
How To: Video on setting up SSO/AD with Openfire


Warning… this video is pretty boring! This was my first attempt at creating a “how to” video. Hopefully someone will find it useful. The video only covers some basics. As Guus has stated in his video: “…This video is intended as a demo that you can use to base your own process on. Don’t blindly follow these instructions, without giving thought to security, interoperability and performance.”

Use at your own risk!

Feel free to use this as a reference as well.


That looks too easy :smiley: Anyway, it wasn’t boring. I have learned a few things. You should have probably mentioned you were using the x64 version with the JRE bundled, so someone using x86 won’t be looking for Openfire in the regular Program Files, etc. Maybe I saw some other places to clarify, but nothing major. Good guide :wink:
Btw, I see Xen being used for virtualization. That’s what Amazon uses?


Hey speedy,

I tried your HowTo.
The LDAP connection worked fine; now I tried setting up SSO, but it doesn’t work for me.

My configs:

krb5.ini in C:/Windows:

    [libdefaults]
    default_realm = XXX.NET

    [realms]
    XXX.NET = {
        kdc = codc1.xxx.net
        admin_server = codc1.xxx.net
        default_domain = xxx.net
    }

    # the section header must be spelled [domain_realm], not [domain_realms]
    [domain_realm]
    xxx.net = XXX.NET
    .xxx.net = XXX.NET
gss.conf in C:\Program Files\Openfire\conf:

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
        // the principal and the remaining options were cut off in the post
    };

Openfire server settings:


When I try to log in, I get the following answer:

Do you have any idea?

Thank you!!


Did you remember to make the registry edit on the workstation? Try running Spark “as administrator”.
If using the included Openfire self-signed certificate, make sure Spark is set to accept all certificates.


Hello speedy,

Thank you for your reply.
Yes, the registry edit is done. Started Spark as administrator too.
I’m using the included Openfire certificate; Spark is set to accept all certificates in the advanced options.

Today I will restart the Openfire server and the workstation and try it again. I will contact you with the result.

Thanks, see you.


So, I tried it again now after a restart. I got the same result.
Here is my registry entry on the workstation.

Advanced options about certificates.

Any ideas?

Thanks :slight_smile:


warn.log.0 says:

Feb 06, 2018 2:38:42 PM org.jivesoftware.spark.util.log.Log warning
WARNUNG: Exception in Login:
org.jivesoftware.smack.SmackException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:123)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
	at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:169)
	at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:236)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.loginNonAnonymously(XMPPTCPConnection.java:373)
	at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:457)
	at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1131)
	at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:335)
	at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:894)
	at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:138)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
	at org.jivesoftware.smack.sasl.javax.SASLJavaXMechanism.getAuthenticationText(SASLJavaXMechanism.java:120)
	... 10 more
Caused by: GSSException: No valid credentials provided (Mechanism level: codc1.xxx.net)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	... 12 more
Caused by: java.net.UnknownHostException: codc1.xxx.net
	at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
	at java.net.PlainSocketImpl.connect(Unknown Source)
	at java.net.SocksSocketImpl.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at sun.security.krb5.internal.TCPClient.<init>(Unknown Source)
	at sun.security.krb5.internal.NetClient.getInstance(Unknown Source)
	at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
	at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KdcComm.sendIfPossible(Unknown Source)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KdcComm.send(Unknown Source)
	at sun.security.krb5.KrbTgsReq.send(Unknown Source)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
	... 15 more


Do you have a system property called xmpp.fqdn?
If not, please add it, with a value that matches the CNAME/DNS record you used for your XMPP server.
For example:
xmpp.fqdn xmpp.XXX.net


Yes, I have.

My DNS record:

And the xmpp.fqdn on the Openfire server:




If you followed the video, then you likely have a CNAME xmpp.XXX.net that points to coof029.xxxxx.xxx. If so, use the CNAME for this value.


Ok, I made a mistake: I don’t have a CNAME.
I created it now.

I still get the same error message… but maybe I should check the video one more time, after realizing that the CNAME was missing.


I followed the video, but I’m having issues as well. I know it’s DNS related; I get this error:

The following addresses failed: ‘_xmpp-client._tcp.dc02.xxx:5222’ failed because javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name ‘_xmpp-client._tcp.dc02.xxx’, ‘dc02.xxx:5222’ failed because java.net.ConnectException: Connection timed out: connect
at org.jivesoftware.smack.SmackException$ConnectionException.from(SmackException.java:255)

My server properties are:

XMPP Domain Name: dc02.xxx

Server Host Name: dc02.xxx

I have added the SRV records just as the video stated, but I didn’t use “externaldomain.com”, I used my local domain zone.

SRV Record:
Domain: xxx.xxx
Service: xmpp-client
Protocol: _tcp
Port Number: 5222
Host offering service: xmpp.xxx

Alias: xmpp
FQDN: xmpp.xxx
FQDN Target: dc02.xxx

What am I doing wrong?


Abashi, I have replied on your other thread. Your XMPP domain and FQDN are wrong in Openfire. It shouldn’t be your server’s name.


Nice, detailed video, but I’d never want my installation to be accessible from an external domain. What changes would I need to make to do this without using an external domain?


Speedy might comment on the keytab file part, but I guess you do everything the same, just use the internal domain instead of the external domain (it is only an example here). So your SRV record would point to xmpp.irt.local. The SPN would probably look like xmpp/xmpp.irt.local@irt.local and so on.


That is correct. Just substitute with your internal domain. Keep in mind, just because you are using your external domain as your XMPP domain doesn’t mean it will be accessible from the outside. For external access you’d still need external DNS setup and firewall rules to allow the traffic. I like to use my external domain as my XMPP domain for many reasons. Mainly so that my users’ email addresses and the JIDs are the same. This simplifies things for them. It will also allow you to more easily federate or allow for external access in the future should you choose to do so.
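Added example (not from this thread or the Openfire project): a small offline Python check for the names that the krb5.ini post earlier and the SRV/CNAME/SPN discussion here both depend on. It verifies that every kdc named in krb5.ini resolves (the UnknownHostException in the Spark log above), that krb5.ini actually has a [domain_realm] section, that the _xmpp-client._tcp SRV target is the same name as xmpp.fqdn, that neither xmpp.domain nor xmpp.fqdn is the server’s own hostname, and derives the SPN from the xmpp/<fqdn>@<REALM> pattern wroot gives. The krb5.ini text, host names and DNS table are constructed, and the resolver is injected so it runs without a domain.

```python
import re
# Constructed krb5.ini shaped like the one posted earlier, keeping its [domain_realms] typo.
KRB5_POSTED = """[libdefaults]
    default_realm = XXX.NET
[realms]
    XXX.NET = {
        kdc = codc1.xxx.net
    }
[domain_realms]
    xxx.net = XXX.NET
"""
# Constructed stand-in for DNS so the check runs offline; the KDC name is deliberately absent.
FAKE_DNS = {"xmpp.xxx.net": "10.0.0.5", "coof029.xxx.net": "10.0.0.5"}

def parse_krb5(text):
    """Split a krb5.ini into {section: [(key, value)]}; brace lines of a realm block are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None and not line.endswith("{"):
            k, _, v = line.partition("=")
            sections[current].append((k.strip(), v.strip()))
    return sections

def check_sso_names(krb5_text, xmpp_domain, xmpp_fqdn, srv_target, server_host, resolve):
    """Return (problems, expected_spn); resolve(name) yields an address or None."""
    sec, problems = parse_krb5(krb5_text), []
    realm = dict(sec.get("libdefaults", [])).get("default_realm")
    if realm is None:
        problems.append("krb5.ini: no default_realm under [libdefaults]")
    if "domain_realm" not in sec:
        problems.append("krb5.ini: [domain_realm] section missing; a misspelled header is never consulted")
    for key, kdc in sec.get("realms", []):
        if key == "kdc" and resolve(kdc) is None:
            problems.append(f"KDC {kdc} does not resolve (the UnknownHostException in the Spark log)")
    if resolve(xmpp_fqdn) is None:
        problems.append(f"xmpp.fqdn {xmpp_fqdn} has no DNS record (CNAME or A)")
    if srv_target != xmpp_fqdn:
        problems.append(f"_xmpp-client._tcp SRV target {srv_target} differs from xmpp.fqdn {xmpp_fqdn}")
    if server_host in (xmpp_domain, xmpp_fqdn):
        problems.append("xmpp.domain / xmpp.fqdn must be the service name, not the server's own hostname")
    return problems, (f"xmpp/{xmpp_fqdn}@{realm}" if realm else None)

if __name__ == "__main__":
    print(check_sso_names(KRB5_POSTED, "xxx.net", "xmpp.xxx.net", "xmpp.xxx.net", "coof029.xxx.net", FAKE_DNS.get))
```

Swap FAKE_DNS.get for a real lookup (for example a wrapper around socket.gethostbyname) to run it against your own zone.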


Thanks. I think I got it to work. Of course, I then realized that 80% of my users are still using the 2.7.x client, so they won’t connect to the new setup using DNS. The next couple of days will be spent upgrading all the PCs in my network with the newer 2.8 client. I appreciate the quick response; it was a big help.