OpenFire 3.9.3 SSO - can't get Kerberos to initialise

I’m trying to get SSO integration working for one of our clients at the moment and have been following https://community.igniterealtime.org/docs/DOC-2585, trying to set up SSO, but I’m not having a lot of luck so far.

The OpenFire server is on a server running Windows Server 2008 R2 SP1. The domain controller is on Windows Server 2008 SP1. So far, I’ve successfully run the following steps:-

  • on the print server, I’ve modified local policy to allow all Kerberos encryption types except DES_CBC_CRC
  • I’ve confirmed there is a PTR record in the reverse lookup pointing to the correct server
  • I’ve created an xmpp-user, setting it so the password can’t be changed, it never expires, to use Kerberos DES encryption and not to require Kerberos preauthentication
  • The following commands have been run on the domain controller:-
    • setspn -A xmpp/lttnsydprt.TitanWheel.locall@TITANWHEEL.LOCAL xmpp-user
    • ktpass -princ xmpp/lttnsydprt.TitanWheel.locall@TITANWHEEL.LOCAL -mapuser xmpp-user@TitanWheel.local -pass * --ptype KRB5_NT_PRINCIPAL (and entered the password for this account)
  • krb5.ini has been created as follows and placed in C:\Windows and C:\ :- (I’ve seen more than one place suggest krb5.ini should be in the root directory, so I’m covering all bases)
    [libdefaults]
    default_realm = TitanWheel.local
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5

    [realms]
    TitanWheel.local = {
        kdc = ttnsydfs.TitanWheel.local
        admin_server = ttnsydfs.TitanWheel.local
        default_domain = TitanWheel.local
    }

    [domain_realm]
    TitanWheel.local = TitanWheel.local
    .TitanWheel.local = TitanWheel.local

  • Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTGTSessionKey has been created with a DWORD value of 0x1
  • Created the keytab file by running ktab -k xmpp.keytab -a xmpp/ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL and entered the password

However, when I try and test the keyfile, I get the following output:-

C:\Program Files (x86)\Openfire\jre\bin>kinit -k -t xmpp.keytab xmpp\ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL RCsTD0HiKX9L

Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
    at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn’t match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.ASRep.init(Unknown Source)
    at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
    ... 5 more

I’ve also tried generating the keytab using ktpass -princ xmpp/ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL -mapuser xmpp-user@TitanWheel.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab, and get exactly the same error message as above.

I’ve tried proceeding beyond this to configure OpenFire anyway with the keytab file, but somewhat unsurprisingly, SSO isn’t working.

Can anyone shed some light on where I might be going wrong here?

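Before running kinit against a keytab it helps to confirm what the keytab actually contains, since "Client not found in Kerberos database" is what the KDC answers when the principal name sent does not exist, and the names used in the setspn, ktpass, ktab and kinit steps above do not all agree with each other. The script below is an added example, not part of the original post or of Openfire: it decodes the keytab v2 (0x0502) layout that both ktab and ktpass write, lists principal, kvno and enctype for each entry, and reports the usual reasons a given principal would not be accepted (no matching entry, a case-only difference, a backslash where '/' is expected, a single-DES key). The sample keytab is constructed in code with a dummy key; point parse_keytab at the bytes of a real xmpp.keytab to check your own.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Enctype numbers that commonly appear in AD keytabs (RFC 3961 / MIT numbering).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}  # single DES; disabled by default on current KDCs


@dataclass
class KeytabEntry:
    principal: str   # e.g. "xmpp/host.example.local@EXAMPLE.LOCAL"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    kvno: int
    enctype: int


def _counted(data: bytes, pos: int) -> Tuple[str, int]:
    """Read a uint16-length-prefixed string (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def build_keytab(entries) -> bytes:
    """Serialise (principal, name_type, kvno, enctype, key) tuples in keytab v2 layout.
    Used here only to construct sample input; real keytabs come from ktab/ktpass."""
    out = bytearray(b"\x05\x02")                 # file format version 0x0502
    for principal, name_type, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key       # key block
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a v2 (0x0502) keytab; key bytes are skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:            # optional trailing 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, kvno, enctype))
    return entries


def check_principal(entries: List[KeytabEntry], requested: str) -> List[str]:
    """Explain why `kinit -k -t keytab requested` might fail against this keytab."""
    findings = []
    if "\\" in requested:
        findings.append("principal contains a backslash; service and host are separated by '/'")
    exact = [e for e in entries if e.principal == requested]
    if not exact:
        findings.append(f"no keytab entry for {requested}")
        close = sorted({e.principal for e in entries if e.principal.lower() == requested.lower()})
        if close:
            findings.append(f"only a case-different entry exists: {close} (comparison is case-sensitive)")
        else:
            findings.append("keytab principals: " + ", ".join(sorted({e.principal for e in entries})))
    for e in exact:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"entry uses single-DES ({ENCTYPE_NAMES.get(e.enctype, e.enctype)}), "
                            "which the KDC may refuse")
    return findings


# Constructed sample: one rc4-hmac entry with a dummy key (not a real secret).
SAMPLE_KEYTAB = build_keytab([
    ("xmpp/ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL", 1, 3, 23, b"\x11" * 16),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry.principal, ENCTYPE_NAMES.get(entry.enctype, entry.enctype), "kvno", entry.kvno)
    for req in ("xmpp/ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL",
                "xmpp\\ttnsydprt.TitanWheel.local@TITANWHEEL.LOCAL",
                "xmpp/lttnsydprt.TitanWheel.locall@TITANWHEEL.LOCAL"):
        print(req, "->", check_principal(parse_keytab(SAMPLE_KEYTAB), req) or ["ok"])
```

The principal string kinit sends must match a keytab entry byte for byte, and the keytab entry must in turn match the servicePrincipalName and userPrincipalName that ktpass mapped on the account, so run the same check against each of the names used in the setup steps rather than assuming they were typed identically.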

Hi, I’m experiencing the exact same problem, did you ever resolve this?

This is a pretty old thread, and the procedure used back then is not the same as the one used today. You may want to create a new thread. Also take a look at How To: Video on setting up SSO/AD with Openfire.

I just wanted to reply here in case someone else stumbles over this. I was getting “Server not found in Kerberos database” errors; it turned out to be duplicate SPNs, remedied with setspn -D.
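The reply above points at duplicate SPNs, which is worth checking early because Active Directory will not reliably issue service tickets for a name registered on more than one account, and SPN comparison is case-insensitive, so a second registration that differs only in case still collides. The following Python is an added example, not code from the thread or from Openfire: it parses the account/SPN listing in the layout that setspn -Q prints (one DN line followed by tab-indented SPNs; this layout is assumed here and the listing itself is constructed to mirror the names in the thread) and reports every SPN held by more than one account.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the layout setspn -Q prints: a DN line, then one
# tab-indented SPN per line. Not captured from a real domain.
SAMPLE_SETSPN_OUTPUT = """\
Checking domain DC=TitanWheel,DC=local
CN=xmpp-user,CN=Users,DC=TitanWheel,DC=local
\txmpp/ttnsydprt.TitanWheel.local
CN=TTNSYDPRT,CN=Computers,DC=TitanWheel,DC=local
\tHOST/ttnsydprt.TitanWheel.local
\tHOST/TTNSYDPRT
\txmpp/ttnsydprt.TitanWheel.local
CN=svc-old,CN=Users,DC=TitanWheel,DC=local
\tXMPP/TTNSYDPRT.titanwheel.local

Existing SPN found!
"""

# Status lines setspn prints that carry no SPN data.
_STATUS_PREFIXES = ("Checking domain", "Existing SPN", "No such SPN")


def parse_setspn(text: str) -> Dict[str, List[str]]:
    """Map each account DN to the SPNs listed beneath it."""
    by_account: Dict[str, List[str]] = defaultdict(list)
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(_STATUS_PREFIXES):
            continue
        if line[0] in " \t":                      # indented line = SPN of the current account
            if current is None:
                raise ValueError(f"SPN line before any account DN: {line!r}")
            by_account[current].append(line.strip())
        else:                                     # unindented line = account DN
            current = line.strip()
            by_account.setdefault(current, [])
    return dict(by_account)


def normalise_spn(spn: str) -> str:
    """AD matches SPNs without regard to case, so fold case before comparing."""
    return spn.lower()


def find_duplicate_spns(by_account: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {normalised SPN: sorted account DNs} for SPNs held by more than one account."""
    holders: Dict[str, set] = defaultdict(set)
    for dn, spns in by_account.items():
        for spn in spns:
            holders[normalise_spn(spn)].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    dupes = find_duplicate_spns(parse_setspn(SAMPLE_SETSPN_OUTPUT))
    for spn, dns in dupes.items():
        print(f"{spn} is registered on {len(dns)} accounts:")
        for dn in dns:
            print("   ", dn)
```

On a real domain, setspn -X performs this same duplicate search directly, and the offending registration is removed with setspn -D as the reply describes; the script is useful when you have saved the setspn -Q output and want to diff the state before and after a change.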