm connections docs 2 install guideIbm connections docs 2 install guide
Ibm connections docs 2 install guideRoberto Boccadoro
 
SHOW301 - Make Your IBM Connections Deployment Your Own: Customize It!
SHOW301 - Make Your IBM Connections Deployment Your Own: Customize It!SHOW301 - Make Your IBM Connections Deployment Your Own: Customize It!
SHOW301 - Make Your IBM Connections Deployment Your Own: Customize It!Klaus Bild
 
Customize it! Make IBM Connections look your way
Customize it! Make IBM Connections look your way Customize it! Make IBM Connections look your way
Customize it! Make IBM Connections look your way Klaus Bild
 
XCC Cloud for IBM Connections Cloud
XCC Cloud for IBM Connections Cloud XCC Cloud for IBM Connections Cloud
XCC Cloud for IBM Connections Cloud TIMETOACT GROUP
 
The Silence of the Installers
The Silence of the InstallersThe Silence of the Installers
The Silence of the InstallersKlaus Bild
 
Installing community surveys in connections 5.5
Installing community surveys in connections 5.5Installing community surveys in connections 5.5
Installing community surveys in connections 5.5Roberto Boccadoro
 
MAS202 - Customizing IBM Connections - Downloadable
MAS202 - Customizing IBM Connections - DownloadableMAS202 - Customizing IBM Connections - Downloadable
MAS202 - Customizing IBM Connections - Downloadablepaulbastide
 
Connections customization lite
Connections customization liteConnections customization lite
Connections customization liteSharon James
 
What's New in XCC 12 - Release
What's New in XCC 12 - ReleaseWhat's New in XCC 12 - Release
What's New in XCC 12 - ReleaseTIMETOACT GROUP
 
IBM Connections - Customizing and Extending
IBM Connections - Customizing and ExtendingIBM Connections - Customizing and Extending
IBM Connections - Customizing and ExtendingStuart McIntyre
 
XCC Release 6.0 Feature Overview
XCC Release 6.0 Feature OverviewXCC Release 6.0 Feature Overview
XCC Release 6.0 Feature OverviewTIMETOACT GROUP
 
XCC - What's New Release 10
XCC - What's New Release 10XCC - What's New Release 10
XCC - What's New Release 10TIMETOACT GROUP
 
Make Your IBM Connections Deployment Your Own: Customize It!
Make Your IBM Connections Deployment Your Own: Customize It!Make Your IBM Connections Deployment Your Own: Customize It!
Make Your IBM Connections Deployment Your Own: Customize It!Klaus Bild
 
IBM Presents the Notes Domino Roadmap and a Deep Dive into Feature Pack 8
IBM Presents the Notes Domino Roadmap and a Deep Dive into Feature Pack 8IBM Presents the Notes Domino Roadmap and a Deep Dive into Feature Pack 8
IBM Presents the Notes Domino Roadmap and a Deep Dive into Feature Pack 8Teamstudio
 
API & Custom Widgets coming in XCC next - Web Content and Custom App Extensio...
API & Custom Widgets coming in XCC next - Web Content and Custom App Extensio...API & Custom Widgets coming in XCC next - Web Content and Custom App Extensio...
API & Custom Widgets coming in XCC next - Web Content and Custom App Extensio...TIMETOACT GROUP
 

What's hot (20)

Ibm connections docs 2 install guide
Ibm connections docs 2 install guideIbm connections docs 2 install guide
Ibm connections docs 2 install guide
 
SHOW301 - Make Your IBM Connections Deployment Your Own: Customize It!
SHOW301 - Make Your IBM Connections Deployment Your Own: Customize It!SHOW301 - Make Your IBM Connections Deployment Your Own: Customize It!
SHOW301 - Make Your IBM Connections Deployment Your Own: Customize It!
 
Customize it! Make IBM Connections look your way
Customize it! Make IBM Connections look your way Customize it! Make IBM Connections look your way
Customize it! Make IBM Connections look your way
 
XCC Cloud for IBM Connections Cloud
XCC Cloud for IBM Connections Cloud XCC Cloud for IBM Connections Cloud
XCC Cloud for IBM Connections Cloud
 
The Silence of the Installers
The Silence of the InstallersThe Silence of the Installers
The Silence of the Installers
 
Installing community surveys in connections 5.5
Installing community surveys in connections 5.5Installing community surveys in connections 5.5
Installing community surveys in connections 5.5
 
MAS202 - Customizing IBM Connections - Downloadable
MAS202 - Customizing IBM Connections - DownloadableMAS202 - Customizing IBM Connections - Downloadable
MAS202 - Customizing IBM Connections - Downloadable
 
