
MOSX Server + AD 2003 + SSO Help


I seem to have an issue with SSO.


AD 2003 LDAP

MOSXS 10.4 running Openfire 3.3.3

Spark Client

I have installed Openfire and configured it for AD users. This is working a treat once I figured out the base DN. However, I thought I would go one step further and set up SSO. However, I followed the guide on Configuring Openfire for use with Kerberos.

I have created the keytab file and put it into the relevant directory /usr/local/openfire/resources

I have created the gss.conf file and stuck it in the conf directory beside openfire.xml

I have amended the openfire.xml file for sasl and provider sections.

I then stopped and restarted the server through System Preferences; however, the Openfire setup started from scratch. I had a look at the openfire.xml file and all my data I entered before configuring gss.conf was in there.

I can go through the setup and configure LDAP and groups etc., but at the last stage, Adding an admin user, I add a user and it looks like it accepts it; however, the finish box never appears. It is like it is stuck. When I add a bogus user in there I get a msg stating the user was not found.

When I revert the openfire.xml file back to the original I can log in to the Openfire server. But I really want to get SSO working as I cannot expect students at our college to put in the server address.

Some advice from the pros would be a help.

Kind Regards

Jamie Thomson

Does anyone know which direction I should be going in? Post logs etc.? I have tried regenerating the keytab file this morning; however, I'm still getting the same issue. May as well just scrap SSO then.



Make sure you have a fully working Openfire setup before adding any SSO options. It sounds like you are having some trouble getting things installed first. (You can't add an admin user at install time if you are using LDAP, since Openfire doesn't actually store the users.) Once you get that issue resolved, add in the SSO options from that document. If after adding the SSO options to openfire.xml you get kicked back into the setup screen, then you did something wrong, most likely a typo in the openfire.xml. Check the logs; they should tell you something useful.

Also as a note: The students will still need to enter the server name in the client. You can pre-populate that if you wish, but you can do that without SSO too. Do you have complete control over the workstations the students are using (like a lab environment?) or are you hoping to get SSO from their personal computers? SSO with AD only works if the users actually log into the domain on a workstation that is joined to the domain.

Hello and thanks for your response. Openfire was working great, students can log in and instant messaging works a treat. I was trying to take it one step further and get SSO working; however, it did not happen.

I don't think SSO is such a big deal if I can pre-populate the server settings. Is this just a plist file on OSX? BTW, forgot to mention all users log in to a Mac that is bound to Active Directory, so they are using domain credentials to log in anyway. Any ideas how to populate the server settings box?

If they are logging into a Mac, there is a good chance they do not have the credentials to make SSO work properly. I think OSX’s AD logins are only utilizing the LDAP features, and not Kerberos. To check, find the Kerberos application and see if you have any tickets. If you do not have any tickets, then no credentials are obtained at login, so SSO won't


Hello. When a user logs into a Mac bound to Active Directory they have a Kerberos ticket for 10hrs. In the Kerberos app it shows as

(v5) jamie@mydomain.domain.ac.uk



Do you know how to pre-populate the server settings? Thanks, Jamie