I have a Windows 2003 Server environment where I have Openfire 3.6.0a installed along with Spark 2.5.8. Openfire is configured to use Active Directory. When I try to connect manually I have no issue. However when I check use SSO it fails after timing out. I have not manually configured any files, other than changing the default port to 9191 for the admin page. Just ran the wizard and installed it.
The weird thing is that it worked twice for me initially. Hours and hours later uninstalling and reinstalling I could never resolve it.
The other weird thing is that I installed the day prior exactly the same way on another server at another location with the same exact setup and it works flawlessly.
I have read wiki and discussion group searches on this issue until I’m blue in the face but I can’t get over the fact that it works flawlessly at one location and not the other and even at that location it worked TWICE initially.
Ok I had not seen your article. However before I check all those things I say again, I did not do ANYTHING other than go through the install wizard on our own in-house office server/client and it works perfectly every time.
No keytab was created, no registry setting was modified and no krb5.ini installed. Nothing. Just click on SSO and it works…perfectly.
In fact the setup that does NOT work has the openfire server using the FQDN whereas the one that does has just the server name itself! Very odd.
I must add that if I have to add/change something on every client, that is not good. It should just work.
There is little chance that spark just works with SSO without doing what I suggested. It is more likely that the password has been stored locally for the user. You can check this by opening the user’s home directory, open the spark folder, then edit the spark.properties file. If there is a password there then you are not really using SSO.
And have you copied all the files to the appropriate places on the openfire server and the client machines and made the appropriate registry edits at both locations?
The krb5.ini needs to be in the root of the windows directory of both the client and server. I did not modify the server registry. If you want to, this is the proper string for it:
Ok placing the ini file on the root did not resolve the issue.
However I have noticed something odd. When I tried to reinstall the openfire server and use ‘xmpp’ as the admin instead of ‘openfire’, xmpp failed when testing on the ‘Test Settings’ connection in the wizard. So I reset the password on xmpp account and then retested and it worked. Finished the wizard and then ran openfire server. Logged into the server console with no issues. Then I realized spark SSO still didn’t work and recreated the keytab file and it still failed.
For the heck of it just a second ago I tried to just login to spark WITH a password and it failed. Soooo I tried to login to the openfire console and it failed. So I uninstalled the openfire server, reinstalled and boom ‘xmpp’ user failed on the connection screen again. It seems that the keytab generation CHANGES the xmpp user’s password or otherwise disallows it from being used by openfire.
So does or does not the openfire admin need to be the same user? Very confusing.
Ok on that first setup screen it has a box that says Domain: (yet the question mark help popup says that the server hostname should be listed) I have always just put ‘techlinkserver’
I'm around, but not as often as I used to be. I don't work with windows, so I'm not much of an expert here. I wrote the SSO stuff with my knowledge of Kerberos, and since AD uses Kerberos it became possible to do it on AD. But it certainly isn't easy.
From what I read here, the client is not choosing the GSSAPI method for authentication. This can be for any number of reasons, so a few things I want to know:
What version of Spark are you using?
Does Spark generate any output in its log files? (we might want to turn debugging on to get more)
What is the output from the server right BEFORE the client sends the auth packet? (it should say what mechanisms the server supports, we want GSSAPI in that list)
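The check asked for in the post above (is GSSAPI in the mechanism list the server advertises before the client authenticates), as an added example that is not part of the original thread. The two stanzas are constructed samples, not captures from this server, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample <stream:features> fragments (not taken from the thread).
FEATURES_WITH_GSSAPI = (
    '<stream:features>'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism>'
    '</mechanisms></stream:features>'
)
FEATURES_WITHOUT_GSSAPI = (
    '<stream:features>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism>'
    '</mechanisms></stream:features>'
)

def offered_sasl_mechanisms(features_xml):
    """Return the SASL mechanism names listed in a <stream:features> fragment."""
    # A fragment copied out of a debug window normally lacks the xmlns:stream
    # declaration (it lives on the opening <stream:stream> tag), so wrap it in
    # a root element that declares the prefix before parsing.
    wrapped = '<wrap xmlns:stream="%s">%s</wrap>' % (STREAM_NS, features_xml)
    root = ET.fromstring(wrapped)
    names = []
    for mech in root.iter("{%s}mechanism" % SASL_NS):
        name = (mech.text or "").strip()
        if name and name not in names:
            names.append(name)
    return names

def sso_negotiable(features_xml):
    """Return (ok, mechanisms); ok is True only when GSSAPI is advertised."""
    mechs = offered_sasl_mechanisms(features_xml)
    return ("GSSAPI" in mechs, mechs)

if __name__ == "__main__":
    for label, stanza in (("with", FEATURES_WITH_GSSAPI),
                          ("without", FEATURES_WITHOUT_GSSAPI)):
        ok, mechs = sso_negotiable(stanza)
        print(label, "GSSAPI offered:", ok, "mechanisms:", mechs)
```

If the result is False, the server side is where to look first; if it is True and SSO still fails, the client is declining a mechanism the server did offer.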
java.lang.NullPointerException
at org.jivesoftware.smack.XMPPConnection.createPacketCollector(XMPPConnection.java:758)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:51)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:217)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Nov 17, 2008 3:19:55 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
java.lang.NullPointerException
at org.jivesoftware.smack.XMPPConnection.createPacketCollector(XMPPConnection.java:758)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:51)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Spark Output.log:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is Thomas@TECHLINK.LOCAL
Commit Succeeded
As far as output on the server, where exactly do you mean?