Xcc layout-options
Xcc layout-optionsXcc layout-options
Xcc layout-options
 
XCC Documentation
XCC   DocumentationXCC   Documentation
XCC Documentation
 
Connections customization lite
Connections customization liteConnections customization lite
Connections customization lite
 
What's New in XCC 12 - Release
What's New in XCC 12 - ReleaseWhat's New in XCC 12 - Release
What's New in XCC 12 - Release
 
IBM Connections - Customizing and Extending
IBM Connections - Customizing and ExtendingIBM Connections - Customizing and Extending
IBM Connections - Customizing and Extending
 
XCC Release 6.0 Feature Overview
XCC Release 6.0 Feature OverviewXCC Release 6.0 Feature Overview
XCC Release 6.0 Feature Overview
 
XCC 11
XCC 11XCC 11
XCC 11
 
XCC - What's New Release 10
XCC - What's New Release 10XCC - What's New Release 10
XCC - What's New Release 10
 
Make Your IBM Connections Deployment Your Own: Customize It!
Make Your IBM Connections Deployment Your Own: Customize It!Make Your IBM Connections Deployment Your Own: Customize It!
Make Your IBM Connections Deployment Your Own: Customize It!
 
IBM Presents the Notes Domino Roadmap and a Deep Dive into Feature Pack 8
IBM Presents the Notes Domino Roadmap and a Deep Dive into Feature Pack 8IBM Presents the Notes Domino Roadmap and a Deep Dive into Feature Pack 8
IBM Presents the Notes Domino Roadmap and a Deep Dive into Feature Pack 8
 
API & Custom Widgets coming in XCC next - Web Content and Custom App Extensio...
API & Custom Widgets coming in XCC next - Web Content and Custom App Extensio...API & Custom Widgets coming in XCC next - Web Content and Custom App Extensio...
API & Custom Widgets coming in XCC next - Web Content and Custom App Extensio...
 
What's new in XCC 13
What's new in XCC 13What's new in XCC 13
What's new in XCC 13
 
XCC Self Study Guide
XCC Self Study GuideXCC Self Study Guide
XCC Self Study Guide
 

Similar to IBM Connections mail with exchange backend

NT341 Mail Server Integration
NT341 Mail Server IntegrationNT341 Mail Server Integration
NT341 Mail Server IntegrationRyan Ellingson
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directoryprotect724rkeer
 
obiee 12c installation guidelines
obiee 12c installation guidelinesobiee 12c installation guidelines
obiee 12c installation guidelineskumud thakur
 
Free ERP 2BizBox Quick Start Tutorial
Free ERP 2BizBox Quick Start TutorialFree ERP 2BizBox Quick Start Tutorial
Free ERP 2BizBox Quick Start Tutorial253725291
 
Bsmc troubleshooting guide
Bsmc troubleshooting guideBsmc troubleshooting guide
Bsmc troubleshooting guidekobyah
 
Advanced Programming Using Visual Basic. NET
Advanced Programming Using Visual Basic. NETAdvanced Programming Using Visual Basic. NET
Advanced Programming Using Visual Basic. NETTony Lisko
 
Quick reference guide_for_windows_system931_install
Quick reference guide_for_windows_system931_installQuick reference guide_for_windows_system931_install
Quick reference guide_for_windows_system931_installSarfraz Khan
 
I doc packaging and mapping techniques.doc
I doc packaging and mapping techniques.docI doc packaging and mapping techniques.doc
I doc packaging and mapping techniques.docVERUS BRASIL
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...Protect724tk
 
Integrating IBM Watson IoT Platform IBM Blockchain Lab
Integrating IBM Watson IoT Platform IBM Blockchain LabIntegrating IBM Watson IoT Platform IBM Blockchain Lab
Integrating IBM Watson IoT Platform IBM Blockchain LabRahul Gupta
 
Informatica object migration
Informatica object migrationInformatica object migration
Informatica object migrationAmit Sharma
 
Full screen Web Browser support RS-232 / TCPIP peripheral (plugin)
Full screen Web Browser support RS-232 / TCPIP peripheral (plugin)Full screen Web Browser support RS-232 / TCPIP peripheral (plugin)
Full screen Web Browser support RS-232 / TCPIP peripheral (plugin)topomax
 
Blockchain Hyperledger Lab
Blockchain Hyperledger LabBlockchain Hyperledger Lab
Blockchain Hyperledger LabDev_Events
 

Similar to IBM Connections mail with exchange backend (20)

