Hi all… we've got a strange problem with SSO and can't seem to get it to work… except for one user account on one box. It seems I can only get SSO to work when I log onto the Openfire server itself as jadmin (jadmin is both a domain administrator and an Openfire administrator account). When I log into the Openfire server desktop and launch Spark 2.5.3 with SSO, it works. However, when I log onto any other box (workstation, other servers) using the jadmin domain administrator account, SSO does not work. I'm thinking there is something seriously wrong with my setup. Might it have something to do with the fact my JIDs are user@mydomain.com while my internal fqdn is different?
I've read the following posts and tried to understand them as best as I could:
http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos
http://www.igniterealtime.org/forum/thread.jspa?threadID=26606&tstart=375
http://www.igniterealtime.org/forum/thread.jspa?messageID=148242𤌒
I am not using the startup BAT files referenced in one of the posts, should I be? I'm also not sure if I need SRV records or how to go about ensuring they are correct.
Here's our setup:
- Openfire 3.3.1 on Windows Server 2003 SP2 domain member, host name: jhost.mydomain.NET
- Openfire configured Server Name: jabber.mydomain.COM
- Spark 2.5.3 client on Windows Server 2003 SP2 Terminal Server (domain member)
- Openfire using LDAP to Active Directory
- Openfire running as Windows service under domain account: mydomain.net\openfire
- Openfire host server and all client machines have JRE 6 installed with JCE
- Created keytab file using ktpass util, version 5.2.3790.3959:
  ktpass -princ xmpp/jhost.mydomain.net@MYDOMAIN.NET -mapuser openfire@mydomain.net -pass xxxxxxxx -out jabber.keytab
- Is the WARNING and KRB5_NT_UNKNOWN normal?:
  Targeting domain controller: kdcserv.mydomain.net
  Using legacy password setting method
  Successfully mapped xmpp/jhost.mydomain.net to openfire.
  WARNING: pType and account type do not match. This might cause problems.
  Key created.
  Output keytab to jabber.keytab:
  Keytab version: 0x502
  keysize 81 xmpp/jhost.mydomain.net@MYDOMAIN.NET ptype 0 (KRB5_NT_UNKNOWN) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0x16e4e111f29a8fa04d8bf546fafe5919)
- When I run "klist tickets" I see (not xmpp/jhost.mydomain.net?):
  Server: host/jhost.mydomain.net@MYDOMAIN.NET
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 6/17/2007 3:16:13
  Renew Time: 6/17/2007 3:16:13
- Created PTR record for jhost.mydomain.net in DNS
- Set "openfire" domain account to "User cannot change password"
- Set "openfire" to enable "Password never expires"
- Set "openfire" to enable "Use DES encryption types for this account"
- Set "openfire" delegation to "Trust this user for delegation to any service (Kerberos only)"
- After running ktpass, "openfire" account "User logon name" was set to: xmpp/jhost.mydomain.net
- I checked NTFS file perms for "openfire" domain account access to jabber.keytab file on Openfire host and they're good
- I updated the registry on the spark terminal server: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters allowtgtsessionkey (1)
- Here is my gss.conf file (the curly quotes have been replaced with plain ASCII quotes, which is what the JAAS config parser expects):
  com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="C:/Program Files/Openfire/conf/jabber.keytab" doNotPrompt=true useKeyTab=true realm="MYDOMAIN.NET" principal="xmpp/jhost.mydomain.net@MYDOMAIN.NET" debug=true; };
- I added the
- And still, I can use SSO with the jadmin user account if I log directly into the host running Openfire and launch spark from there. Oddly enough though, SSO does not work on the same host using a typical domain user account.
- On any host I can still log in with jadmin or any standard domain user by using spark and standard username/password entry.