Open Fire SSO - SASL authentication failed

hay guys, i am trying to implement SSO on our spark server.

i have the lastest version of spark and of openfire,

i have followed the SSO instructions and i keep getting please check your principal and server settings.

i have checked in my spark logs and this is what i have

SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate( 209)
at org.jivesoftware.smack.XMPPConnection.login(
at org.jivesoftware.LoginDialog$LoginPanel.login(
at org.jivesoftware.LoginDialog$LoginPanel.access$400(
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(
at org.jivesoftware.spark.util.SwingWorker$
at Source)

i can manually login to spark.

thanks for your help


i am going to post some more information in here.

the AD users shows this as the username: xmpp/


<?xml version="1.0" encoding="UTF-8"?> 9090 9091 en org.jivesoftware.database.EmbeddedConnectionProvider OYEZ_PRESS.COM - true

gss.conf {
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"


default_realm = OYEZ_PRESS.COM
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

kdc =
admin_server =
default_domain =

[domain_realms] = OYEZ_PRESS.COM = OYEZ_PRESS.COM

One thing i noticed when i got it working was that i should force it to use a specific xmpp host in the config in spark before u login and that should be the same as the principal used in the gss.conf. In your case it should be “” and then u can use the xmpp.domain address u have to connect to as address or whatever address to connect to your server but it should be the same as your “xmpp.domain” or “xmpp.fqdn”

I also found out that the krb5.ini works best with only rc4-hmac enctypes and skip the rest for some reason.

U need to have a user so the xmpp can auth for kerberos

Create a user named xmppauth (can be whatever) and set a password on it and remember it (in this example “xmpppass”

ktpass -princ xmpp/@ -mapuser -pass KTB5_NT_PRINCIPAL -out C:\openfire\resources\xmpp.keytab

ktpass -princ xmpp/ -mapuser xmppauth -pass xmpppass KTB5_NT_PRINCIPAL -out C:\openfire\resources\xmpp.keytab

setspn is auto included here and is not needed for this to work. (atleast in my setup)

Remember the register keys on both the server and clients + reboot for them to activate

One thing is to put the xmpp.keytab in “C:\openfire\resources\xmpp.keytab” and not in the normal install folder as it can bugg some.

I dont see if u have the property, sasl.gssapi.useSubjectCredsOnly = false or the sasl.gssapi.debug = true enabled but they should be.

Also u should have all the Service Location (SRV) records in your dns, “_jabber, _kerberos, _xmpp-client, _xmpp_server” and so on…

Also try to put your gss.conf in “C:\openfire\conf\gss.conf”

It worked for me atleast maybe it will work for you.

when you talk about teh host in the config of spark, i take it you mean the server box under username and pw on the client itself ? that is set o

i have taken out all other encyrption type of my krb5 and jsut left rc4 in it.

i already have a user created for xmp authing, its called xmpp-openfire but i cannot logon manually with that account, maybe it didnt created correctly.

when running the KTPASS should i run that on my openfire server because i was running it on my primary BDC…

i will created a new folder structure and copy the keytab and gss into the new structure.

here are my gssapi settings, i think they are correct.





in regards to teh srv records i take it they are placed under _tcp…

_jabber > lonspk01

_kereros > points to everyone of our BDC’s

_xmpp-clients > not sure where this should point to

_xmpp_server > not sure where this should point to either

sorry if it seems im asking alot of questions, i havent done much work with srv records

in the serverbox in the login dialog i use a dns alias to connect but the xmpp host is in the advance -> connection -> host

The logon thing is something i have not solved but it must be able to logon atleast on the openfire server machine because it want to auth in your AD and it must be allowed to logon on the server atleast…

i think the ktpass should be run on your AD server atleast

the _xmpp-client and _xmpp-server points at our dns alias that points on the openfire server basicly…

its very tricky and can break very easy i have noticed, also something i noticed was when i was upgrading to .3.7.0 server the SSO broke on both the old 3.6.4 and the new 3.7.0 and i have not figured it out yet…