Auto Discovery and Automatic Login

Hello All,

I tried looking for this but couldn’t find an answer. In a similar way that Outlook 2007 can use auto discovery, can Spark log in to an Openfire server without a user ever typing in the username or password, and have Spark automatically use the credentials of the logged-in user?

Thank you for any help!

That is called Single Sign On or SSO. I have attached docs I have compiled when configuring my system for this.
openfire.xml (4131 Bytes)
krb5.ini (142 Bytes)
krb5fix.reg (836 Bytes)
SSO-method.doc (31232 Bytes)
spark.properties (940 Bytes)

An easy option would just be to turn on the “Auto Login” option on the Spark login prompt and that way, the user only needs to type their username or password once and it will be saved.

That is exactly what i need! I will probably have a few questions as I try to set this up. First question: do the two users have to be domain admins? What rights do they need?

Thanks again!

Although that would be easier, there is no guarantee it will continue to function when the domain password credentials change. We force all users to change their password after a set period. This would cause an error with Spark. The only difficulty with SSO is on the admin side, in regards to setting it up. On the client side it makes life much easier. Truly nothing has to be done if Spark settings are configured correctly via the network.

In theory they do not need to be domain admins. However, I found mixed results if they are not. Just be certain they are set to have their passwords never expire.

Thanks for the reply Puff. At first, I thought about using the auto logon but because some of our clients have roaming profiles and others don’t and we all use Exchange 07 with Outlook 07, I wanted to use SSO if possible.

Ok. I set their password to not expire. Could you explain more about the keytab? I am a little confused about it. Is it just a file named keytab that has the lines you provided in it? If so, are the below lines correct?

C:>ktpass /princ xmpp/openfire@GCBE.LOCAL /mapuser xmpp-keytab@GCBE.LOCAL /pass ******** /out jabber.keytab

openfire is the name of the server

the user is keytab

I just put stars for the password.

The keytab is a file (jabber.keytab) created by the server by running the command you have in your post. It is needed by the Openfire server to establish the connection with the domain for SSO.

Thanks for explaining that. One more question. When you have this line in the gss.conf file, “xmpp/fqdn.of.server@YOUR.DOMAIN.COM”…should my line read the following (assuming my server is named openfire and my domain is login.local)

xmpp/openfire.login.local@login.local

xmpp/openfire.login.local@LOGIN.LOCAL

Case is important. If it has caps, use caps.

Ok. One more question.

• Bind server to AD with desired name to get a FQDN you can use (alias won’t work)

What exactly does that line mean?

Thanks again for all of your help!

This line means that the physical name assigned to the computer/server should be the name used for Openfire. This can be found in the server’s system properties (see attachment)

After quite a while on this, I am a little lost. Are there any logs that would tell me where to look for a problem? My spark clients are getting an error message about sso not working. I attached the screen.

Any help would be great!

Double-Post—sorry…

I see in your picture you did not use the FQDN of the server. You must use that everywhere to have SSO work. If your Openfire server does not have a FQDN for the xmpp domain as well, you will have this issue. See my attachments. Note those names all match the AD name for the computer found in the computer’s system properties.

Ok. Well I thought I fixed that but now my server name is showing the 127.0.0.1 and the Server Certificates tab says, “Found RSA certificate that is not valid for the server domain.” Would you know how to fix that?

I am not sure if this helps but I also get the following message at the OpenFire launch window:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/OPENFIRE.GCBE.LOCAL@GCBE.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal’s key obtained from the keytab

Acquire TGT using AS Exchange

authentication failed

Receive timed out

I believe that the 127.0.0.1 thing is fixed now but I still get the certificate error. Any suggestions?

You can delete the certificates through the admin interface of the Openfire server, as well as generate the appropriate ones. If you continue to get errors about principal…blah, then you may need to recreate the keytab. Again, make sure you use the FQDN of the server.
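The thread keeps coming back to the same three checks: the service principal must use the server's FQDN, the realm must be upper case, and the principal in the keytab must be the same one Openfire's GSSAPI config names. As an added example (not code from the thread or from Openfire), this script parses the Krb5LoginModule debug line quoted above and checks the principal against those rules; the sample debug line is constructed from the one in the thread, and the expected FQDN and realm are assumed values you would replace with your own.

```python
import re

# Constructed sample of the Krb5LoginModule debug line printed at Openfire launch
# (same shape as the one quoted in the thread).
SAMPLE_DEBUG = (
    "Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true "
    "ticketCache is null isInitiator true "
    "KeyTab is C:/Program Files/Openfire/resources/xmpp.keytab "
    "refreshKrb5Config is false principal is xmpp/OPENFIRE.GCBE.LOCAL@GCBE.LOCAL "
    "tryFirstPass is false useFirstPass is false storePass is false clearPass is false"
)

PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^@/]+)@(?P<realm>[^@]+)$")


def parse_debug_line(line):
    """Return (keytab_path, principal) from a Krb5LoginModule debug line.

    The keytab path may contain spaces, so it is read up to the next option name."""
    keytab = re.search(r"KeyTab is (.+?) refreshKrb5Config", line)
    principal = re.search(r"principal is (\S+)", line)
    return (keytab.group(1) if keytab else None,
            principal.group(1) if principal else None)


def check_principal(principal, expected_fqdn, expected_realm, keytab_principal=None):
    """Return a list of problems with a service principal name (empty list = OK).

    expected_fqdn/expected_realm are the AD computer name and Kerberos realm you expect;
    keytab_principal is the /princ value given to ktpass, if known."""
    problems = []
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return ["principal is not of the form service/host@REALM"]
    service, host, realm = m.group("service"), m.group("host"), m.group("realm")
    if service != "xmpp":
        problems.append(f"service part is {service!r}, Openfire expects 'xmpp'")
    if "." not in host:
        problems.append(f"host {host!r} is a short name, not an FQDN")
    elif host != expected_fqdn:
        # Kerberos principal names are case-sensitive, so the comparison is exact.
        problems.append(f"host {host!r} does not match server FQDN {expected_fqdn!r}")
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case")
    if realm != expected_realm:
        problems.append(f"realm {realm!r} does not match expected realm {expected_realm!r}")
    if keytab_principal is not None and keytab_principal != principal:
        problems.append(f"keytab holds {keytab_principal!r}, no key for {principal!r}")
    return problems
```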