The krb5.ini needs to be in the root of the Windows directory of both the client and server. I did not modify the server registry. If you want to, this is the proper string for it:
Ok, placing the ini file in the root did not resolve the issue.
However, I have noticed something odd. When I tried to reinstall the Openfire server and use 'xmpp' as the admin instead of 'openfire', xmpp failed when testing on the 'Test Settings' connection in the wizard. So I reset the password on the xmpp account and then retested and it worked. Finished the wizard and then ran the Openfire server. Logged into the server console with no issues. Then I realized Spark SSO still didn't work, and recreated the keytab file, and it still failed.
For the heck of it, just a second ago I tried to just log in to Spark WITH a password and it failed. Soooo I tried to log in to the Openfire console and it failed. So I uninstalled the Openfire server, reinstalled, and boom: the 'xmpp' user failed on the connection screen again. It seems that the keytab generation CHANGES the xmpp user's password or otherwise disallows it from being used by Openfire.
So does or does not the Openfire admin need to be the same user? Very confusing.
Ok, on that first setup screen there is a box that says Domain: (yet the question-mark help popup says that the server hostname should be listed). I have always just put 'techlinkserver'.
I'm around, but not as often as I used to be. I don't work with Windows, so I'm not much of an expert here. I wrote the SSO stuff with my knowledge of Kerberos, and since AD uses Kerberos it became possible to do it on AD. But it certainly isn't easy.
From what I read here, the client is not choosing the GSSAPI method for authentication. This can be for any number of reasons, so a few things I want to know:
What version of Spark are you using?
Does Spark generate any output in its log files? (we might want to turn debugging on to get more)
What is the output from the server right BEFORE the client sends the auth packet? (it should say what mechanisms the server supports, we want GSSAPI in that list)
java.lang.NullPointerException
at org.jivesoftware.smack.XMPPConnection.createPacketCollector(XMPPConnection.java:758)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:51)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:217)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Nov 17, 2008 3:19:55 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
java.lang.NullPointerException
at org.jivesoftware.smack.XMPPConnection.createPacketCollector(XMPPConnection.java:758)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:51)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Spark Output.log:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is Thomas@TECHLINK.LOCAL
Commit Succeeded
As far as output on the server, where exactly do you mean?
By output, I mean turn on the debug stuff in Spark so you can see the XML packets that go back and forth. If you want, just send all the server output. But I'm looking for the step right before the client attempts to authenticate.
Openfire is not advertising GSSAPI. The old way was in the openfire.xml config file, but it's now been moved into the System Properties (in the admin console). Set the property sasl.mechs to GSSAPI. You might need to restart Openfire, you might not. I don't recall how well that property is cached.
If that is already set as such, then check the openfire logs to see why it rejected it.
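The check asked for above (the mechanisms the server lists right before the client sends its auth packet, and whether GSSAPI is among them) can be automated against Spark's raw-received debug output. This is an added example, not code from the thread, Spark or Openfire; the log lines and stream ids in it are constructed, and the exact formatting of Spark's debugger output is an assumption, so only the `<stream:features>` elements themselves are relied on.

```python
import re
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample of a Spark "Raw Received Packets" log. The two
# <stream:features> captures stand for an Openfire that does NOT advertise
# GSSAPI (first) and one where sasl.mechs=GSSAPI has been set (second).
# Stream ids and the line prefix are made up for this example.
SAMPLE_LOG = """RCV (1): <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="techlinkserver" id="s1" version="1.0">
RCV (1): <stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
RCV (2): <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="techlinkserver" id="s2" version="1.0">
RCV (2): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms></stream:features>
"""

FEATURES_RE = re.compile(r"<stream:features>.*?</stream:features>", re.S)


def features_from_log(log):
    """Return every <stream:features> fragment found in a raw debug log."""
    return FEATURES_RE.findall(log)


def advertised_mechanisms(fragment):
    """Parse one <stream:features> fragment and list the SASL mechanisms in it.

    The debugger prints the element without the stream namespace declaration
    (it lives on the enclosing <stream:stream>), so it is wrapped before parsing.
    """
    wrapped = f'<stream:stream xmlns:stream="{STREAM_NS}">{fragment}</stream:stream>'
    root = ET.fromstring(wrapped)
    features = root.find(f"{{{STREAM_NS}}}features")
    if features is None:
        return []
    mechs = features.find(f"{{{SASL_NS}}}mechanisms")
    if mechs is None:
        return []
    return [m.text.strip() for m in mechs.findall(f"{{{SASL_NS}}}mechanism") if m.text]


def diagnose(fragment):
    """Classify a features fragment from the SSO troubleshooting point of view.

    Returns (status, mechanisms) where status is one of:
      "ok"        - GSSAPI is advertised, so the server side is configured
      "no-sasl"   - no SASL mechanisms at all (the client can only fall back
                    to legacy jabber:iq:auth, which SSO cannot use)
      "no-gssapi" - SASL offered, but not GSSAPI (check sasl.mechs on Openfire)
    """
    mechs = advertised_mechanisms(fragment)
    if "GSSAPI" in mechs:
        return "ok", mechs
    if not mechs:
        return "no-sasl", mechs
    return "no-gssapi", mechs


def diagnose_log(log):
    """Diagnose the LAST features capture in the log, i.e. the one the client
    saw immediately before choosing its auth method."""
    fragments = features_from_log(log)
    if not fragments:
        return "no-features", []
    return diagnose(fragments[-1])


if __name__ == "__main__":
    for frag in features_from_log(SAMPLE_LOG):
        print(diagnose(frag))
    print("final verdict:", diagnose_log(SAMPLE_LOG))
```

Run it against a real Spark debug capture by replacing `SAMPLE_LOG` with the file contents; a "no-gssapi" or "no-sasl" verdict points at the Openfire side (the `sasl.mechs` property), while "ok" means the remaining problem is the client's choice of mechanism, which is the split the thread describes.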
Ok, so there was no System Property at all named that.
So I created the **sasl.mechs** name and put in the value GSSAPI. I restarted the Openfire server and it still failed, but the Spark debugger shows more activity back and forth than before. The new log from Spark's Raw Received Packets shows:
Several parts of the XML config have been moved into the server properties (stored in the database) from the original implementation. The solution Jive employed was to take the value from the file, import it into the DB, then delete it from the file. That is normal.
Now that Openfire is advertising the GSSAPI method, the focus is back on Spark, since it has decided to not use GSSAPI. Do the logs for spark show anything different now?