Openfire & SSO

I have been browsing the forums for the past few days trying to make SSO work with our setup, only to come up empty.

Here is our current setup.

OpenFire 3.7.1 - Server 2008 R2

DC - Server 2008 R2 (2003 R2 functionality)

Spark 2.6.3

I have followed the instructions and redid things a few times just to make sure.

On the DC:

 1. setspn -a xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM xmpp-openfire (success)

 2. ktpass -princ xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM -mapuser xmpp-openfire@corp.int-pop.com -pass * -pType KRB5_NT_PRINCIPAL (success)

On the OpenFire Server:

 1. ktab -k xmpp.keytab -a xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM (success). Tested this with kinit.

 2. Moved the xmpp.keytab to the Resources folder

 3. Created the gss.conf file

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="CORP.INT-POP.COM"
        principal="xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM"
        isInitiator=false
        debug=true;
    };

 4. Added the below to the openfire.xml

    <!-- element names follow Openfire's documented <sasl> SSO settings; the post listed only the values -->
    <sasl>
        <realm>CORP.INT-POP.COM</realm>
        <mechs>GSSAPI</mechs>
        <gssapi>
            <debug>false</debug>
            <config>C:/Program Files (x86)/openfire/conf/gss.conf</config>
        </gssapi>
    </sasl>

 5. Created the krb5.ini file and added it to both server & client (c:/windows)

    [libdefaults]
    default_realm = CORP.INT-POP.COM
    noaddresses = true

    [realms]
    CORP.INT-POP.COM = {
        kdc = corpdc07.corp.int-pop.com
        default_domain = corp.int-pop.com
    }

    # [domain_realm] (singular) is the section Kerberos reads; a [domain_realms] section is silently ignored
    [domain_realm]
    corp.int-pop.com = CORP.INT-POP.COM
    .corp.int-pop.com = CORP.INT-POP.COM

 6. Added the reg on both the server & the client.

No matter what I try I get the following error: "Unable to connect using Single Sign-On. Please check your principal and server settings."

On the Win7 machine the Spark logs show:

Jul 12, 2012 5:46:19 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

And this on the WinXP machine's Spark logs:

Jul 11, 2012 6:27:24 PM org.jivesoftware.spark.util.log.Logwarning

WARNING: Exception in Login:

SASL authentication failed:

– caused by: javax.security.sasl.SaslException:GSS initiate failed [Caused by GSSException: No valid credentials provided(Mechanism level: Server not found in Kerberos database (7))]

I'm not sure what else to do. I think I've tried most everything. Any help would be greatly appreciated.
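Added example, not from this thread or from Openfire: a small reader for the version-0x0502 keytab that ktab writes, plus a helper that lists the kvno values stored for a principal, so the keytab can be checked against the AD account's msDS-KeyVersionNumber before touching the Openfire side (a keytab whose key or kvno no longer matches the account is a common cause of the "Integrity check on decrypted field failed (31)" error). The keytab bytes it builds are constructed test data; the principal name is the one from the post.

```python
import struct
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")  # kvno must equal the AD account's

def build_keytab(entries) -> bytes:
    """Serialise entries as a version-0x0502 keytab (used here only to construct test data)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)        # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                          # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> list:
    """Read every live entry of a 0x0502 keytab; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                                   # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _, _, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        kvno = struct.unpack_from(">I", data, pos + klen)[0] if end - pos - klen >= 4 else vno8
        entries.append(KeytabEntry("/".join(strings[1:]) + "@" + strings[0], kvno, enctype, key))
        pos = end
    return entries

def keytab_kvnos(data: bytes, principal: str) -> list:
    """kvno values held for principal; compare them with the account's msDS-KeyVersionNumber."""
    return [e.kvno for e in parse_keytab(data) if e.principal == principal]
```

Enctype 23 in the test data is RC4-HMAC, the key type ktpass produces on 2008 R2 when no /crypto option is given.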

What's your domain/forest level?

Windows Server 2003 and it’s a child domain right under parent.

I did try to do the KDC part on both, Server 2003 R2 and Server 2008 R2 with the same results.

Has anyone run into this problem and been able to figure it out?

Check this thread:

http://community.igniterealtime.org/message/222939#222939