I am excited about the idea of using SSO, but have not been able to get it to work. I am running Spark 2.5.3 on Windows XP machines, Openfire 3.3.1 running on Windows Server 2003 and I am using AD for authentication. Some earlier forum posts seemed to indicate that SSO and AD did not mix well with the 2.5.3 betas. Should I expect SSO to work “out of the box” now? If I need to make configuration changes, is there a how-to or some kind of documentation on what needs to happen for SSO to work?
Slushpupie posted a FAQ on this forum. It'll work fine with 2.5.3, as long as you're not locating your server using SRV records.
If you run into any errors check out my or Deejay's post about SSO.
Man, those posts are just jumbled with stuff. Can we get a breakdown of the steps to get SSO to work in a pure Windows environment? This means a Windows Spark client, a Windows Openfire server, and Active Directory LDAP. I have tried most of the stuff in the other posts and still have no luck. I have posted all my logs and got no responses. I am rolling this out next week (I hope). Might I suggest a step-by-step instruction thread for this?
I'll post a step by step on Monday if there's demand for it.
I did say I'd do this before, but didn't see many people testing it.
SlushPupie's post really does contain everything you need, but it isn't a simple technology…
I'm interested in a step-by-step of this
Please read this: http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos
It should contain everything you need, depending on how experienced you are.
I have followed that wiki article and still get an error when attempting an SSO connection. Spark gives the following error: Unable to connect using Single Sign-On. Check your principal and server settings.
Here is the gss.conf file:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="AD.MTSTRAVEL.COM"
    principal="xmpp-mtschat@AD.MTSTRAVEL.COM"
    debug=true;
};
Here are the openfire.xml changes:
Here is the info used and the output for keytab generation on the AD server:
C:\>ktpass /princ xmpp-mtschat@AD.MTSTRAVEL.COM /mapuser xmpp-mtschat@ad.mtstravel.com /pass * /out jabber.keytab
Targeting domain controller: mts1.ad.mtstravel.com
Failed to set property "servicePrincipalName" to "xmpp-mtschat" on Dn "CN=MTS Chat Server,CN=Users,DC=ad,DC=mtstravel,DC=com": 0x13.
WARNING: Unable to set SPN mapping data.
If xmpp-mtschat already has an SPN mapping installed for xmpp-mtschat, this is no cause for concern.
Type the password for xmpp-mtschat:
Type the password again to confirm:
Key created.
Output keytab to jabber.keytab:
Keytab version: 0x502
keysize 55 xmpp-mtschat@AD.MTSTRAVEL.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x941a1a6791eada0e)
Account xmpp-mtschat has been set for DES-only encryption.
My jabber.keytab is in the proper folder and all users have read access.
You didn't set the service principal correctly. The name of this principal is VERY important. It must be in this form:
xmpp/fqdn.of.server@REALM
Where fqdn.of.server is the fully qualified domain name of the server (see below on how to determine that) and REALM is your realm (AD.MTSTRAVEL.COM in your case). Also note that the prefix is "xmpp/", not "xmpp-". That is important.
To determine the FQDN, do this:
run "nslookup servername" to get the IP address of the server
run "nslookup ipaddress" to get the FQDN of the server.
The FQDN may not be the same name as your Openfire domain name. That is ok.
Oh, and you DO NOT want all users to have read access to your keytab. This is a HUGE security risk. Only the user that the Openfire server runs as needs to be able to read this file.
There's a lot of things wrong with that. From a quick scan:
- Your principal name is wrong; it should be xmpp/fqnofserver@REALM
- Your gssapi config file is wrong - you need to use unix style slashes when specifying the keytab location
- With KTPASS you should be using the short username, so 'xmpp-openfire' as specified in the guide would be a decent user to create for mapping to.
D
I regenerated the keytab with the changes you stated.
Here is the new gss.conf:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="AD.MTSTRAVEL.COM"
    principal="xmpp/mtschat.ad.mtstravel.com@AD.MTSTRAVEL.COM"
    debug=true;
};
Spark still returns the same error.
The error logs on the server will be of more use to us. Is anything indicated there?
None whatsoever, which I find rather weird. I even turned on debug mode.
Do you have a working (tested) Openfire setup without SSO? It's best to start from there if you haven't. Even a non-SSO Openfire without debugging will generate some log entries.
I should clarify: I clear the logs, then attempt to connect via SSO. Spark returns the error but there is nothing in the logs on Openfire. If I log in normally, then the logs get populated with various information. This is a working Openfire 3.3.1 server.
How about the Spark logs then? Spark may not be getting far enough to connect to the server.
Here are the Spark error logs:
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))
    at com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)
    ... 11 more
not-authorized(401)
    at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:785)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:185)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:589)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)
OK.
Create the file it specifies (c:\windows\krb5.ini) and add this to it (replacing the obvious):
[libdefaults]
    default_realm = ad.domain.com
[realms]
    ad.domain.com = {
        kdc = domaincontroller.ad.domain.com
        default_domain = ad.domain.com
    }
[domain_realm]
    .ad.domain.com = ad.domain.com
edited to add: libdefaults, realms and domain_realm should all be contained in square brackets but the forum broke the formatting
Create a file called krb5.ini in c:\windows with the following. "libdefaults" and "realms" are both surrounded by square brackets:
[libdefaults]
    default_realm = DOMAIN.LOCAL
    noaddresses = true
[realms]
    DOMAIN.LOCAL = {
        kdc = YOURDC.DOMAIN.LOCAL
        default_domain = DOMAIN.LOCAL
    }
Make sure everything is in caps.
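As an added example (not from this thread, Spark or Openfire), a small Python checker that applies the rules from the replies above to the text of a gss.conf and a krb5.ini: the xmpp/fqdn.of.server@REALM principal form, forward slashes in the keyTab path, an upper-case realm, and the bracketed [libdefaults] and [realms] sections. The sample strings and any file names are constructed for illustration.

```python
import re

def parse_jaas_options(text):
    """Collect option=value pairs from a JAAS login entry such as gss.conf; values may be double-quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))', text)}

def check_gss_conf(text):
    """Report the gss.conf mistakes the replies above point out; an empty list means it looks right."""
    opts, problems = parse_jaas_options(text), []
    principal = opts.get("principal", "")
    m = re.fullmatch(r'([^/@]+)/([^/@]+)@([^/@]+)', principal)
    if not m:
        problems.append("principal must be xmpp/fqdn.of.server@REALM, got %r" % principal)
    else:
        service, host, realm = m.groups()
        if service != "xmpp":  # Openfire's service name; "xmpp-something" is a user, not a service principal
            problems.append('prefix must be "xmpp/", got "%s/"' % service)
        if "." not in host:
            problems.append("host part must be the FQDN that nslookup reports, got %r" % host)
        if realm != realm.upper():
            problems.append("realm must be upper case, got %r" % realm)
    if "\\" in opts.get("keyTab", ""):
        problems.append("keyTab path must use forward slashes")
    if opts.get("useKeyTab") != "true" or opts.get("storeKey") != "true":
        problems.append("useKeyTab and storeKey must both be true")
    return problems

def check_krb5_ini(text):
    """Check a krb5.ini like the ones above: bracketed sections, upper-case default_realm, a stanza for it."""
    seen, stanzas, problems, current, default = set(), set(), [], None, ""
    for line in (l.strip() for l in text.splitlines()):
        hdr = re.fullmatch(r'\[(\w+)\]', line)
        kv = re.fullmatch(r'([^=\s]+)\s*=\s*(.+)', line)
        if hdr:
            current = hdr.group(1)
            seen.add(current)
        elif kv and current == "realms" and kv.group(2) == "{":
            stanzas.add(kv.group(1))  # e.g. "AD.MTSTRAVEL.COM = {"
        elif kv and current == "libdefaults" and kv.group(1) == "default_realm":
            default = kv.group(2)
    problems += ["missing [%s] section (the brackets matter)" % s for s in ("libdefaults", "realms") if s not in seen]
    if default != default.upper():
        problems.append("default_realm must be upper case, got %r" % default)
    if default and "realms" in seen and default not in stanzas:
        problems.append("no [realms] stanza for %s" % default)
    return problems

if __name__ == "__main__":  # constructed sample shaped like the first gss.conf in this thread
    print(check_gss_conf('keyTab="C:\\x\\jabber.keytab" principal="xmpp-mtschat@AD.MTSTRAVEL.COM"'))
```

Run it against the real files with check_gss_conf(open("gss.conf").read()) and check_krb5_ini(open(r"C:\WINDOWS\krb5.ini").read()); an empty list from both is the state the later posts describe as working.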