Warning…this video is pretty boring! This was my first attempt at creating a “how to” video. Hopefully someone will find it useful. The video only covers some basics. As Guus has stated in his video: “…This video is intended as a demo that you can use to base your own process on. Don’t blindly follow these instructions, without giving thought to security, interoperability and performance.”
That looks too easy. Anyway, it wasn’t boring. I have learned a few things. You should have probably mentioned you were using the x64 version with the JRE bundled, so someone using x86 won’t be looking for Openfire in the regular Program Files, etc. Maybe I saw some other places to clarify, but nothing major. Good guide.
Btw, I see Xen being used for virtualization. That’s what Amazon uses?
Did you remember to make the registry edit on the workstation? Try running Spark “as administrator”.
If using the included openfire self-signed certification, make sure spark is set to accept all certificates.
Thank you for your reply.
Yes, the registry edit is done. Started Spark as administrator too.
I’m using the included Openfire certification; Spark is set to accept all certificates in the advanced options.
Today I will restart the Openfire server and the workstation and try it again. I will contact you with the result.
So, I tried it now after a restart again. I got the same result.
Here is my registry entry on the workstation.
Advanced options about certificates.
Any ideas?
Thanks
EDIT:
warn.log.0 says:
Feb 06, 2018 2:38:42 PM org.jivesoftware.spark.util.log.Log warning
WARNUNG: Exception in Login:
org.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:123)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:236)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginNonAnonymously(XMPPTCPConnection.java:373)
at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:457)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1131)
at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:335)
at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:894)
at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:138)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:120)
... 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 12 more
Caused by: java.net.UnknownHostException: codc1.xxx.net
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.security.krb5.internal.TCPClient.<init>(Unknown Source)
at sun.security.krb5.internal.NetClient.getInstance(Unknown Source)
at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KdcComm.sendIfPossible(Unknown Source)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KrbTgsReq.send(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 15 more
Do you have a system property called xmpp.fqdn?
If not, please add it, with a value that matches the CNAME/DNS record you used for your XMPP server.
For example:
xmpp.fqdn xmpp.XXX.net
I followed the video, but I’m having issues as well. I know it’s DNS related; I get this error:
he following addresses failed: ‘_xmpp-client._tcp.dc02.xxx:5222’ failed because javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name ‘_xmpp-client._tcp.dc02.xxx’, ‘dc02.xxx:5222’ failed because java.net.ConnectException: Connection timed out: connect
at org.jivesoftware.smack.SmackException$ConnectionException.from(SmackException.java:255)
My server properties are:
XMPP Domain Name: dc02.xxx
Nice, detailed video, but I’d never want my installation to be accessible from an external domain. What changes would I need to make to do this without using an external domain?
Speedy might comment on the keytab file part, but I guess you do everything the same, just use the internal domain instead of the external domain (it is only an example here). So your SRV record would point to xmpp.irt.local. The SPN probably will look like xmpp/xmpp.irt.local@irt.local and so on.
That is correct. Just substitute with your internal domain. Keep in mind, just because you are using your external domain as your XMPP domain doesn’t mean it will be accessible from the outside. For external access you’d still need external DNS setup and firewall rules to allow the traffic. I like to use my external domain as my XMPP domain for many reasons. Mainly so that my users’ email addresses and their JIDs are the same. This simplifies things for them. It will also allow you to more easily federate or allow for external access in the future should you choose to do so.
Thanks. I think I got it to work. Of course, I then realized that 80% of my users are still using the 2.7.x client, so they won’t connect to the new setup using DNS. The next couple of days will be spent upgrading all the PCs in my network with the newer 2.8 client. I appreciate the quick response - it was a big help.
I made an account specifically for this problem. I have for years tried to get this to work. It still does not work, but I feel like this is the closest I have gotten. Is there any way you or someone can help me get this to work?
I have configured the following:
spark.domain.local in DNS as a forward lookup zone in Windows DNS. An A record pointing to the Openfire server (which is a DC as well) with FQDN spark.domain.local, with a PTR record as well. I have an SRV record _xmpp-client pointed to domain spark.domain.local, host openfireserver.domain.local, with port 5222.
I made a keytab file as in this video with accounts in AD.
I added the server properties:
sasl.realm = DOMAIN.LOCAL
sasl.gssapi.useSubjectCredsOnly = false
xmpp.domain = spark.domain.local (This was already there)
xmpp.fdqn = spark.domain.local
I get this error:
rg.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:127)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:193)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:157)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:202)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginInternal(XMPPTCPConnection.java:403)
at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:546)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1128)
at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:370)
at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:910)
at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:139)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:124)
… 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
… 12 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
… 19 more
Please tell me what I am doing wrong. I have krb5.ini in the Windows dir of the Openfire server / DC. I have the keytab in the resources dir of Openfire, and the gss.conf in the Openfire conf dir. These are exactly as they are written, with the exception of the actual domain name, for security purposes.
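The two warn.log traces quoted in this thread differ only in their innermost “Caused by:” entry, and that entry is what separates a KDC that cannot be resolved (the first trace, answered with the xmpp.fqdn property) from a client that has no Kerberos identity at all (the second trace), or from a missing `_xmpp-client._tcp` SRV record (the earlier DNS error). The following triage script is an added example, not code from the thread or from Openfire/Spark; the embedded traces are constructed excerpts of the posted output with the frames trimmed.

```python
import re

# Constructed excerpts of the warn.log traces and DNS error quoted in this thread (frames trimmed).
TRACE_KDC_UNRESOLVED = """\
org.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed
    at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:123)
Caused by: javax.security.sasl.SaslException: GSS initiate failed
    ... 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)
Caused by: java.net.UnknownHostException: codc1.xxx.net
"""
TRACE_NO_PRINCIPAL = """\
org.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed
Caused by: javax.security.sasl.SaslException: GSS initiate failed
    … 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
    at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
"""
TRACE_SRV_MISSING = ("The following addresses failed: '_xmpp-client._tcp.dc02.xxx:5222' failed because "
                     "javax.naming.NameNotFoundException: DNS name not found [response code 3]; "
                     "remaining name '_xmpp-client._tcp.dc02.xxx'")

CAUSED_BY = re.compile(r"^Caused by: ([\w.$]+):\s*(.*)$")
TOP_LEVEL = re.compile(r"^([\w$]+(?:\.[\w$]+)+):\s*(.*)$")  # fully-qualified class: message
SRV_NAME = re.compile(r"remaining name ['‘](_xmpp-client\._tcp\.[^'’]+)['’]")

def exception_chain(trace: str) -> list:
    """(class, message) for the top-level exception and each 'Caused by:', outermost first."""
    chain = []
    for line in (raw.strip() for raw in trace.splitlines()):
        if not line or line.startswith(("at ", "...", "…")):
            continue  # stack frames and elision markers carry no cause information
        m = CAUSED_BY.match(line) or (TOP_LEVEL.match(line) if not chain else None)
        if m:
            chain.append((m.group(1), m.group(2)))
    return chain

def diagnose(trace: str) -> str:
    """Map the innermost cause to the failure class the thread's replies point at."""
    srv = SRV_NAME.search(trace)
    if srv:  # Smack's SRV lookup for the XMPP domain came back NXDOMAIN
        return f"srv-record-missing: {srv.group(1)}"
    chain = exception_chain(trace)
    cls, msg = chain[-1] if chain else ("", "")
    if cls.endswith("UnknownHostException"):  # Kerberos could not resolve the KDC named in the message
        return f"kdc-host-unresolvable: {msg}"
    if cls.endswith("LoginException") and "Principal Name" in msg:  # client JAAS login found no identity
        return "no-client-kerberos-credentials"
    return f"unrecognized: {cls}: {msg}"
```

Feed `diagnose()` the whole exception block from warn.log; the innermost cause, not the outer SmackException, is what decides the fix.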
It’s been a while since I’ve set this up. I’ve been meaning to set up a home lab but have not yet been able to (no time and no hardware). My job role has changed, and I no longer have access to things I once did.