Need help getting SSO to work

Christian_Garofalo · November 12, 2009, 4:37pm

Help. I am trying to get SSO working with Openfire 3.6.4 and Spark 2.5.8 and I’m having no luck. I am running Windows Server 2003 Domain Controller with Active Directory. My Openfire server is also running Windows Server 2003. If it matters, both are running on VMware. My client machines are Windows XP Pro SP3. The database is MS SQL 2005, but I also had the same issues using the embedded database.

I have followed many different instructions from this forum, such as the following. And still no luck

http://www.igniterealtime.org/community/docs/DOC-1362

http://www.igniterealtime.org/community/docs/DOC-1616

http://www.igniterealtime.org/community/docs/DOC-1060

I created 2 users in my domain.

OpenfireAdmin: this account is used for admin webgui logon and also LDAP.

xmpp-openfire: used for SSO/keytab. This account is a member of Domain Users has properties “Unable to change password”, “Password never expires” and “Does not require Kerberos Preauthentication”.

I ran the following commands from the C: prompt on my primary domain controller and did not get any errors:

setspn -A xmpp/openfireserver.domain.com@DOMAIN.COM xmpp-openfire

ktpass -princ xmpp/openfireserver.domain.com@DOMAIN.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL

I ran the following command from C:\Program Files\Openfire\jre\bin on my openfire server and did not get any errors.

ktab -k xmpp.keytab -a xmpp/servername.domain.com@DOMAIN.COM

I also tried the Windows ktpass utility:

ktpass -princ xmpp/openfireserver.domain.com@DOMAIN.COM -mapuser xmpp-openfire@Adomain.com -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab


I moved the xmpp.keytab file to C:\Program Files\Openfire\resources on the Openfire server.

I created the gss.conf in the C:\Program Files\Openfire\conf folder:

> com.sun.security.jgss.accept {
>     com.sun.security.auth.module.Krb5LoginModule
>     required
>     storeKey=**true**
>     keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
>     doNotPrompt=**true**
>     useKeyTab=**true**
>     realm="DOMAIN.COM"
>     principal="xmpp/openfireserver.domain.com@DOMAIN.COM"
>     debug=**true**;
> };

I added the following to the openfire.xml file, and after restarting the openfire server, all of these now show in the System Properties, except for the realm (that is still in this file).

GSSAPI DOMAIN.COM true C:/Program Files/Openfire/conf/gss.conf false

I created the krb5.ini file in C:\WINDOWS on both the Openfire server and my client machine as follows:

[libdefaults]
default_realm = DOMAIN.COM
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
DOMAIN.COM = {
kdc = domaincontroller.domain.com
admin_server = domaincontroller.domain.com
default_domain = domain.com
}

[domain_realms]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM

I added the following to the registry on the client. Do I need to do this on the Openfire server too?

> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
> Value Name: AllowTGTSessionKey
> Value Type: REG_DWORD
> Value: 1

I have rebooted my Openfire server and the client machine. And SSO still won’t work. If I log in with my password and select Save Password, SSO will work on the next try. But I suspect it isn’t really using SSO. It stops working if I change my network password.

I get the error “Unabled to connect using Single Sign-on. Please check your principal and server settings.”

When I use debug mode in Spark, here’s what I get in the “Raw Sent Packets”

<stream:stream to=“openfireserver” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

<stream:stream to=“openfireserver” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>
firstname.lastname
firstname.lastnamespark

And here’s what I get in the “Raw Received Packets”

<?xml version='1.0' encoding='UTF-8'?>
stream:featuresGSSAPI</mechani sms>zlib</stream:features>

<?xml version='1.0' encoding='UTF-8'?>GSSAPIzlib
firstname.lastname
firstname.lastnamespark

Any help would be greatly appreciated. I am running out of things to try.

Thank you!

Christian_Garofalo · November 12, 2009, 8:39pm

I get the following error if I run

kinit -k -t xmpp.keytab xmpp/openfireserver.domain
.com@DOMAIN.COM "password"

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Openfire\jre\bin>kinit -k -t xmpp.keytab xmpp/openfireserver.domain
.com@DOMAIN.COM “password”
Exception: krb_error 906 Identifier doesn’t match expected value (906) Identifie
r doesn’t match expected value
KrbException: Identifier doesn’t match expected value (906)
at sun.security.krb5.internal.PAData.(Unknown Source)
at sun.security.krb5.internal.KRBError.(Unknown Source)
at sun.security.krb5.KrbAsRep.(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

C:\Program Files\Openfire\jre\bin>

Christian_Garofalo · November 12, 2009, 9:05pm

And I am getting the following error message in C:\Program Files\Spark\logs\error.log on my XP client.

Nov 12, 2009 4:01:58 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)

Jason_L · November 14, 2009, 2:47am

maybe a silly question, but kerberos is very picky about lots of things. do you have a clock skew problem between the dc, openfire server, and client? They all need to be pretty darn close. the default clock skew indicates 5 minutes but I have had problems with less of a skew.

Christian_Garofalo · November 14, 2009, 2:58am

Hi, the clocks are the same. I got this working today.

I had an incorrect spn for my xmpp/server.domain.com@DOMAIN.COM mapped to a different user that I tried using this with before. I used the “setspn -d xmpp/server.domain.com@DOMAIN.COM username” command to remove it.

“setspn -l username” will show you all spns for a specific username.

Not sure if there is a command to show you all usernames mapped to a particular spn (reverse lookup).

On a side note, the krb5.ini was not required for me. Thanks.