NT341 Mail Server Integration
NT341 Mail Server IntegrationNT341 Mail Server Integration
NT341 Mail Server Integration
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
 
obiee 12c installation guidelines
obiee 12c installation guidelinesobiee 12c installation guidelines
obiee 12c installation guidelines
 
05 160723204945
05 16072320494505 160723204945
05 160723204945
 
Free ERP 2BizBox Quick Start Tutorial
Free ERP 2BizBox Quick Start TutorialFree ERP 2BizBox Quick Start Tutorial
Free ERP 2BizBox Quick Start Tutorial
 
Bsmc troubleshooting guide
Bsmc troubleshooting guideBsmc troubleshooting guide
Bsmc troubleshooting guide
 
Anypoint b2 b
Anypoint b2 bAnypoint b2 b
Anypoint b2 b
 
Introduction to OBIEE 11g
Introduction to OBIEE 11gIntroduction to OBIEE 11g
Introduction to OBIEE 11g
 
Data link mamut_magento
Data link mamut_magentoData link mamut_magento
Data link mamut_magento
 
Advanced Programming Using Visual Basic. NET
Advanced Programming Using Visual Basic. NETAdvanced Programming Using Visual Basic. NET
Advanced Programming Using Visual Basic. NET
 
Quick reference guide_for_windows_system931_install
Quick reference guide_for_windows_system931_installQuick reference guide_for_windows_system931_install
Quick reference guide_for_windows_system931_install
 
I doc packaging and mapping techniques.doc
I doc packaging and mapping techniques.docI doc packaging and mapping techniques.doc
I doc packaging and mapping techniques.doc
 
LTRSEC-2017-LG
LTRSEC-2017-LGLTRSEC-2017-LG
LTRSEC-2017-LG
 
Visual connect
Visual connectVisual connect
Visual connect
 
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
ArcSight Actor Model Import Connector for Microsoft Active Directory Configur...
 
Integrating IBM Watson IoT Platform IBM Blockchain Lab
Integrating IBM Watson IoT Platform IBM Blockchain LabIntegrating IBM Watson IoT Platform IBM Blockchain Lab
Integrating IBM Watson IoT Platform IBM Blockchain Lab
 
Informatica object migration
Informatica object migrationInformatica object migration
Informatica object migration
 
Full screen Web Browser support RS-232 / TCPIP peripheral (plugin)
Full screen Web Browser support RS-232 / TCPIP peripheral (plugin)Full screen Web Browser support RS-232 / TCPIP peripheral (plugin)
Full screen Web Browser support RS-232 / TCPIP peripheral (plugin)
 
Blockchain Hyperledger Lab
Blockchain Hyperledger LabBlockchain Hyperledger Lab
Blockchain Hyperledger Lab
 

Recently uploaded

Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Henry Schreiner
 
How to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabberHow to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabbereGrabber
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Gáspár Nagy
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfsteffenkarlsson2
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfQ-Advise
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationWave PLM
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...naitiksharma1124
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfWSO2
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024Primacy Infotech
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdftimtebeek1
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024SimonedeGijt
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024Shane Coughlan
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024vaibhav130304
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...CloudMetic
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionMohammed Fazuluddin
 

Recently uploaded (20)

Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
How to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabberHow to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabber
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
AI Hackathon.pptx
AI                        Hackathon.pptxAI                        Hackathon.pptx
AI Hackathon.pptx
 
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024
Odoo vs Shopify: Why Odoo is Best for Ecommerce Website Builder in 2024
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
 

