Single Sign On Problem

I placed krb5.ini on my xp client root C:\

I placed the keytab file on the 2003 Server at F:\Program Files\Openfire\resources

I placed gss.conf file on the 2003 Server at F:\Program Files\Openfire\conf

However I ran your registry update ONLY on the xp client as you documented. Should I run this on the server as well?

The krb5.ini needs to be in the root of the windows directory of both the client and server. I did not modify the server registry. If you want to, this is the proper string for it:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: allowtgtsessionkey

Value Type: REG_DWORD

Value: 0x01

Ok placing the ini file on the root did not resolve the issue.

However I have noticed something odd. When I tried to reinstall the openfire server and use ‘xmpp’ as the admin instead of ‘openfire’, xmpp failed when testing on the ‘Test Settings’ connection in the wizard. So I reset the password on xmpp account and then retested and it worked. Finished the wizard and then ran openfire server. Logged into the server console with no issues. Then I realized spark SSO still didn’t work and recreated the keytab file and it still failed.

For the heck of it just a second ago I tried to just login to spark WITH a password and it failed. Soooo I tried to login to the openfire console and it failed. So I uninstalled the openfire server, reinstalled and boom ‘xmpp’ user failed on the connection screen again. It seems that the keytab generation CHANGES the xmpp user’s password or otherwise disallows it from being used by openfire.

So does or does not the openfire admin need to be the same user? Very confusing.

Thanks

The admin can be pretty much any user. That xmpp user is just used for the keytab generation.

Ok, on that first setup screen it has a box that says Domain: (yet the question mark help popup says that the server hostname should be listed). I have always just put ‘techlinkserver’.

Is that correct or FQDN?

FQDN should be used at all times.

Ok changed setup to false and ran through and used FQDN and openfire as admin. Still no SSO.

I do not know what to tell you, short of SSO is damn hard to accomplish. Slushpuppy helped me and it took several days to iron out all the bugs.

Is Slushpuppy around? Should I PM him?

I'm around, but not as often as I used to be. I don't work with windows, so I'm not much of an expert here. I wrote the SSO stuff with my knowledge of Kerberos, and since AD uses Kerberos it became possible to do it on AD. But it certainly isn't easy :slight_smile:

From what I read here, the client is not choosing the GSSAPI method for authentication. This can be for any number of reasons, so a few things I want to know:

What version of Spark are you using?

Does Spark generate any output in its log files? (we might want to turn debugging on to get more)

What is the output from the server right BEFORE the client sends the auth packet? (it should say what mechanisms the server supports, we want GSSAPI in that list)

Spark version 2.5.8

Spark Error.log:

java.lang.NullPointerException
at org.jivesoftware.smack.XMPPConnection.createPacketCollector(XMPPConnection.java:758)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:51)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:217)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Nov 17, 2008 3:19:55 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
java.lang.NullPointerException
at org.jivesoftware.smack.XMPPConnection.createPacketCollector(XMPPConnection.java:758)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:51)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)

Spark Output.log:

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is Thomas@TECHLINK.LOCAL
Commit Succeeded

As far as output on the server, where exactly do you mean?

Thanks

By output, I mean turn on the debug stuff in Spark so you can see the XML packets that go back and forth. If you want, just send all the server output. But I'm looking for the step right before the client attempts to authenticate.

Here is the Raw Received Packets window contents:

<?xml version='1.0' encoding='UTF-8'?>

stream:featuresPLAINANONYMOUSzlib</stream:features>

<?xml version='1.0' encoding='UTF-8'?>PLAINANONYMOUSzlib

</stream:stream>

Openfire is not advertising GSSAPI. The old way was in the openfire.xml config file, but it's now been moved into the System Properties (in the admin console). Set the property sasl.mechs to GSSAPI. You might need to restart Openfire, you might not. I don't recall how well that property is cached.

If that is already set as such, then check the openfire logs to see why it rejected it.
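As an added diagnostic (not code from this thread, from Openfire or from Spark), a small Python parser that reads the `<stream:features>` stanza Spark shows in its Raw Received window and reports whether the server lists GSSAPI among its SASL mechanisms; the two sample stanzas below are constructed, not captured from the poster's server.

```python
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: what a server that only offers PLAIN/ANONYMOUS sends.
FEATURES_NO_GSSAPI = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>ANONYMOUS</mechanism>
  </mechanisms>
  <compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression>
</stream:features>"""

# Constructed sample: the same stanza after GSSAPI has been enabled.
FEATURES_GSSAPI = FEATURES_NO_GSSAPI.replace(
    "<mechanism>PLAIN</mechanism>", "<mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism>")


def advertised_mechanisms(features_xml):
    """Return the SASL mechanism names the server advertises, in order."""
    root = ET.fromstring(features_xml)
    if root.tag != "{%s}features" % STREAM_NS:
        raise ValueError("not a stream:features stanza")
    mechs = root.find("{%s}mechanisms" % SASL_NS)
    if mechs is None:  # no <mechanisms> block at all
        return []
    return [m.text.strip() for m in mechs.findall("{%s}mechanism" % SASL_NS) if m.text]


def diagnose(features_xml):
    """Summarise whether a Kerberos SSO client could pick GSSAPI here."""
    mechs = advertised_mechanisms(features_xml)
    if not mechs:
        hint = "server advertises no SASL mechanisms; check the sasl.mechs property"
    elif "GSSAPI" in mechs:
        hint = "GSSAPI offered; if SSO still fails, look at the client side"
    else:
        hint = "GSSAPI missing; add it to sasl.mechs and restart the server"
    return {"mechanisms": mechs, "gssapi": "GSSAPI" in mechs, "hint": hint}


if __name__ == "__main__":
    for sample in (FEATURES_NO_GSSAPI, FEATURES_GSSAPI):
        print(diagnose(sample))
```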

Ok so there was no System Property at all named that.

So I created **sasl.mechs** name and put the value of GSSAPI. I restarted the openfire server and it still failed but the spark debugger shows more activity back and forth than before. The new log from spark Raw Received packets show:

<?xml version='1.0' encoding='UTF-8'?>

stream:features
zlib
</stream:features>

<?xml version='1.0' encoding='UTF-8'?>

zlib
</stream:features>
thomas
thomasspark</resource>

I still don’t see GSSAPI anywhere in that packet above.

Here is the latter part of openfire.xml:

org.jivesoftware.database.EmbeddedConnectionProvider

true

false

Here is a simplified version of that config from a working server:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL

DOMAIN.COM

true

C:\Program Files\Openfire\conf\gss.conf

false

Substitute your proper information into the tag, and the tag.

Ok added that and it didn’t work.

Spark raw received packet:

<?xml version='1.0' encoding='UTF-8'?>

stream:features
GSSAPI</mechanisms>zlib
</stream:features>

<?xml version='1.0' encoding='UTF-8'?>

GSSAPI</mechanisms>zlib
</stream:features>
thomas
thomasspark</resource>

Current openfire.xml:

<?xml version="1.0" encoding="UTF-8"?>

9090

9091

en

org.jivesoftware.database.EmbeddedConnectionProvider

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL

TECHLINK.LOCAL

true

false

However notice that after the openfire server starts it COMPLETELY deletes the:

C:\Program Files\Openfire\conf\gss.conf

false

Several parts of the XML config have been moved into the server properties (stored in the database) from the original implementation. The solution Jive employed was to take the value from the file, import it into the DB, then delete it from the file. That is normal.

Now that Openfire is advertising the GSSAPI method, the focus is back on Spark, since it has decided to not use GSSAPI. Do the logs for spark show anything different now?

Which part of the debug log? I posted the new raw receive packet above.

Raw Sent:

<stream:stream to=“techlinkserver.techlink.local” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

<stream:stream to=“techlinkserver.techlink.local” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>
thomas
thomasspark</resource>

Connection 1 Packet window shows (showing ‘type’ in brackets):

[Get]

thomas

[Set]

thomas spark

[Result]

thomas

[Error]

thomas spark