Hello. I’m having trouble with SSO Kerberos authentication. The Openfire server is hosted on Ubuntu 12.04 LTS, DC - WinServer 2008 R2. Clients have WinXP or Win7.
When I try to log in from WinXP I get this error:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]
From Win7:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Illegal key size)]
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121)
at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
Advice: Check everything over in detail for incorrect paths and typos. When I first tried SSO, I had an incorrect file path in the openfire.xml which caused a similar error to the one above! Once spotted and fixed, SSO worked seamlessly.
Check the path of your gss.conf in your openfire.xml in C:\Program Files\Openfire\conf\
Make sure it is as: C:/Program Files/Openfire/conf.gss.conf
You can use any account to connect to AD. I would recommend not using the xmpp-openfire. In my lab I used the default domain administrator. But it only needs to be a user with read rights.
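The path check advised above can be scripted. This is an added example, not part of the original posts or of the Openfire project: it assumes openfire.xml stores the gss.conf location in a `sasl/gssapi/config` element and that gss.conf names the keytab with `keyTab="..."`; `check_sso_paths`, `demo` and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

def check_sso_paths(openfire_xml):
    """Return a list of path problems; an empty list means every path resolves."""
    root = ET.parse(openfire_xml).getroot()
    # Assumed layout: <jive><sasl><gssapi><config>PATH</config></gssapi></sasl></jive>
    node = root.find("./sasl/gssapi/config")
    if node is None or not (node.text or "").strip():
        return ["openfire.xml: no sasl/gssapi/config element"]
    gss_conf = node.text.strip()
    if not os.path.isfile(gss_conf):
        return [f"gss.conf not found at configured path: {gss_conf}"]
    with open(gss_conf, encoding="utf-8") as fh:
        text = fh.read()
    # Krb5LoginModule option keyTab="..." names the keytab the server logs in with
    match = re.search(r'\bkeyTab\s*=\s*"([^"]+)"', text)
    if match is None:
        return ["gss.conf: no keyTab entry"]
    if not os.path.isfile(match.group(1)):
        return [f"keytab not found at configured path: {match.group(1)}"]
    return []

def demo():
    """Build constructed sample files, then check a correct and a mistyped config."""
    with tempfile.TemporaryDirectory() as d:
        keytab = os.path.join(d, "xmpp.keytab")
        gss = os.path.join(d, "gss.conf")
        open(keytab, "wb").close()
        with open(gss, "w", encoding="utf-8") as fh:
            fh.write('com.sun.security.jgss.accept {\n'
                     '  com.sun.security.auth.module.Krb5LoginModule required\n'
                     f'  useKeyTab=true keyTab="{keytab}";\n}};\n')
        results = []
        # Second path carries a constructed typo in the file name
        for path in (gss, os.path.join(d, "gs.conf")):
            xml = os.path.join(d, "openfire.xml")
            with open(xml, "w", encoding="utf-8") as fh:
                fh.write(f"<jive><sasl><gssapi><config>{path}</config>"
                         "</gssapi></sasl></jive>")
            results.append(check_sso_paths(xml))
        return results

if __name__ == "__main__":
    for problems in demo():
        print(problems or "all SSO paths resolve")
```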
When I add a record to the hosts file, SSO starts working. The problem seems to be in the DNS records. Could you please describe all the DNS records you added to get SSO working?
I have this situation: Openfire is installed on Win2008R2 and connects to AD using my account. I can see the domain user accounts from the console. Everything is set up using your instructions, but Spark does not want to connect with SSO; if I enter a password manually, it works.