Openfire 3.7.0 SSO

I have looked over and followed everything I can find to get SSO working and still fail every time.

In the Server log Info: I get User Login Failed. Failure to initialize security context

The Openfire server is running on Windows Server 2008 x64 SP2 and we are running Active Directory at 2003 functionality level.

gss.conf file:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="georgefern.local"
    principal="xmpp/gfim.georgefern.local@georgefern.local"
    debug=true;
};

xmpp {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=false debug=true;
};

The database ofProperty values:

xmpp.domain  gfim
xmpp.fqdn  gfim.georgefern.local
sasl.gssapi.config  C:/gss.conf
sasl.gssapi.debug  true
sasl.gssapi.useSubjectCredsOnly  false
sasl.mechs  GSSAPI
sasl.realm  georgefern.local

I tried having all of this in the xml file but in the logs it told me not to use that and to put them in the properties.

On the client anyone can log in if they type in their username (First Initial Last Name) and their AD password. While trying to get this working I have successfully broken fastpath and can't seem to fix it either, although I haven't spent much time trying that as SSO is more important right now.

Same here…I am at a loss…I have tried everything and still get the "Please check your principal and server settings". Very frustrating…can someone please shed light on this…I also have a thread that I opened in May… http://community.igniterealtime.org/message/212953#212953

I have made some progress now. I have made it to the point of getting Checksum failed !

This is what I get when using the windows generated keytab:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:/Program Files (x86)/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/gfim.georgefern.local@GEORGEFERN.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal’s key obtained from the keytab
principal is xmpp/gfim.georgefern.local@GEORGEFERN.LOCAL
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 4B 25 66 E2 91 D4 BC AE 86 A1 7B 90 76 5C 6F 31 K%f…v\o1

Added server’s keyKerberos Principal xmpp/gfim.georgefern.local@GEORGEFERN.LOCALKey Version 2key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 4B 25 66 E2 91 D4 BC AE 86 A1 7B 90 76 5C 6F 31 K%f…v\o1

[Krb5LoginModule] added Krb5Principal xmpp/gfim.georgefern.local@GEORGEFERN.LOCAL to Subject
Commit Succeeded

Checksum failed !

This is what I get when using the java generated keytab:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:/Program Files (x86)/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/gfim.georgefern.local@GEORGEFERN.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal’s key obtained from the keytab
principal is xmpp/gfim.georgefern.local@GEORGEFERN.LOCAL
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 4B 25 66 E2 91 D4 BC AE 86 A1 7B 90 76 5C 6F 31 K%f…v\o1

Added server’s keyKerberos Principal xmpp/gfim.georgefern.local@GEORGEFERN.LOCALKey Version 2key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 4B 25 66 E2 91 D4 BC AE 86 A1 7B 90 76 5C 6F 31 K%f…v\o1

[Krb5LoginModule] added Krb5Principal xmpp/gfim.georgefern.local@GEORGEFERN.LOCAL to Subject
Commit Succeeded

Checksum failed !

The difference in the Openfire launch window is that with the java file in place all of it is in red, and with the windows file only "Checksum failed !" is in red.

Anybody know what to do now?

Maybe I was a bit pre-mature on my last post…

I rebooted the server not just OpenFire but the windows server and it let me sign in with SSO. Need to test from a few other stations to be sure.

I followed this guide the first time and, well, did it again today. This time it looks like it worked. http://community.igniterealtime.org/docs/DOC-1362

The difference is that in 3.7 you don't use the XML; you put the properties in the database.

In previous versions I was able to sign in with SSO, but when it came time for the user to change the pw in AD (we expire every 90 days) the SSO failed. It was never working even though it appeared to be, with the SSO option checked. Let me know if you got it fully working…as I also tried the java key generator (both ways logged into the PDC as the domain admin account…

Can you go into more detail: what/where did you add to the properties of the database?

In the database properties under sasl.gssapi.config I have "C:/Program Files (x86)/Openfire/conf/gss.conf". Is there more?

I went to System Properties and added the properties there:

sasl.gssapi.config  C:/Program Files (x86)/Openfire/conf/gss.conf
sasl.gssapi.debug  true
sasl.gssapi.useSubjectCredsOnly  false
sasl.mechs  GSSAPI
sasl.realm  GEORGEFERN.LOCAL

OK, I had everything in there but the sasl.realm, which I added…restarted the srv 08 and still get the check principal error grrrrrr

Don’t forget the client side registry key even on win 7. It will fail without it. No need to reboot after inserting it either just restart Spark Client.

Sorry to ask, but that might be the part I may be missing…what reg key?

Here is my gss.conf file:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    isInitiator=false
    useKeyTab=true
    realm="GEORGEFERN.LOCAL"
    principal="xmpp/gfim.georgefern.local@GEORGEFERN.LOCAL"
    debug=true;
};

My krb5.ini file, in both the server and client %windir% folders:

[libdefaults]
default_realm = GEORGEFERN.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
GEORGEFERN.LOCAL = {
kdc = gfcindc01.georgefern.local
admin_server = gfcindc01.georgefern.local
default_domain = georgefern.local
}

[domain_realms]
domain.com = GEORGEFERN.LOCAL
.domain.com = GEORGEFERN.LOCAL

Current keytab file was created via java method

ktab -k xmpp.keytab -a xmpp/servername.domain.com@REALM.COM

On Windows 2000 SP4, Windows 2003 Server and later, or Windows Vista:

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

On Windows XP SP2, SP3… :

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

Found that in http://community.igniterealtime.org/docs/DOC-1362

follow the method for vista on win 7
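A quick way to catch the krb5.ini problems that surface in this thread as "check your principal" errors. This is an added example, not code from the thread, from Openfire or from MIT krb5: it parses the file format krb5.ini uses (sections, `key = value`, and `REALM = { ... }` blocks), then checks the things a troubleshooter would compare by eye: the default realm is upper case, the section is spelled `[domain_realm]` (the `[domain_realms]` heading in the file posted above is not a section libkrb5 reads), the `domain.com` placeholders from the template have been replaced, the XMPP server's FQDN actually maps to a realm, and that realm has a `kdc`. The embedded sample is the krb5.ini posted above; the server FQDN `gfim.georgefern.local` is taken from the thread's xmpp.fqdn property.

```python
"""Sanity-check a krb5.ini for Kerberos SSO (added example, not Openfire code).

Assumes MIT krb5 syntax ([section], key = value, and realm blocks of the
form REALM = { kdc = host ... }) and that the caller supplies the XMPP
server's FQDN so the [domain_realm] mapping can be exercised.
"""
import re

# The krb5.ini posted in the thread, embedded here as sample input.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = GEORGEFERN.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
GEORGEFERN.LOCAL = {
kdc = gfcindc01.georgefern.local
admin_server = gfcindc01.georgefern.local
default_domain = georgefern.local
}

[domain_realms]
domain.com = GEORGEFERN.LOCAL
.domain.com = GEORGEFERN.LOCAL
"""


def parse_krb5(text):
    """Return {section: {key: value}}; a `NAME = {` block becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key outside a section: %r" % line)
        if line == "}":                          # end of a realm block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def realm_for_host(conf, fqdn):
    """Longest-suffix lookup in [domain_realm], as libkrb5 does; None if unmapped."""
    host, best = fqdn.lower(), None
    for dom, realm in conf.get("domain_realm", {}).items():
        d = dom.lower()
        if host == d or (d.startswith(".") and host.endswith(d)):
            if best is None or len(d) > len(best[0]):
                best = (d, realm)
    return best[1] if best else None


def check_krb5(text, server_fqdn):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    conf, problems = parse_krb5(text), []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        problems.append("libdefaults has no default_realm")
    elif default_realm != default_realm.upper():
        problems.append("default_realm %s is not upper case" % default_realm)
    if "domain_realms" in conf:
        problems.append("section [domain_realms] is ignored; krb5 reads [domain_realm]")
    for sec in ("domain_realm", "domain_realms"):
        for dom in conf.get(sec, {}):
            if dom.lstrip(".") == "domain.com":
                problems.append("placeholder %s from the template was never replaced" % dom)
    if realm_for_host(conf, server_fqdn) is None:
        problems.append("no [domain_realm] entry maps %s; libkrb5 must fall back "
                        "to its default realm mapping" % server_fqdn)
    if default_realm and "kdc" not in conf.get("realms", {}).get(default_realm, {}):
        problems.append("[realms] has no kdc for %s" % default_realm)
    return problems


if __name__ == "__main__":
    for p in check_krb5(SAMPLE_KRB5_INI, "gfim.georgefern.local"):
        print("PROBLEM:", p)
```

Run it against the posted file and it reports the wrong section name, the two leftover placeholders and the unmapped server host; rename the section to `[domain_realm]` and replace `domain.com` with `georgefern.local` and the check list comes back empty.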

I am at a loss…I have tried everything…I went through the doc again…from scratch…tried both the windows and java keytab files…verified the KRB5.ini on both client/server…still get the Principal error…

Are you seeing any errors in the OpenFire launcher? That's where I got errors about checksum.

With sasl.gssapi.debug=true everything with the krb5login should show there, or at least it does on mine. Both successful and failed attempts.

If nothing is there then the server is still not quite right.

I have only ever set up this one server so I am no expert, but if you post your files I might be able to see something that will help.

ok…here ya go…

  1. Created a domain account xmpp-openfire and assigned it a password and made it part of the domain users group.

  2. From a DOS prompt on RA (the PDC) I ran:

     a. setspn -A xmpp/Jabber.gsprecision.com@GSPRECISION.COM xmpp-openfire

     b. ktpass -princ xmpp/Jabber.gsprecision.com@GSPRECISION.COM -mapuser xmpp-openfire@AD_domain.com -pass * -ptype KRB5_NT_PRINCIPAL (using the password that I set for the xmpp-openfire domain user)

     c. From the jre6/bin directory on RA: ktab -k xmpp.keytab -a xmpp/Jabber.gsprecision.com@REALM.COM (using the password that I set for the xmpp-openfire domain user)

  3. Copied the xmpp.keytab to the resources directory on the Openfire server.

  4. Added this into the System Properties:

     sasl.gssapi.config  C:/Program Files (x86)/Openfire/conf/gss.conf
     sasl.gassapi.debug  true
     sasl.gssapi.useSubjectCredsOnly  false
     sasl.mechs  GSSAPI
     sasl.realm  GSPRECISION.COM

  5. I put the KRB5.ini in both windows directories of the client/server:

     [libdefaults]
     default_realm = GSPRECISION.COM
     default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
     default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
     permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

     [realms]
     GSPRECISION.COM = {
     kdc = ra.gsprecision.com
     admin_server = ra.gsprecision.com
     default_domain = gsprecision.com
     }

     [domain_realms]
     domain.com = GSPRECISION.COM
     .domain.com = GSPRECISION.COM

     [logging]
     kdc = CONSOLE

  6. Added the reg hack for Vista (on Win 7) and did the XP one, testing from multiple computers/OSs.

  7. Added xmpp.fdqn Jabber.gsprecision.com

  8. Set the xmpp.domain gsprecision.com

  9. Spark 2.6.2 set to SSO with DNS

I do not get any error messages in the listener (which I assume is the main server window) other than starting the Monitoring plugin…Did I miss something?

And I have also tried the USE krb5.conf or krb5.ini options as well

ohh and my gss.conf file:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="GSPRECISION.COM
    principal="xmpp/Jabber.gsprecision.com@gsprecision.com"
    debug=true;
};

Your command is wrong; you should be using

ktpass -princ xmpp/Jabber.gsprecision.com@GSPRECISION.COM -mapuser xmpp-openfire@gsprecision.com -pass * -ptype KRB5_NT_PRINCIPAL

ktab -k xmpp.keytab -a xmpp/Jabber.gsprecision.com@GSPRECISION.COM

I am using the SSO file method.

The principal should end in @GSPRECISION.COM. Very important that the realm be in CAPS.
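The reply above comes down to one thing: the principal stored in the keytab, the `principal=` in gss.conf and the SPN the KDC issues tickets for must agree byte for byte, realm case included, or the acceptor cannot find a key and you get "check your principal" or, when the key is found but is the wrong one or the wrong kvno, "Checksum failed". The following is an added example, not code from this thread, from Openfire or from the JDK `ktab` tool: a small parser for the keytab layout that both `ktab` and `ktpass` write (version bytes `05 02`, big-endian lengths), plus a check that compares the entries against the configured principal. It lists principal, kvno and enctype for every entry, which is what you compare against the "Key Version" and "keyType" lines in the Krb5LoginModule debug output. The script name `keytab_check.py`, the in-memory keytab builder used for the self-test and the 16-byte placeholder key are all constructed for the example; no real service key is used.

```python
"""Inspect a keytab the way a troubleshooter would (added example, not
Openfire's or the JDK ktab tool's code).

Assumes the MIT/Heimdal keytab layout (version bytes 05 02, big-endian
sizes), which is what ktab and ktpass both write. The key bytes used in
the self-test are a constructed placeholder, not a real service key.
"""
import struct
import sys
import time

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1


def _counted(b):
    """counted_octet_string: 16-bit length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for princ, realm, kvno, etype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", etype) + _counted(key)
        body += struct.pack(">I", kvno)            # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, key_len) for every entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")

    def counted(p):
        (n,) = struct.unpack(">H", data[p:p + 2])
        return data[p + 2:p + 2 + n].decode(), p + 2 + n

    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = counted(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = counted(pos)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen               # skip the key material itself
        kvno = vno8
        if end - pos >= 4:            # a non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, "enctype %d" % etype),
                        "key_len": klen})
    return entries


def check_keytab(data, configured_principal):
    """Compare the keytab against the principal= in gss.conf; return problems found."""
    names = [e["principal"] for e in parse_keytab(data)]
    problems = []
    if configured_principal not in names:
        problems.append("no entry for %s (keytab holds %s)" % (configured_principal, names))
        for n in names:
            if n.lower() == configured_principal.lower():
                problems.append("case mismatch: keytab has %s; the realm must be upper case" % n)
    realm = configured_principal.rsplit("@", 1)[-1]
    if realm != realm.upper():
        problems.append("configured realm %s is not upper case" % realm)
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:             # usage: keytab_check.py xmpp.keytab svc/host@REALM
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        principal = sys.argv[2]
    else:                              # constructed demo keytab with a placeholder key
        data = build_keytab([("xmpp/gfim.georgefern.local", "GEORGEFERN.LOCAL",
                              2, 23, bytes(range(16)))])
        principal = "xmpp/gfim.georgefern.local@georgefern.local"
    for e in parse_keytab(data):
        print("%(principal)s kvno=%(kvno)d %(enctype)s (%(key_len)d-byte key)" % e)
    for p in check_keytab(data, principal):
        print("PROBLEM:", p)
```

Pointed at a real keytab with the gss.conf principal as the second argument, the listing shows whether the keytab's kvno still matches what the KDC has (re-running ktpass bumps it, which leaves an older keytab producing "Checksum failed"), whether the enctype is one the client's krb5.ini permits, and whether the realm in the keytab is the upper-case form the reply above insists on.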