
Openfire+Spark+SSO is not working


#1

Hey,

I am trying to setup SSO using Openfire and Spark. I setup LDAP through Openfire and it works fine with Spark. Now I am having problems with SSO working even from the server.

My problem shows up in Spark in the advanced options:

I used this documentation:

My environment is:

KDC/AD on Windows Server 2012 R2 => DC01
Openfire Server on Windows Server 2008 R2 => srv10vc
Host/Client has Windows 10

Version of Openfire: 4.1.6
Version of Spark: 2.8.3.960

krb.ini on Client/Openfire-Server:

[libdefaults]
default_realm = coeorg.NET
default_tkt_enctypes= rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
COEORG.NET = {
kdc = dc01.coeorg.net
admin_server = dc01.coeorg.net
default_domain = coeorg.net
}
[domain_realms]
domain.com = coeorg.net
.domain.com = coeorg.net

gss.conf on Openfire-Server:

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="COEORG.NET"
principal="xmpp/srv10vc@COEORG.NET"
debug=true;
};


Reverse DNS lookups exist.

So, can anyone take a look at this and tell me why it would not be authenticating or what I could possibly be missing?

Thanks! :slight_smile:


#2

perhaps this will be helpful


#3
  1. The client's clock must match the KDC.
  2. Run Spark as administrator. If login then succeeds, UAC (on operating systems newer than Windows XP) is blocking the AllowTGTSessionKey setting, and UAC needs to be disabled.
  3. If the previous two steps are correct, check the firewall port on the Openfire server: TCP 5222.
  4. Check the keytab file. Go to the Openfire server:
    cmd
    cd "c:\program files\openfire\jre\bin"
    kinit -k -t "PathFileKeytab" -p XMPP/fqdn@YOUR.DOMAIN
    You should see the following: New ticket is stored in cache file...
    If you get an error, something went wrong when creating the SPN or the keytab.
    Glad to help.
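The four checks from the reply above, gathered into one PowerShell script to run on the Openfire host. This is an added example, not code from the thread or from Openfire; the KDC name, keytab path, principal and JRE path are taken from the first post and are parameters you will need to adjust, and the registry location is the documented one for AllowTgtSessionKey.

```powershell
# Added example: runs the four SSO checks from the reply above on the Openfire server.
# Defaults come from the first post in this thread; change them for your environment.
param(
    [string]$Kdc       = 'dc01.coeorg.net',
    [string]$XmppHost  = 'srv10vc',
    [string]$Keytab    = 'C:\Program Files (x86)\Openfire\resources\xmpp.keytab',
    [string]$Principal = 'xmpp/srv10vc@COEORG.NET',
    [string]$JreBin    = 'C:\Program Files (x86)\Openfire\jre\bin'
)

# 1. Clock skew against the KDC. Kerberos rejects tickets once the skew passes 5 minutes,
#    so the offset reported here should be a few seconds at most.
$skewLine = w32tm /stripchart /computer:$Kdc /samples:1 /dataonly | Select-Object -Last 1
Write-Host "[1] Clock offset vs ${Kdc}: $skewLine"

# 2. AllowTgtSessionKey. Spark can only reuse the Windows logon TGT if the LSA exports
#    the session key; this DWORD must be 1 (documented registry value).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$allow  = (Get-ItemProperty -Path $lsaKey -Name AllowTgtSessionKey -ErrorAction SilentlyContinue).AllowTgtSessionKey
if ($allow -eq 1) { Write-Host '[2] AllowTgtSessionKey = 1 (ok)' }
else { Write-Warning '[2] AllowTgtSessionKey is missing or 0; Spark cannot read the TGT session key' }

# 3. Firewall. The XMPP client port on the Openfire server must be reachable.
$tcp = Test-NetConnection -ComputerName $XmppHost -Port 5222 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) { Write-Host "[3] TCP 5222 to $XmppHost reachable" }
else { Write-Warning "[3] TCP 5222 to $XmppHost blocked or Openfire not listening" }

# 4. Keytab/SPN. kinit from Openfire's own JRE must obtain a ticket using only the keytab.
#    "New ticket is stored in cache file" means keytab and SPN agree; a KDC error means they do not.
$kinit = Join-Path $JreBin 'kinit.exe'
$out   = & $kinit -k -t $Keytab -p $Principal 2>&1
if ($LASTEXITCODE -eq 0 -and ($out -match 'New ticket is stored')) { Write-Host '[4] keytab ok' }
else { Write-Warning "[4] kinit failed:`n$($out -join "`n")" }
```

Before running step 4 against the first post's files, note that its krb.ini sets default_realm to coeorg.NET while the [realms] entry and the principal use COEORG.NET; Kerberos realm names are case-sensitive, so these must agree. The section header should also read [domain_realm], not [domain_realms], and map coeorg.net rather than domain.com.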