I have openfire 3.5 and I’m using SSO for all my users to connect. I have an AD server that it authenticates through. Everything has been working perfectly until this morning. I came in and nobody can connect, and when I try to login to the admin console I can’t do that either. The setup was working flawlessly for about 3 months now and all of a sudden it won’t do anything and I didn’t make any changes. Has anybody had this happen before? If I can’t get this fixed then I give up on Openfire, I can’t go back and totally redo the setup for all of this. Thanks in advance for your help.
Is the process running? Did you set it as a service or put the Openfire shortcut into the startup menu? Can you ping your server? Are the users getting errors indicating that they can’t find the server or that they can’t authenticate?
Yes the process is running. I stopped the server once they couldn’t connect and then started it again - so it is running. I can also pull up the admin page, I just can’t login. Everybody is having errors authenticating. The problem seems to be between the AD server and the chat server.
Did the password for the account you used for LDAP bind during setup change or expire? If it did you will not connect.
I didn’t change it and it’s set to never expire so it shouldn’t have.
Edit the openfire.xml with the server off to have the <setup> tag read <setup>false</setup>. Then start the server, go to the admin page and step through the setup screens again. Click every test button. Most settings are preserved as they are already in the openfire.xml.
Ok, that fixed the AD bind. I guess the password just needed to be reset. Now the problem I have is that when I start the openfire server I get this error “Checksum Failed! [Krb5LoginModule] authentication failed Checksum Failed”. I know why I am getting this. I am getting this error because I reset the password on the xmpp login in AD. How do I change the password in Openfire to match this?
Ok, I found the password I originally used for the keytab bind and I changed it in AD but I am still having the same error. I guess I need to regenerate the keytab?
Edit the openfire.xml file or rerun setup as I previously instructed.
You should have a different ID to generate the keytab to. I purposefully made a keytab user. This user is set to never expire as well. That way the AD bind ID can be reset if needed.
I do have two separate users. I have one for the LDAP bind and one for the keytab bind. I thought the original problem was with the keytab bind so I reset the password. The problem was with the LDAP bind though. I fixed that problem by re-running setup. Now because I changed the password on the keytab bind I am having a different problem. At first I couldn’t remember what password I used for the keytab bind, but I have found that and reset it to what it was to begin with - however I am still having the same problem.
I have found with AD if you edit the keytab user in any way it pretty much ruins the keytab and its user. I have had to in the past completely delete the keytab user and recreate it and its keytab to fix errors I caused by altering the keytab user.
Ok this problem has been fixed. I regenerated the Keytab and now everything is working again. Thanks again for your help mtstravel - after all the help you’ve given me I owe you a dinner or something!!
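Regenerating the keytab fixed it because the key stored in the old keytab no longer matched the account's key after the password reset. As an added example (not from this thread and not Openfire's own code), here is a small Python inspector for an MIT-format keytab that lists each entry's principal, kvno and enctype and flags entries whose kvno no longer matches the account's current key version (msDS-KeyVersionNumber in AD, which increments on every password reset); the principal, realm and key bytes below are constructed placeholders.

```python
import struct

def _counted(buf, pos):
    """Read a counted_octet_string (uint16 length + bytes); return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT 0x0502 keytab into dicts: principal, kvno, enctype, key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(entry, p)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        key, p = _counted(entry, p + 2)
        kvno = vno8                       # 32-bit kvno follows when >= 4 bytes remain
        if len(entry) - p >= 4:
            (kvno,) = struct.unpack_from(">I", entry, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "keylen": len(key)})
    return entries

def stale_entries(entries, principal, current_kvno):
    """Entries for `principal` whose kvno differs from the account's current key version."""
    return [e for e in entries if e["principal"] == principal and e["kvno"] != current_kvno]

def _entry(principal, realm, kvno, enctype, key):
    """Build one keytab entry (used only to construct the sample keytab below)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name_type=1 (NT_PRINCIPAL), timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: an RC4-HMAC (enctype 23) key for a placeholder service account at kvno 3,
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("xmpp/chat.example.com", "EXAMPLE.COM", 3, 23, b"\x11" * 16)
                 + struct.pack(">i", -8) + b"\x00" * 8)   # followed by one deleted 8-byte slot
```

Read a real file with `parse_keytab(open(path, "rb").read())`; if the kvno reported is lower than the account's current msDS-KeyVersionNumber, the keytab predates the last password reset and needs regenerating.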
Yea I may have to do that yet. Everything is working but I am getting a lot of red writing in the openfire info box. For now though all is well, I’ll mess with the other part later. Thanks again for the help.
Ok, everything is working now but I am experiencing some weird stuff. In the openfire box that pops up when you start the server I see a lot of red writing and now in the client chat list it only shows first names instead of first and last names. I am thinking I should totally delete the xmpp user in AD and recreate the keytab. If I do this do I need to make any other changes to gss.conf, krb5.ini or openfire.xml?
No, you won’t need to recreate those files. Your roster errors come from the re-setup process. You need to fix your vcard mappings and the <nameField> sections of the openfire.xml (see attachment).
Ok, everything is working flawlessly now. Thanks again for all of your help!!