We’ve configured an Openfire Server (4.2.3 on Ubuntu) and tested it against our AD setup using LDAP and regular challenge/response passwords, but we are now trying to switch over to using SSO. We followed the instructions here: SSO Configuration to set up a new server, and everything appears to be configured properly, but clients still cannot authenticate with SSO/GSSAPI.
When they connect we get an error saying they are unauthorized. I suspect that the issue might be the keytab file, but we verified its creation and regenerated it a second time with no change in results. We’ve also verified that the clients (Ubuntu) are able to use Kerberos properly by testing with kinit and klist, and similarly we have verified that the XMPP service is registered in the KDC using: setspn -L openfire
We also noticed that the AD service (user) account has the checkboxes for AES encryption checked, but the DES option is not checked. Perhaps we need to specify the encryption method to match in Openfire?
Any help that could be given to troubleshoot this or even get better logging would be great. Thanks.
Here is the output we get from the clients at login:
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is username@DOMAIN.NET
May 15, 2018 3:22:19 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
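Added example (not part of the original post, and not Openfire or Spark code): a small inspector for the MIT 0x0502 keytab format that lists every entry's principal, kvno and encryption type, then flags the three mismatches that typically produce a GSSAPI "not-authorized" on the server side: the keytab principal not matching the SPN that setspn reports, the keytab kvno being stale after a ktpass re-run (compare with the service account's msDS-KeyVersionNumber in AD), and DES keys being present while the account has DES disabled or no AES key being present while the account has AES enabled. The SPN `xmpp/openfire.example.net@DOMAIN.NET`, the realm, the kvno values and the key bytes are all constructed for the sample keytab built in the block; point `main()` at the keytab Openfire actually uses and pass your own SPN and kvno.

```python
"""Inspect an MIT-format (0x0502) keytab and flag common GSSAPI/SSO mismatches.

Added example, not Openfire's own code. The SPN, realm, kvno values and key
bytes used for the built-in sample are constructed for illustration only.
"""
import struct
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961/3962/4757) that appear in AD-generated keytabs
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
DES_ENCTYPES = {1, 3}
AES_ENCTYPES = {17, 18}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    timestamp: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int):
    """Read a counted_octet_string (uint16 length + bytes); return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Return the live entries of a version-0x0502 keytab (deleted slots are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                          # negative size = hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted(data, off)       # key bytes are not needed for the checks
        kvno = vno8
        if end - off >= 4:                    # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, ts))
    return entries


def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries, keys) -> bytes:
    """Serialise entries with the given key bytes into 0x0502 format (used to build the sample)."""
    out = b"\x05\x02"
    for e, key in zip(entries, keys):
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)   # NT_PRINCIPAL, time, vno8
        body += struct.pack(">H", e.enctype) + _cstr(key)
        body += struct.pack(">I", e.kvno)                              # explicit 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def check_keytab(entries, expected_principal: str, ad_kvno: int, ad_allows_des: bool = False):
    """Compare keytab contents with what the AD KDC will use; return a list of findings."""
    findings = []
    matching = [e for e in entries if e.principal == expected_principal]
    if not matching:
        findings.append(f"no entry for {expected_principal}; keytab SPN does not match setspn output")
        return findings
    for e in matching:
        if e.kvno != ad_kvno:
            findings.append(f"kvno {e.kvno} ({e.enctype_name}) != AD msDS-KeyVersionNumber {ad_kvno}: stale key")
        if e.enctype in DES_ENCTYPES and not ad_allows_des:
            findings.append(f"{e.enctype_name} entry present but DES is disabled on the AD account")
    if not any(e.enctype in AES_ENCTYPES for e in matching):
        findings.append("no AES entry; an account with AES enabled will get AES service tickets")
    return findings


# Constructed sample: three current keys plus a stale DES key from an earlier ktpass run.
SPN = "xmpp/openfire.example.net@DOMAIN.NET"   # constructed; use the SPN from setspn -L
SAMPLE_ENTRIES = [
    KeytabEntry(SPN, 3, 18, 1526400000),
    KeytabEntry(SPN, 3, 17, 1526400000),
    KeytabEntry(SPN, 3, 23, 1526400000),
    KeytabEntry(SPN, 2, 3, 1526300000),
]
SAMPLE_KEYS = [b"\xaa" * 32, b"\xbb" * 16, b"\xcc" * 16, b"\xdd" * 8]   # dummy key material
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES, SAMPLE_KEYS)


def main(path=None, spn=SPN, ad_kvno=3):
    data = open(path, "rb").read() if path else SAMPLE_KEYTAB
    entries = parse_keytab(data)
    for e in entries:
        print(f"{e.kvno:>3}  {e.principal:<45} {e.enctype_name}")
    for f in check_keytab(entries, spn, ad_kvno):
        print("!!", f)


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

On a box with MIT Kerberos installed, `klist -kte <keytab>` prints the same principal/kvno/enctype listing; the value of the script is the comparison against the AD side, which klist does not do. For the "better logging" part of the question, starting Openfire's JVM with `-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true` makes the JDK print which keytab entry and enctype it tries when it fails to accept the client's GSSAPI token.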