
Openfire 3.7 SSO not working

I am able to log in to Openfire without SSO, but when I try to use it I get this error in Spark.

On the server I get:

2012.03.29 09:53:31 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: jsmith

I have a Windows 2003 Domain and Openfire is installed on the PDC. I have made the registry changes and dropped in the krb5 file.

Any help?

Did you create the user mapping and create the keytab file? If not, you need to do that as well.

I created the keytab file for sure. Where/how do I create the user mapping?

Doesn't the fact that it currently works with AD credentials mean the user mapping is correct?

I guess I meant to say you have to create the user mapping for the service principal (SPN). Then once you do that, you create your keytab file.

Now... SSO uses Kerberos tickets to read login/password info from the OS and then passes that to the server. Signing on using a regular username and password is entered by the user and then authenticated against your LDAP.

I followed the instructions here to map the SPN and create the keytab file: http://community.igniterealtime.org/docs/DOC-1362

I recreated the keytab 2 times, once using the Windows utility and once using the Java one. No change.

Here is my gss.conf file:

    // JAAS login configuration used by Openfire's GSSAPI (Kerberos) SASL mechanism
    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            storeKey=true
            keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
            doNotPrompt=true
            useKeyTab=true
            realm="INCORPORATED.COM"
            principal="xmpp/SERVER1.INCORPORATED.COM@INCORPORATED.COM"
            debug=true;
    };

KRB5.ini:

    [libdefaults]
        default_realm = INCORPORATED.COM
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

    [realms]
        INCORPORATED.COM = {
            kdc = SERVER1.incorporated.com
            admin_server = SERVER1.incorporated.com
            default_domain = incorporated.com
        }

    # The section name is [domain_realm]; a [domain_realms] section is silently ignored.
    [domain_realm]
        incorporated.com = INCORPORATED.COM
        .incorporated.com = INCORPORATED.COM
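An added consistency check, not from this thread or the Openfire project: it parses a keytab in the MIT version 0x0502 format and reports whether the file holds an entry for exactly the principal named in gss.conf with a key type that krb5.ini's permitted_enctypes allows. The keytab bytes below are constructed test data built by build_keytab; to check a real server, pass the contents of xmpp.keytab to check_keytab instead.

```python
import struct
# Enctype numbers (RFC 3961/4757) mapped to the names krb5.ini uses.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

def parse_keytab(data):
    """Parse an MIT version-0x0502 keytab into (principal, enctype, kvno) tuples."""
    if struct.unpack(">H", data[:2])[0] != 0x0502:
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size < 0:                    # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp, pos = struct.unpack(">H", data[pos:pos + 2])[0], pos + 2
        strings = []                    # realm first, then the name components
        for _ in range(ncomp + 1):
            ln = struct.unpack(">H", data[pos:pos + 2])[0]
            strings.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        _ntype, _ts, vno8, enctype, keylen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + keylen              # skip the key bytes; the secret itself is not needed
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], enctype, kvno))
        pos = end
    return entries

def check_keytab(data, principal, permitted):
    """Return a list of problems; empty means the keytab agrees with the config."""
    hits = [e for e in parse_keytab(data) if e[0] == principal]
    problems = [] if hits else ["no entry for %s" % principal]
    for _, enctype, kvno in hits:
        name = ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype)
        if name not in permitted:
            problems.append("%s key (kvno %d) not in permitted_enctypes" % (name, kvno))
    return problems

def build_keytab(principal, enctype, kvno, key):  # CONSTRUCTED test data, not a real key
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key  # name type 1 = principal
    return struct.pack(">Hi", 0x0502, len(body) + 4) + body + struct.pack(">I", kvno)

GSS_PRINCIPAL = "xmpp/SERVER1.INCORPORATED.COM@INCORPORATED.COM"     # principal from gss.conf above
PERMITTED = "rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5".split()  # permitted_enctypes from krb5.ini
SAMPLE_KEYTAB = build_keytab(GSS_PRINCIPAL, 23, 2, b"\x11" * 16)       # constructed rc4-hmac entry
```

Principal comparison is exact, so a keytab generated for a differently cased host name will show up as a missing entry rather than a match.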