Can't get SSO to work please help

Openfire Openfire Support
1

Hello,

I tried the past 2 days to get SSO to work. I have OpenFire 3.6.2 installed on Windows 2003 Standard (domain member server), we have a Windows2003 Active Directory (one Forest/Domain). On Windows XP we use as IM client Spark 2.5.8 .

I have check discussions and documents here but still SSO doesn’t work and I don’t know what else to do.

I tried the documentations:

http://www.igniterealtime.org/community/docs/DOC-1060

http://www.igniterealtime.org/community/docs/DOC-1362

http://www.igniterealtime.org/community/docs/DOC-1616

Here is what I did:

  • created user xmpp-openfire and checked “Unable to change password”, “Password never expires” and “Does not require Kerberos Preauthentication”

  • on domain controller:

setspn -A xmpp/slsv-test2.domain.com@DOMAIN.COM xmpp-openfire

ktpass -princ xmpp/slsv-test2.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL

  • on openfire server: ktab -k xmpp.keytab -a xmpp/slsv-test2.domain.com@DOMAIN.COM

  • created gss.conf in Openfire\conf folder:

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="DOMAIN.COM"
principal="xmpp/slsv-test2.domain.com@DOMAIN.COM"
debug=true;
};

  • created krb5.ini in C:\Windows on openfire server and spark client:

[libdefaults]
default_realm = DOMAIN.COM
noaddresses = true

[realms]
DOMAIN.COM = {
kdc = slsv-dc1.domain.com
admin_server = slsv-dc1.domain.com
default_domain = domain.com
}

[domain_realms]
biggenet.com = DOMAIN.COM
.biggenet.com = DOMAIN.COM

  • added in openfire.xml after :
GSSAPI

DOMAIN.COM

true

C:/Program Files/Openfire/conf/gss.conf
false

  • added in registry on Windows XP SP2 client:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

domain.com is replaced by the domain what we have.

At the beginning I had on the server in the debug window the message Checksum failed and Authentication failed, I recreated the keytab file and tried the java/openfire one and the one created on the domain controller.

Then I redid the whole configuration and wiped every SSO setting on the server and every file.

Now it doesn’t even load/open the gss.conf.

The strange thing is that after starting the openfire server most sasl settings in the openfire.xml disappeared:

I have now only in there:

DOMAIN.COM

and in the openfire System Properties I have:

sasl.gssapi.config C:/Program Files/Openfire/conf/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI

I don’t know if that is normal. So I removed all sasl entries in the openfire.xml and added entry sasl.realm DOMAIN.COM in the openfire System Properties.

I don’t know what I should check or what I can do to get it to work. I can connect with Spark by typing in the password but SSO just doesn’t work.

Any help would be appreciated.

Thanks

2

I got it working now.

I started fresh on another server with a new xmpp-openfire user account.

Here is how I did it:

I installed on the other server openfire version 3.6.3 (that probably didn’t make a difference). At the installation I used the FQDN of the server as host name, you can verify that later in the Admin Console in Server Information is at Server Name the FQDN of the server is in there. The setting xmpp.domain is then also the FQDN of the server.

I removed the self signed ssl certificates, added the CA root certificate from our domain/AD and imported the newly created ssl certificate (used the FQDN of the server). The process of getting the SSL working on Windows is a bit complicated and another topic.

I checked now if the server is working and SSL works.

I followed now the instructions from this document: http://www.igniterealtime.org/community/docs/DOC-1362

I used there the ktab tool on the openfire to generate the Keytab file and did NOT create the keytab file on the KDC via ktpass.

The krb5.ini is on the server and the client.

At changing the openfire.xml make sure the openfire server is not running. The entry authorization is not necessary in the openfire.xml at this Openfire version. I did not set the property xmpp.fqdn .

After I changed the openfire.xml and started the server it imported all setting correct in the database they are now to see in System Properties in the Admin Console:

sasl.gssapi.config C:/Program Files/Openfire/conf/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm DOMAIN.COM

In the openfire.xml is now only:

As I had problems with SSO I captured the network packets and the clients to see more and noticed a packet with: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN .

Now that SSO works I see a new packet looking for Kerberos: Standard query SRV _kerberos._udp.DOMAIN.COM and the client received the correct response with a KDC hostname. I also see a new packet with: KRB5KRB_ERR_RESPONSE_TOO_BIG but SSO seems to work. I don’t know if that message is concerning.

Well that are my findings and what I did to get SSO working.

3

Hi,

I am having trouble getting the SSL working for my openfire. Please advise how you added the CA root certificate and added newly created ssl certificate.

Thanks,

CAT09