Using signed SSL certificates in Mac OS X Server 10.5 is a bit of a black art. In this article I describe how it’s done. Some services, such as the web service, work fine with signed certificates by default. However, the iChat (jabber), iCal (caldav), Mail (postfix/cyrus), and possibly other services do not work properly without some additional work on the command line (“Terminal”).

The problem in OS X Server 10.5 is that the System Admin app fails to provide decrypted private keys, and points some services to a certificate that doesn’t work for that service. The result is that those services will fail to allow connections over SSL.

I will describe how to fix the Mail, iChat and iCal services. The solution is basically the same for them all: decrypt the private key and replace the encrypted version in the combined certificate-key file, then update the service’s settings to use the proper certificate.

(more…)

This article will show you how to dramatically improve the effectiveness of the anti-spam system that is built into Mac OSX Server 10.5. After the upgrade, at least 99.9% of spam should be prevented from reaching your user’s e-mail Inboxes.

This process requires that the Developer Tools are installed on the system. As always, backup your server before making any changes.

(more…)

I ran into several difficulties setting up Podcast Producer in Leopard server. I followed the setup instructions in the manual, but when it came to getting Xgrid up and running, I hit a wall.

Here are the problems that I encountered:

“agent could not determine the expected controller service principal”

The Podcast Producer manual says that Kerberos authentication in Xgrid is necessary (page 26)…
(more…)

Kerberos and Single Sign-on in Leopard Server

It has been awhile since my last post of this series — sorry to keep you waiting. Kerberos on Mac OS X Server is a finicky thing, and it took me this long to get it working! Well, I did take a 3 week vacation, and was busy with other projects for at least 2 weeks … but it was a major pain in the ass to set up, and I’m not yet entirely satisfied.

To get straight to the point, the following procedure got kerberos with single sign-on up and running for me. Hopefully it will work for you too.

(more…)