powered by Jive Software

Can't make Spark and SSO work without Spark credential cache

Hi,

I’ve read and made many tests before that post… So I really hope to find some help.

I have 1 Domain controler dccommundev1 for my test domain COMMUNDEV1.FR (w2k3 standard with JRE 6 upd12 ) and 1 Win 2003 hosting Openfire v3.6.2 with JRE 6 upd11 named openfire1.

I have configured SSO on the servers according to the following tutorials :

http://www.igniterealtime.org/community/docs/DOC-1060.pdf

http://www.igniterealtime.org/community/docs/DOC-1616

http://www.igniterealtime.org/community/docs/DOC-1362Windows SSO procedure

I am able to make SSO works ONLY if I check the box “Remember password” on spark logon windows and activate SSO after. For me it is not real SSO… Because for a “new” client if I don’t save the password and directly activate the SSO I get the error "Unable to connect using Single Sign-On. Please check your principal and server settings (attached file).

I can’t make Spark work without the credential cache… Is it possible ? How ?

I’ve attached the krb5.ini, the gss.conf and my openfire SASL config. I’ve generated the keytab with both Java and windows tool with no success…

I did not activated the LDAPS or TLS. I don’t force the use of SSL between client/openfire and openfire/Active Directory

So if someone have an idea and can help me ? I would be in heaven !
gss.conf (272 Bytes)
krb5.ini (309 Bytes)


I’m in the same boat. The documentation is pretty inconsitant and unclear. This doesn’t appear to be correct. Also, KRB5.ini is not needed for new installations (purely windows environment)…at least that’s my understanding from here.

Can anyone else confirm this?

Also, where is the debug information for all of this go because it is not in the openfire server logs.

Thanks

The krb5.ini file is needed by windows clients. The problem is every install of AD is different. Different security, different settings, etc. THere is no concrete step by step because this is windows after all. No two machines are ever alike even when cloned.

I’ve got this problem too.

Setup of W2k3 AD, 2 domain controllers (1 PDC, 1 BDC), Openfire 3.6.3 on Linux, Spark on Terminal Servers through Citrix.

If I do not “save the password” (and from what I can see, that’s sooooooooo worryingly unsecure, saving it in plain text format, encrypted with the key that’s available from the source code, or am I wrong in that?) and the entries:

passwordSaved=true

password=

are not in the spark.properties file, then Single Sign On does not work. When I change my passwd on the AD system, I then have to re-enter my new password on the spark sign-in window and resave it.

Any progress/ideas/diagnosis suggestions on this, much-more-learned then me peeps?

Thanks

Daryn

Bump.

I too have been attempting the very same sort of setup. And have started to run out of ideas.

I’d really like to see someone address the possible causes of a “401” auth response, when attempting to get SSO going…

wow is this driving me nuts. I’ve gone through all the steps probably 5 times now and it still doesn’t work.

is there something in a log somewhere that explain why it’s not working beyond the login failure message???

SSO can be a challenge to get working. I had a few issues myself, but it does work great once you get it going.

Todd Getz how to here is pretty accurate

http://www.igniterealtime.org/community/docs/DOC-1616

If you followed his post, then the problem is likely your keytab file. the windows ktpass is hit or miss…mostly miss

create a new keytab file using java’s KTAP

ktab -k xmpp.keytab -a xmpp/servername.domain.com@DOMAIN.COM

Once you do that, use kinit on your new keytab file (located in openfire\jre\bin)

kinit -k -t xmpp.keytab xmpp/servername.domain.com@DOMAIN.COM “password” (replace password with the password you used and without the quotes)

If it runs without any errors, you’re file is good. If it gives you errors, then go back into AD and reset the password (use the same password as before) on the user that you used to map xmpp/servername.domain.com@REALM.COM

Run kinit again

If all is good, place the file in your resources folder, restart openfire.

Let me know if this helps

kinit reports no errors, still does not work.

Why is it that the openfire.xml file always reverts back to this:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL

instead of what I entered in which was this:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL OPENFIRE.LOCAL true C:\Program Files\Openfire\conf\gss.conf false

Plus, what’s really weird now is that “Account” in spark for SSO says “xmpp/openfiretest.openfire.local”. WTH?

hmnmm…I don’t know. I did this from scratch today and didn’t have any problems. I’ll try to write something up in the next day or two on the steps I took. Maybe you’ve over looked something.

jayfire wrote:

kinit reports no errors, still does not work.

Why is it that the openfire.xml file always reverts back to this:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL

instead of what I entered in which was this:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL OPENFIRE.LOCAL true C:\Program Files\Openfire\conf\gss.conf false

Plus, what’s really weird now is that “Account” in spark for SSO says “xmpp/openfiretest.openfire.local”. WTH?

I’ve seen the " “xmpp/openfiretest.openfire.local” when I tried to use SSO from the domain controller. Try from another pc and let me know what happens. as far as the xml, don’t worry about it. the settings have been moved to the database. If you pull up the webgui, you should now see the gssapi settings.