Help. I am trying to get SSO working with Openfire 3.6.4 and Spark 2.5.8 and I’m having no luck. I am running Windows Server 2003 Domain Controller with Active Directory. My Openfire server is also running Windows Server 2003. If it matters, both are running on VMware. My client machines are Windows XP Pro SP3. The database is MS SQL 2005, but I also had the same issues using the embedded database.
I have followed many different instructions from this forum, such as the following, and still have no luck:
http://www.igniterealtime.org/community/docs/DOC-1362
http://www.igniterealtime.org/community/docs/DOC-1616
http://www.igniterealtime.org/community/docs/DOC-1060
I created 2 users in my domain.
OpenfireAdmin: this account is used for admin webgui logon and also LDAP.
xmpp-openfire: used for SSO/keytab. This account is a member of Domain Users and has the properties “Unable to change password”, “Password never expires” and “Does not require Kerberos Preauthentication”.
I ran the following commands from the C: prompt on my primary domain controller and did not get any errors:
setspn -A xmpp/openfireserver.domain.com@DOMAIN.COM xmpp-openfire
ktpass -princ xmpp/openfireserver.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL
I ran the following command from C:\Program Files\Openfire\jre\bin on my openfire server and did not get any errors.
ktab -k xmpp.keytab -a xmpp/servername.domain.com@DOMAIN.COM
I also tried the Windows ktpass utility:
ktpass -princ xmpp/openfireserver.domain.com@DOMAIN.COM -mapuser xmpp-openfire@Adomain.com -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab
I moved the xmpp.keytab file to C:\Program Files\Openfire\resources on the Openfire server.
I created the gss.conf in the C:\Program Files\Openfire\conf folder:
> com.sun.security.jgss.accept {
> com.sun.security.auth.module.Krb5LoginModule
> required
> storeKey=true
> keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
> doNotPrompt=true
> useKeyTab=true
> realm="DOMAIN.COM"
> principal="xmpp/openfireserver.domain.com@DOMAIN.COM"
> debug=true;
> };
I added the following to the openfire.xml file, and after restarting the openfire server, all of these now show in the System Properties, except for the realm (that is still in this file).
> <sasl>
> <mechs>GSSAPI</mechs>
> <realm>DOMAIN.COM</realm>
> <gssapi>
> <debug>true</debug>
> <config>C:/Program Files/Openfire/conf/gss.conf</config>
> <useSubjectCredsOnly>false</useSubjectCredsOnly>
> </gssapi>
> </sasl>
I created the krb5.ini file in C:\WINDOWS on both the Openfire server and my client machine as follows:
[libdefaults]
default_realm = DOMAIN.COM
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
DOMAIN.COM = {
kdc = domaincontroller.domain.com
admin_server = domaincontroller.domain.com
default_domain = domain.com
}
[domain_realms]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
I added the following to the registry on the client. Do I need to do this on the Openfire server too?
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
> Value Name: AllowTGTSessionKey
> Value Type: REG_DWORD
> Value: 1
I have rebooted my Openfire server and the client machine, and SSO still won’t work. If I log in with my password and select Save Password, SSO will work on the next try. But I suspect it isn’t really using SSO. It stops working if I change my network password.
I get the error “Unabled to connect using Single Sign-on. Please check your principal and server settings.”
When I use debug mode in Spark, here’s what I get in the “Raw Sent Packets”
<stream:stream to="openfireserver" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<stream:stream to="openfireserver" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
firstname.lastname
firstname.lastnamespark
And here’s what I get in the “Raw Received Packets”
<?xml version='1.0' encoding='UTF-8'?>stream:featuresGSSAPI</mechanisms>zlib</stream:features>
<?xml version='1.0' encoding='UTF-8'?>GSSAPIzlib
firstname.lastname
firstname.lastnamespark
Any help would be greatly appreciated. I am running out of things to try.
Thank you!
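The setup described in the post depends on three names agreeing exactly: the SPN registered with setspn, the principal stored in the keytab by ktpass or ktab, and the principal line in gss.conf; the keytab's encryption type must also be one that krb5.ini permits. As an added example (it is not part of the original post and is not Openfire or Spark code), the Python below builds a small version-2 (0x0502) MIT-format keytab in memory, parses it back, pulls the principal out of a gss.conf text, and reports principal and enctype mismatches against the krb5.ini permitted_enctypes list. The gss.conf text, the permitted_enctypes string and both sample keytabs are constructed for the example; the second keytab deliberately carries a different host name than gss.conf names, which is the kind of drift that can creep in when the name typed into ktab differs from the one registered with setspn.

```python
import re
import struct

# RFC 3961 enctype numbers, used for readable output and the permitted_enctypes check.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
ENCTYPE_IDS = {name: num for num, name in ENCTYPE_NAMES.items()}


def build_keytab(entries):
    """Serialise [(principal, enctype, kvno, key_bytes)] as a v2 MIT keytab.

    Only used here to construct sample input; a real keytab comes from ktpass/ktab.
    """
    out = bytearray(b"\x05\x02")                      # keytab format version 2
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(components))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)                  # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                  # timestamp (constructed: 0)
        body += struct.pack(">B", kvno & 0xFF)        # 8-bit key version number
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [{'principal', 'enctype', 'kvno'}] for every live entry in a v2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                               # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                            # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno})
    return entries


def gss_conf_principal(conf_text):
    """Pull principal="..." out of a JAAS gss.conf block; None if absent."""
    m = re.search(r'principal\s*=\s*"([^"]+)"', conf_text)
    return m.group(1) if m else None


def check_keytab(keytab_bytes, gss_conf_text, permitted_enctypes):
    """Compare a keytab against gss.conf and krb5.ini; return (ok, findings)."""
    findings = []
    wanted = gss_conf_principal(gss_conf_text)
    entries = parse_keytab(keytab_bytes)
    if wanted is None:
        findings.append('gss.conf has no principal="..." line')
    matching = [e for e in entries if e["principal"] == wanted]
    if not matching:
        held = ", ".join(e["principal"] for e in entries) or "nothing"
        findings.append("keytab has no entry for %s; it holds: %s" % (wanted, held))
    permitted_ids = {ENCTYPE_IDS[n] for n in permitted_enctypes.split() if n in ENCTYPE_IDS}
    for e in matching:
        if e["enctype"] not in permitted_ids:
            findings.append("entry for %s uses %s, not in permitted_enctypes"
                            % (e["principal"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    return (not findings), findings


# Constructed inputs mirroring the post's configuration (placeholder key, no real credentials).
GSS_CONF = '''
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    doNotPrompt=true useKeyTab=true
    realm="DOMAIN.COM"
    principal="xmpp/openfireserver.domain.com@DOMAIN.COM"
    debug=true;
};
'''
PERMITTED = "rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5"   # from the krb5.ini above
FAKE_KEY = bytes(16)                                           # constructed placeholder key
GOOD_KEYTAB = build_keytab([("xmpp/openfireserver.domain.com@DOMAIN.COM", 23, 3, FAKE_KEY)])
MISMATCHED_KEYTAB = build_keytab([("xmpp/servername.domain.com@DOMAIN.COM", 23, 3, FAKE_KEY)])

if __name__ == "__main__":
    for label, keytab in (("good", GOOD_KEYTAB), ("mismatched", MISMATCHED_KEYTAB)):
        ok, findings = check_keytab(keytab, GSS_CONF, PERMITTED)
        print(label + ":", "OK" if ok else "; ".join(findings))
```

To run it against a real deployment, pass the bytes of the keytab file and the text of gss.conf to check_keytab together with the permitted_enctypes value from krb5.ini; the parser skips the key material, so it can be run without ever printing a key. The kvno reported per entry is also worth comparing with what the domain controller holds, since a keytab regenerated after a password reset stops matching the account's current key version.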