IBM Connections mail with exchange backend

  • 1. IBM Connections Mail Plugin Configuration with Exchange Backend Michele Buccarello 4/16/2015 This document describe how to configure the IBM Connection Mail Plugin with Exchange Backend
  • 2. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 1 Table of Contents PREREQUISITES............................................................................................................................................ 2 WHAT THE WIKI SAYS .................................................................................................................................. 2 KERBEROS CONFIGURATION........................................................................................................................ 2 CONFIGURE THE AUTODISCOVERY SERVLET................................................................................................. 7 CERTIFICATE EXPORT ............................................................................................................................... 8 IMPORT THE SSL CERTIFICATE IN WEBSPHERE.........................................................................................11 CONFIGURE socialmail-discovery-config.xml ...........................................................................................12 TROUBELSHOOTING....................................................................................................................................13 WIDGET ARCHITECTURE..........................................................................................................................13 SERVER SIDE........................................................................................................................................14 BROWSER SIDE....................................................................................................................................14 AUTHENTICATION FLOW.........................................................................................................................14 ADDITIONAL TRACE.................................................................................................................................15 GATHERING TRACE AND DEBUG INFORMATION......................................................................................16 HTTP 400 ISSUE (negotiation header too long) ........................................................................................19 DELEGETION DOESN’T WORK ONLY IN CHROME .....................................................................................20
  • 3. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 2 PREREQUISITES This guide cover all configuration of IBM Connections Mail plugin with Exchange as a backend, before to read check these requirements 1) IBM Connections 5 CR2 or later 2) IBM Connections Mail 1.6 3) Exchange server compliant with System Requirements and with Kerberos enabled. For system requirements check http://www-01.ibm.com/support/docview.wss?uid=swg27036069 4) A good knowledge about Kerberos protocol and delegation process 5) A basic knowledge about Exchange Web Services (EWS) and autodiscovery mechanism 6) Kerberos Enabled on all Exchange server (NTLM auth works only with autodiscoery process not for EWS ) 7) A basic knowledge about Whireshark WHAT THE WIKI SAYS In the URL below you could find all official information about Mail Plugin configurations http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_pre-install.dita This guide is a compendium about the configuration and authentication flow for the Exchange integration. KERBEROS CONFIGURATION In the official wiki the first step is configuring correctly the SPNEGO and KERBEROS authentication mechanism as described in this link http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_spnego.dita Before to start the SPNEGO configuration two steps are important requirement: 1) Mapping an Active Directory Account to Administrativer roles http://www- 01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_kerb_configure_AD_accou nmhhhbnt.dita?lang=en 2) Create a Service Principal Name and Keytab file http://www- 01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/secure/t_install_kerb_create_service _account.dita?lang=en You could skip the point one only if your installation is built with an active directory user, check the image below if during your installation process in the administrator user id field you have used an user from LDAP.
  • 4. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 3 In the wiki the point two is really detailed but if you are going to do this configuration on Windows 2012 Active Directory some extra steps are a requirement to avoid problems with Kerberos authentication: - Windows 2012 have a strong encryption this creates problems with the Kerberos protocol because normally the communication between the Key Distribution Center and the Domain Computer works via UDP protocol but the UDP payload isn’t unable to contain all encrypted information because it is really small than the TCP packet, to force the communication via TCP protocol you must add this line inside the krb5.conf  udp_preference_limit = 1 - If you are going to setup Kerberos in an Active Directory Domain forest with child site and Different Realm you must explicit all realm in the sections realms and domain_realm - If you see error related to the KDC options you must manually set this options in the krb5.ini, in particular with Windows 2012 I force the proxiable = false and renewable = false, this step is not a requirement and it solve problems in the infrastructure where I setup the Kerberos authentication.
  • 5. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 4 In the image below a full example of the krb5.ini Below the screen about Kerberos / SPNEGO WebSphere settings.
  • 6. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 5
  • 7. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 6
  • 8. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 7 In the step five you should add the generic property inside the properties tag. In my environment I experienced some problems but more investigation are required about this generic property: - <genericProperty name="shindig.config.container.overrides"> By default in connections 5 we have a generic property “shinding overrides” in the sections properties and if you follow the wiki the result would be something like this We experienced some problems with the this configuration because it seems the first property is overwritten by the second. To avoid any strange issue we merge the two property into a big one. Now we have successful complete all Kerberos / SPNEGO configuration. CONFIGURE THE AUTODISCOVERY SERVLET The autodiscovery servlet is used to discovery the mail server where the mail file is located, in particular Exchange have the own system to give this type of information. In the wiki link we could find all information about the autodiscovery configuration: - http://www-01.ibm.com/support/knowledgecenter/SSVMJU_1.6.0/icm_discovery.dita The first step described in the section 2.A says to ask the certificate to the administrator, we could export the certificate manually from the browser. Below the screens show an export of the ibm ssl certificate, the steps are the same for Exchange.
