Spark 2.5.3 SSO and AD? Documentation?

I am excited about the idea of using SSO, but have not been able to get it to work. I am running Spark 2.5.3 on Windows XP machines, Openfire 3.3.1 running on Windows Server 2003 and I am using AD for authentication. Some earlier forum posts seemed to indicate that SSO and AD did not mix well with the 2.5.3 betas. Should I expect SSO to work “out of the box” now? If I need to make configuration changes, is there a how-to or some kind of documentation on what needs to happen for SSO to work?


Slushpupie posted a FAQ on this forum. It'll work fine with 2.5.3, as long as you're not locating your server using SRV records.

If you run into any errors check out my or Deejay's post about SSO.

Man, those posts are just jumbled with stuff. Can we get a breakdown of the steps to get SSO to work in a pure Windows environment? This means Windows Spark client, Windows Openfire server, and Active Directory LDAP. I have tried most of the stuff in the other posts and still have no luck. I have posted all my logs and got no responses. I am rolling this out next week (I hope). May I suggest a step-by-step instruction thread for this.

I'll post a step by step on Monday if there's demand for it.

I did say I'd do this before, but didn't see many people testing it.

SlushPupie's post really does contain everything you need, but it isn't a simple technology...

I'm interested in a step-by-step of this.

Please read this: http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos

It should contain everything you need, depending on how experienced you are.

I have followed that wiki article and still get an error when attempting an SSO connection. Spark gives the following error: Unable to connect using Single Sign-On. Check your principal and server settings.

Here is the gss.conf file:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="AD.MTSTRAVEL.COM"
    principal="xmpp-mtschat@AD.MTSTRAVEL.COM"
    debug=true;
};

Here are the openfire.xml changes:

Here is the info used and output for keytab generation on AD server:

C:>ktpass /princ xmpp-mtschat@AD.MTSTRAVEL.COM /mapuser xmpp-mtschat@ad.mtstravel.com /pass * /out jabber.keytab
Targeting domain controller: mts1.ad.mtstravel.com
Failed to set property "servicePrincipalName" to "xmpp-mtschat" on Dn "CN=MTS Chat Server,CN=Users,DC=ad,DC=mtstravel,DC=com": 0x13.
WARNING: Unable to set SPN mapping data.
If xmpp-mtschat already has an SPN mapping installed for xmpp-mtschat, this is no cause for concern.
Type the password for xmpp-mtschat:
Type the password again to confirm:
Key created.
Output keytab to jabber.keytab:
Keytab version: 0x502
keysize 55 xmpp-mtschat@AD.MTSTRAVEL.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x941a1a6791eada0e)
Account xmpp-mtschat has been set for DES-only encryption.

My jabber.keytab is in the proper folder and all users have read access.

You didn't set the service principal correctly. The name of this principal is VERY important. It must be in this form:

xmpp/fqdn.of.server@REALM

Where fqdn.of.server is the fully qualified domain name of the server (see below on how to determine that) and REALM is your realm (AD.MTSTRAVEL.COM in your case). Also note that the prefix is “xmpp/” not “xmpp-” That is important.

To determine the FQDN, do this:

run “nslookup servername” to get the IP address of the server

run “nslookup ipaddress” to get the FQDN of the server.

The FQDN may not be the same name as your Openfire domain name. That is ok.

Oh, and you DO NOT want all users to have read access to your keytab. This is a HUGE security risk. Only the user that the Openfire server runs as needs to be able to read this file.
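A way to check the keytab that ktpass wrote before pointing Openfire at it, as an added example that is not part of this thread or of Openfire/Spark: a small Python parser for the 0x502 keytab layout (the version ktpass prints above), with a check that the entry carries the xmpp/fqdn.of.server@REALM principal and a warning when the key is single-DES. The keytab bytes are constructed here to mirror the two ktpass runs discussed in the thread; the key values are dummies and the FQDN and realm are taken from the thread.

```python
"""Inspect a Kerberos keytab (format 0x502, as ktpass writes it) and check
that it holds a service principal Openfire can use for SSO.

Added example; not code from this thread or from the Openfire project.
"""
import struct
import sys

# Encryption-type numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",   # RC4-HMAC, the default for a Windows 2003 DC
}
WEAK_ENCTYPES = {1, 3}   # single DES: what a 'DES-only' account is stuck with


def build_keytab(realm, components, enctype, key, kvno=3, name_type=1, timestamp=0):
    """Serialize a one-entry keytab in the 0x502 layout (all fields big-endian)."""
    body = struct.pack(">H", len(components))            # component count (realm excluded)
    for s in [realm] + list(components):                 # realm first, then components
        raw = s.encode("utf-8")
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return a list of entry dicts: principal, realm, components, enctype, kvno, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):   # realm, then ncomp name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode("utf-8"))
            pos += n
        realm, comps = strings[0], strings[1:]
        name_type, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "components": comps, "name_type": name_type,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def check_sso_keytab(data, server_fqdn, realm, service="xmpp"):
    """Return a list of problems; an empty list means the keytab looks usable for SSO."""
    wanted = "%s/%s@%s" % (service, server_fqdn, realm)
    entries = parse_keytab(data)
    if not entries:
        return ["keytab has no entries"]
    problems = []
    for e in entries:
        if e["principal"] != wanted:
            problems.append("principal %s is not %s (needs the 'xmpp/' prefix and the server FQDN)"
                            % (e["principal"], wanted))
        if e["realm"] != e["realm"].upper():
            problems.append("realm %s is not upper-case; Kerberos realm names are case-sensitive" % e["realm"])
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("entry uses single-DES enctype %d (%s)"
                            % (e["enctype"], ENCTYPE_NAMES.get(e["enctype"], "?")))
    return problems


# Constructed sample 1: mirrors the thread's first ktpass run (user-style
# principal, DES-CBC-MD5). The 8-byte key is a dummy, not the one ktpass printed.
SAMPLE_WRONG = build_keytab("AD.MTSTRAVEL.COM", ["xmpp-mtschat"], 3, bytes(range(8)))
# Constructed sample 2: the service principal form the thread calls for, with
# RC4-HMAC, the enctype a 2003-era DC issues when the account is not DES-only.
SAMPLE_RIGHT = build_keytab("AD.MTSTRAVEL.COM", ["xmpp", "mtschat.ad.mtstravel.com"], 23, bytes(range(16)))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_WRONG
    for e in parse_keytab(data):
        print("%-50s kvno=%d enctype=%d (%s)" % (e["principal"], e["kvno"], e["enctype"],
                                                 ENCTYPE_NAMES.get(e["enctype"], "unknown")))
    for p in check_sso_keytab(data, "mtschat.ad.mtstravel.com", "AD.MTSTRAVEL.COM"):
        print("PROBLEM:", p)
```

Run it on the server with the real file, e.g. `python keytab_check.py "C:\Program Files\Openfire\resources\jabber.keytab"`, substituting your own FQDN and realm in the last lines. The script does not look at file permissions: that part is a matter of NTFS ACLs, and as said above the keytab should be readable only by the account the Openfire service runs as.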

There's a lot of things wrong with that:

From a quick scan:

  1. Your principal name is wrong; it should be xmpp/fqdn.of.server@REALM

  2. Your gssapi config file is wrong - you need to use unix style slashes when specifying the keytab location

  3. With KTPASS you should be using the short username, so 'xmpp-openfire' as specified in the guide would be a decent user to create for mapping to.

D

I regenerated the keytab with the changes you stated.

Here is the new gss.conf:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="AD.MTSTRAVEL.COM"
    principal="xmpp/mtschat.ad.mtstravel.com@AD.MTSTRAVEL.COM"
    debug=true;
};

Spark still returns the same error.

The error logs on the server will be of more use to us. Is anything indicated there?

None whatsoever, which I find rather weird. I even turned on debug mode.

Do you have a working (tested) Openfire setup without SSO? It's best to start from there if you haven't. Even a non-SSO Openfire without debugging will generate some log entries.

I should clarify, I clear the logs then attempt to connect via SSO. Spark returns the error but there is nothing in the logs on openfire. If I login normally then the logs get populated with various information. This is a working openfire 3.3.1 server.

How about the Spark logs then? Spark may not be getting far enough to connect to the server.

Here are the Spark error logs:

javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)
    ... 11 more
not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)

OK.

Create the file it specifies (c:\windows\krb5.ini) and add this to it (replacing the obvious):

[libdefaults]
default_realm = ad.domain.com

[realms]
ad.domain.com = {
    kdc = domaincontroller.ad.domain.com
    default_domain = ad.domain.com
}

[domain_realm]
.ad.domain.com = ad.domain.com

edited to add: libdefaults, realms and domain_realm should all be contained in square brackets but the forum broke the formatting


Create a file called krb5.ini in c:\windows with the following. "libdefaults" and "realms" are both surrounded by square brackets.

[libdefaults]
default_realm = DOMAIN.LOCAL
noaddresses = true

[realms]
DOMAIN.LOCAL = {
    kdc = YOURDC.DOMAIN.LOCAL
    default_domain = DOMAIN.LOCAL
}

Make sure everything is in caps.