powered by Jive Software

Problem with SSO and Openfire 1.7.1


I have read a lot of message on this forum and I still have SSO issue with Openfire that I can’t resolve.

I tried with both spark and pidgin (winXp) and the problem is the same, when I try to authentificate openfire 3.7.1 (hosted on a winXP SP2 with java 1.6.0_31-b05) returns the following packet :

On server side, nothing is reported in error.log, warn.log and debug.log.

The only thing logged is the following line in info.log :

2012.05.03 10:33:03 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

Openfire window report the following lines :

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Openfire/conf/xmpp.keytab refreshKrb5Config is false principal is xmpp/myserver.mydomain.fr@MYDOMAIN.FR tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal’s key obtained from the keytab

Acquire TGT using AS Exchange

principal is xmpp/myserver.mydomain.fr@MYDOMAIN.FR

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 3E D5 5C 8C FF 4B 45 67 CC DC 57 30 6E 51 FB C2 >…KEg…W0nQ…

Added server’s keyKerberos Principal xmpp/myserver.mydomain.fr@MYDOMAIN.FRKey Version 6key EncryptionKey: keyType=23 keyBytes (hex dump)=

0000: 3E D5 5C 8C FF 4B 45 67 CC DC 57 30 6E 51 FB C2 >…KEg…W0nQ…

  • [Krb5LoginModule] added Krb5Principal xmpp/myserver.mydomain.fr@MYDOMAIN.FR to Subject*

*Commit Succeeded *

I tried with the keytab genereted by ktpass and ktab, problem is still here

I have checked my keytab with the kinit utility (returns no error)

I have double checked my gss.conf and krb5.ini

Time between openfire host and kdc is synchronized

reverse DNS for myserver.mydomain.fr is OK

xmpp.fqdn = myserver.mydomain.fr

sasl.mechs = GSSAPI

sasl.realm = MYDOMAIN.FR

xmpp.domain = myserver.mydomain.fr

My KDC is an AD Controller hosted on win 2k3 server R2

Any help would be greatly appreciated.

Thank you

i posted my notes for getting sso to work. you can look over them here. let me know if you have any questions


Hello and thank you for your answer.

I had already read your notes, I did all the test you did and unfortunately the problem is still here :

  • The server is joined to the domain

  • Reverse DNS is OK (PTR record is created and nslookup return the right server name)

  • SPN is only mapped with one user

  • The kinit test doesn’t return anything

  • krb5.ini seems fine to me and is present in the windows folder of the client and the server :


default_realm = MYDOMAIN.FR



kdc = dc_controler.mydomain.fr

admin_server = dc_controler.mydomain.fr

default_domain = mydomain.fr



mydomain.fr = MYDOMAIN.FR

.mydomain.fr = MYDOMAIN.FR

  • Did the registry edit on the server and the client.

Any idea of what could be wrong ?



Anyone have another idea ?
I can post more information if needed.

Thanks for your help