  • 9. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 8 CERTIFICATE EXPORT Click on the padlock icon, and the click on view certificates. Click on Certification Path
  • 10. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 9 Export the Certificate authority and the intermediate certificate ( first and second certificate) CA Export: select the first certificate and click “view certificate”. Check in the new window if in the certificate path there is only the CA certificate
  • 11. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 10 Now we export the CA In the last screen press finish to complete the export of CA certificate and close the CA window.
  • 12. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 11 The same steps are used for the intermediate certificate the important thing is to select in the first window under certificate path the second certificate After click on view certificate apply the same steps to export the intermediate certificate. At this point we need to import this certificates on the WebSphere cacertes via keytool utility. IMPORT THE SSL CERTIFICATE IN WEBSPHERE The commands are described in the section 2.b, below the command used keytool -import -file cacert.cer -alias exchange_cacert - keystore E:IBMWebSphereAppServerjavajrelibsecuritycacerts keytool -import -file intermdiate.cer -alias exchange_intermediatecert - keystore E:IBMWebSphereAppServerjavajrelibsecuritycacerts the default password for cacerts file is changeit.
  • 13. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 12 CONFIGURE socialmail-discovery-config.xml In the wiki step three and four you need to copy the socialmail-discovery-config-template.xml from the ConnectionsMail folder and paste it in theDMGR folder: - WAS-root/AppServer/profiles/Dmgr01/config/cells/cell-name/LotusConnections-config In the steps five and six are described the options, in the image below an example configuration.
  • 14. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 13 TROUBELSHOOTING IBM Connections Mail Plugin is a widget based on open-social gadget running on Apache Shinding widget container. In IBM Connections, the Apache shinding implementation is contained in the WidgetContainer.ear installed in the InfraCluster server. The mustgather link is: - http://www-01.ibm.com/support/docview.wss?uid=swg21677101 all websphere trace must set in the server where the widgetcontainer.ear is located. WIDGET ARCHITECTURE
  • 15. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 14 SERVER SIDE IBM Connections Mail opensocial gadget use a different Ajax Proxy the name is CREAjaxProxy. This Ajax proxy is used to send all back-end call to the Exchange EWS WebService, for example the HTTPS post with the delegated credential are sent through the CREAjaxProxy to the Exchange Mail server. The discovery Servlet is registered as an extension point via OSGI in the Widget Container application. BROWSER SIDE On the browser side all ajax call are sent via makerRequest servlet ( the apache shinding implementation of the method gadget.makerRequest) the response of this call is a json with the backend http response code ( rc=401 for example). AUTHENTICATION FLOW This image shows all network calls to take the user's email from Exchange.
  • 16. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 15 ADDITIONAL TRACE To track all request related to: - Widget container (CREAjaxProxy) - Kerberos Delegation / SPNEGO You must add this trace and JVM properties on the server where is located the WidgetContainer.ear application.
  • 17. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 16 GATHERING TRACE AND DEBUG INFORMATION Before to start you need to have this requirements: - A domain computer with WireShark and Fiddler installed - If the domain computer is a windows 7 machine check if the klist command is available on the command prompt, otherwise install the windows resource kit. - Install on the Connections Server WireShark if you are in Windows or use tcpdump with the –s0 parameter to take the full payload under linux - Enable trace on the infracluster Server and test the mail with the homepage application because is in the same cluster of the WidgetContainer application. 1. Verify the browser settings for SPNEGO authentication http://www- 01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_SPNEG O_configweb_new.html?cp=SSAW57_8.5.5%2F1-3-0-21-3-0 2. Clear Kerberos token via klist 3. Start fiddler and WireShark on computer domain and wireshark on the server
  • 18. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 17 4. On domain Computer put this filter 5. On Connections Server put this filter 6. Check four Kerberos request on WireShark Domain Computer 7. Check on fiddler if the request to discoveryServlet and makerRequest servlet have the right response
  • 19. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 18 the field rc is the HTTP response code if you get http 401 that means you are not authorized and the delegation process doesn’t work propertly. 8. Check in the logs if there are problems on Kerberos ticket decryption 9. Check if the GSSCredential are correctly read 10. Check If the delegation process works correctly
  • 20. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 19 11. Check if the CREAjaxProxy contact correctly the Exchange EWS WebService HTTP 400 ISSUE (negotiation header too long) When we try to automatically login in Connections some users receive a white page with HTTP error 400, in this case you need to increase on all HTTP server the maximum header size if in the fiddler trace inside the HTTP packe you saw the error header is too long inside the HTML response. This error doesn’t affect all users for example in my case all users that had ten or more group in active directory get the HTTP 400 error, when groups became nine the SPNEGO authentication works. This happen because the header NEGOTIATION contains the Kerberos TGT and the Microsoft privilege attribute certificate (PAC), the second contains several logical components, including group membership data for authorization, alternate credentials for non-Kerberos authentication protocols, and policy control information for supporting interactive logon. To increase the header size put inside the virtualhost this apache directive: - LimitRequestFieldSize 12392 The number is suggested inside the apache wiki http://httpd.apache.org/docs/2.2/mod/core.html. In the image below an example configuration
  • 21. IBM Connections Mail Plugin Configuration with Exchange Backend IBM Connections Mail Plugin with Exchange Backend Author:Michele Buccarello Page 20 DELEGETION DOESN’T WORK ONLY IN CHROME Like Firefox in CHROME you must enable the delegation to have the mail plugin fully functional. Follow the links below to enable the Kerberos delegation - https://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist