I have been browsing the forums for the past few days trying to make SSO work with our setup, only to come up empty.
Here is our current setup.
OpenFire 3.7.1 - Server 2008 R2
DC - Server 2008 R2 (2003 R2 functionality)
Spark 2.6.3
I have followed the instructions and redid things a few times just to make sure.
On the DC:
1. setspn -a xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM xmpp-openfire (success)
2. ktpass -princ xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM -mapuser xmpp-openfire@corp.int-pop.com -pass * -pType KRB5_NT_PRINCIPAL (success)
On the OpenFire Server:
1. ktab -k xmpp.keytab -a xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM (success). Tested this with kinit.
- Moved the xmpp.keytab to the Resources folder
- Created the gss.conf file:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files (x86)/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="CORP.INT-POP.COM"
    principal="xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM"
    isInitiator=false
    debug=true;
};
- Added the below to the openfire.xml:
<sasl>
    <realm>CORP.INT-POP.COM</realm>
    <mechs>GSSAPI</mechs>
    <gssapi>
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
        <config>C:/Program Files (x86)/openfire/conf/gss.conf</config>
    </gssapi>
</sasl>
- Created the krb5.ini file and added it to both server & client (c:/windows):
[libdefaults]
    default_realm = CORP.INT-POP.COM
    noaddresses = true
[realms]
    CORP.INT-POP.COM = {
        kdc = corpdc07.corp.int-pop.com
        default_domain = corp.int-pop.com
    }
[domain_realm]
    corp.int-pop.com = CORP.INT-POP.COM
    .corp.int-pop.com = CORP.INT-POP.COM
- Added the reg on both the server & the client.
No matter what I try I get the following error: "Unable to connect using Single Sign-On. Please check your principal and server settings."
On the Win7 machine Spark logs:
Jul 12, 2012 5:46:19 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
And this on the WinXP machine Spark logs:
Jul 11, 2012 6:27:24 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
I'm not sure what else to do. I think I've tried most everything. Any help would be greatly appreciated.
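An added diagnostic, not part of the original post or of Openfire: a small reader for the keytab format written by Java's ktab (the MIT 0x0502 layout) that lists each entry's principal, kvno and enctype, and checks the two things a failing GSSAPI acceptor is usually compared against, namely that the keytab principal matches `principal=` in gss.conf and that its kvno matches the service account's current key version in AD (read from the account's msDS-KeyVersionNumber; passed in here as a constructed number). The sample keytab and kvno values are constructed for illustration.

```python
import struct
def _counted(buf, off):  # 16-bit length-prefixed string at buf[off] -> (text, new offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab, the layout written by MIT krb5 and by Java's ktab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot
            pos -= size
            continue
        body, pos = data[pos:pos + size], pos + size
        realm, off = _counted(body, 2)    # bytes 0-1 hold the component count
        comps = []
        for _ in range(struct.unpack_from(">H", body, 0)[0]):
            comp, off = _counted(body, off)
            comps.append(comp)
        _ntype, ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", body, off)
        off += 13 + keylen                # past fixed fields and key; a trailing 32-bit kvno overrides vno8
        kvno = struct.unpack_from(">I", body, off)[0] if len(body) - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
    return entries

def build_keytab(entries):  # serialise (principal, kvno, enctype, key) tuples in the same layout
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        body = bytearray(struct.pack(">H", name.count("/") + 1))
        for s in [realm] + name.split("/"):
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        body += struct.pack(">IIBHH", 1, 1342111579, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def check_keytab(data, expected_principal, ad_kvno):
    """Findings for an Openfire GSSAPI keytab: principal must match gss.conf, kvno must match AD."""
    found = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    if not found:
        return ["principal %s is not in the keytab" % expected_principal]
    return ["kvno mismatch: keytab %d, AD account %d" % (e["kvno"], ad_kvno)
            for e in found if e["kvno"] != ad_kvno]
SAMPLE = build_keytab([  # constructed sample: the post's principal at kvno 2, RC4-HMAC (enctype 23)
    ("xmpp/jabber01.corp.int-pop.com@CORP.INT-POP.COM", 2, 23, b"\x11" * 16)])
```

Running `check_keytab` on the real xmpp.keytab with the gss.conf principal and the account's current kvno either returns no findings or names the mismatch; an empty principal list means ktab wrote a different name than the one in gss.conf.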