I’ve been trying, and failing, to get SSO to work using the latest Openfire server (3.5.0 RC1) - having tried 3.4.5. It’s running on SLES10 and I’m trying to access it using Spark on a SUSE 10.2 client. The Kerberos environment used is MIT running on Solaris (yup, we love Unix) - which is working fine, as we use it for SSO to our workstations and servers, as well as using it for Kerberos HTTP(S) authentication to our web server (which is running on the same server as Openfire). I’m pretty sure (99.9999%'ish) I’ve got everything configured correctly, but I’m getting the following error (which seems to indicate that the service keytab is not being acknowledged, or sent, properly):
No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Now when I was checking the available docs for the umpteenth time I came across this little snippet (I missed it before, as it was under a section regarding DNS and we use krb5.conf files):
Multi-homed servers (servers with more than one IP address) are not supported with SSO at this time, but if you know what you are doing it may be possible.
Now the server I have installed Openfire on is most certainly multi-homed, having 3 separate IP addresses. So my question is (yes, I’m finally getting to it): is the above statement still true? If so, I’m boned.
Incidentally, is there a way of setting Spark’s Kerberos settings, e.g. a gss.conf file equivalent - I would like to get it to store the service ticket in my ticket cache, so that I can at least verify I’m obtaining it correctly (the log file on the KDC seems to indicate I am, but I’d like to be sure).