I'm trying to set up openfire-3.3.2 and spark-2.5.4 to use SSO.
Platform - linux.
I already have working kerberos, actually all my users login to their workstation using kerberos accounts.
Here is my setup:
Openfire:
I've set up Openfire with internal databases and created a "haizaar" user (besides the "admin" user).
Then I've followed these instructions:
http://wiki.igniterealtime.org/display/WILDFIRE/GSSAPI+Authentication
When Spark tries to connect, I see in stdout.log that xmpp/orion.mydomain.com@MYDOMAIN.COM principal is successfully loaded from keytab. So I assume my setup is right.
Spark:
After running
ln -s /tmp/krb5cc_wdk3kf /tmp/krb5cc_1000
(1000 is my uid), Spark was able to successfully load my TGT and to obtain a ticket for xmpp/orion.mydomain.com@MYDOMAIN.COM (I saw this by running klist and in the KDC logs).
In Spark, I've clicked Advanced and entered orion.mydomain.com in the Host field, and flagged "Use single-sign-on…" in the SSO tab.
Everything looked perfect, but when I pressed the "login" button, authentication failed, with the following exception listed in Openfire's warn.log:
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
It looks to me that there is some mismatch in FQDN, JID,… soup, that breaks the whole setup.
My realm is: MYDOMAIN.COM
My domain is: mydomain.com
Server runs on: orion.mydomain.com
Server uses principal: xmpp/orion.mydomain.com
I'm trying to connect as user: haizaar@MYDOMAIN.COM
Also, I'm worried that there is a sign near the "Server Name" field in the Openfire admin console. I've set the Server Name field and the xmpp.domain property to "orion.mydomain.com".
Any suggestions?
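A small consistency check over the names the post lists (realm, xmpp.domain, host FQDN, keytab principal), added here as an example and not taken from the post, from Openfire or from the linked wiki page. It assumes Openfire's GSSAPI login looks up the service principal as `xmpp/<xmpp.domain>@<REALM>` and that the keytab listing is in `klist -k` format; the listings below are constructed, not the poster's real output.

```python
import re

# Constructed `klist -k` style listing that matches the names in the post.
KEYTAB_OK = """Keytab name: FILE:/etc/openfire/xmpp.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 xmpp/orion.mydomain.com@MYDOMAIN.COM
   3 xmpp/orion.mydomain.com@MYDOMAIN.COM
"""

# Constructed listing where the keytab was made for the short hostname instead of the FQDN.
KEYTAB_SHORT_HOST = """Keytab name: FILE:/etc/openfire/xmpp.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 xmpp/orion@MYDOMAIN.COM
"""


def parse_keytab_listing(text):
    """Return the set of principal names found in a `klist -k` listing."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def expected_principal(xmpp_domain, realm, service="xmpp"):
    """Assumed lookup key: service/<xmpp.domain>@REALM (realm is case-sensitive)."""
    return f"{service}/{xmpp_domain}@{realm}"


def check_sso_names(xmpp_domain, realm, server_fqdn, keytab_text):
    """Return a list of mismatches; an empty list means the names line up."""
    findings = []
    if xmpp_domain.lower() != server_fqdn.lower():
        findings.append(f"xmpp.domain '{xmpp_domain}' differs from host FQDN '{server_fqdn}'")
    if realm != realm.upper():
        findings.append(f"realm '{realm}' is not upper-case; Kerberos realms usually are")
    want = expected_principal(xmpp_domain, realm)
    have = parse_keytab_listing(keytab_text)
    if want not in have:
        findings.append(f"keytab has no key for {want}; it holds {sorted(have) or 'no principals'}")
    return findings


if __name__ == "__main__":
    for kt in (KEYTAB_OK, KEYTAB_SHORT_HOST):
        print(check_sso_names("orion.mydomain.com", "MYDOMAIN.COM", "orion.mydomain.com", kt) or "names consistent")
```

On a live host, replace the constructed listings with the real `klist -k <keytab>` output; a non-empty result points at which of the names in the setup disagrees.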