OF 3.6.0, Win 2003 AD and SSO - was working with 3.5.1 but no more

Hi everyone,

I’ve had a disastrous day with an Openfire upgrade from 3.5.1 failing horribly with lots of database errors (another issue entirely!). Anyway, I decided not to roll back to my 3.5.1 backups, where everything was working well, but to take the opportunity to perform a clean install of OF and get rid of all the old legacy junk in the database (random errors logged, still references to Wildfire and JiveMessenger!).

Anyway, the server is now running back on the same box (only Openfire was re-installed), authenticating against AD, importing LDAP users etc. The last thing I’m trying to do is get SSO working again. I’ve copied the jabber.keytab and gssapi.conf files from the backup onto the new server. I’m not sure if it’s still needed, but I added the xmpp.fqdn property back in as this caused me some issues last time I set up SSO.

I’ve added the SASL sections back into the openfire.xml config file; these have now been removed from there, imported into the database and show up under server properties. I’ve switched on server debugging.

sasl.gssapi.config = D:/Program Files/Openfire/conf/gssapi.conf
sasl.gssapi.debug = true
sasl.gssapi.useSubjectCredsOnly = false
sasl.mechs = GSSAPI,ANONYMOUS,PLAIN,DIGEST-MD5,CRAM-MD5,NTLM
sasl.realm = EMEDIA.CO.UK

I have NOT created the LooseAuthorizationPolicy provider, as the docs say this is not needed for 3.5 and above (although I did have it in my old version?!).

My gssapi.conf file:

/**
 * Login Configuration for JAAS.
 */
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="D:/Program Files/Openfire/resources/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="EMEDIA.CO.UK"
    principal="xmpp/vm-athena.emedia.co.uk@EMEDIA.CO.UK"
    debug=true;
};

I’ve not touched my XP SP2 clients, as these were all working fine before with the correct registry keys and krb5.ini files.

When I try to connect using SSO from a Spark 2.5.8 client, the only thing logged on the server is the following in the debug log:

2008.10.08 17:12:44 NIOConnection: startTLS: using c2s

The following is logged in the Spark warn.log file:

08-Oct-2008 16:56:57 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)

The client has picked up the right username and realm.

What’s going wrong?

Please save me from tearing more of my hair out :slight_smile:

cheers

Steve

Well I fixed this myself.

My problem was assuming everything was working properly before the upgrade. When I went through every step again, it turns out a recent change in DNS servers had not replicated the reverse DNS zone, so my server could not be resolved both forwards and backwards.

Once the reverse zone was added back in, SSO worked fine. So SSO had not been working for about 2 months!

Steve
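An added pre-flight check, prompted by the reverse-DNS cause above and the gssapi.conf posted earlier in the thread; it is not part of Steve's posts or of Openfire. It parses the JAAS entry for principal, realm and keyTab, verifies the realm option matches the principal's realm, and confirms the principal's host resolves forward and then back to the same name. The sample config is constructed and the resolver functions are injectable, so the check can be exercised with stubs before pointing it at real DNS.

```python
import re
import socket

# Constructed sample modelled on the thread's gssapi.conf (hypothetical values).
SAMPLE_CONF = '''
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    keyTab="D:/Program Files/Openfire/resources/jabber.keytab"
    realm="EMEDIA.CO.UK"
    principal="xmpp/vm-athena.emedia.co.uk@EMEDIA.CO.UK"
    debug=true;
};
'''

def parse_jaas_options(text):
    """Collect key=value options (quoted or bare) from a JAAS login entry."""
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s;]+))', text)
    return {key: quoted if quoted else bare for key, quoted, bare in found}

def principal_host(principal):
    """'xmpp/host.example.com@REALM' -> 'host.example.com' (None if malformed)."""
    m = re.fullmatch(r'[^/@]+/([^@/]+)@[^@]+', principal)
    return m.group(1).lower() if m else None

def check_dns_round_trip(fqdn, forward, reverse):
    """Forward-resolve fqdn, then PTR-resolve the address; report any mismatch."""
    try:
        ip = forward(fqdn)
    except OSError as e:
        return [f"forward lookup of {fqdn} failed: {e}"]
    try:
        name = reverse(ip)
    except OSError as e:
        return [f"reverse lookup of {ip} failed (missing PTR zone?): {e}"]
    if name.lower().rstrip(".") != fqdn.lower():
        return [f"PTR for {ip} is {name}, expected {fqdn}"]
    return []

def preflight(conf_text, forward=socket.gethostbyname,
              reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    opts = parse_jaas_options(conf_text)
    host = principal_host(opts.get("principal", ""))
    if host is None:
        problems.append("principal is missing or not of the form service/host@REALM")
    else:
        if opts.get("realm") and opts["realm"] != opts["principal"].rsplit("@", 1)[1]:
            problems.append("realm option does not match the principal's realm")
        problems += check_dns_round_trip(host, forward, reverse)
    return problems
```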

Hey Steve

I have read a lot of your posts about SSO, AD and Pandion etc. I’m running OF 3.6.0 and the old Pandion 2.5 here, but I just CAN’T get SSO to work… it works great on Spark, but keeps bugging me on Pandion… could you PLEASE enlighten me with your knowledge… and Spark is just too RAM heavy compared :frowning:

you can reach me on msn: mengo25 (AT( hotmail.com or mail: mengo25 (AT( gmail.com

Thanks

Michael