Spark 2.5.5 SSO Wildfire all on Windows hosts

Hello all,

First off, I have read the discussion here: http://www.igniterealtime.org/community/thread/26839?start=30&tstart=0

I am trying to get SSO to work.

I am close to getting this to work,

Spark launches and attempts to authenticate but fails with: Unable to connect with Single Sign-On. Please check your principal and server settings.

Spark 2.5.5 on Windows XP

Openfire 3.3.2 on Windows 2003 box with a hostname of jabber.

Domain of d3.main.com.

I have a few questions to clarify.

I created a user called xmpp on the domain…is this correct? Domain user or local (to the Openfire box) user?

My syntax for running klist on the domain controller is as follows:

klist /princ xmpp/jabber.D3.MAIN.COM@D3.MAIN.COM /pass domainAdminsPassword /mapuser xmpp /out jabberKeytab.keytab

I get the following when I run the command above: WARNING: pType and account do not match. This might cause some problems.

Key Created.

does this look correct?

do I use the domain admins password?

do I need to start Openfire using the xmpp account?

does xmpp account need to be domain or local account and does it need to belong to administrator?

Thanks for any advice.

I was just about to post an “I can’t get SSO to work” thread as well.

> I created a user called xmpp on the domain…is this correct?

I don’t think it matters what the username is, as long as it’s consistent, but it should be a domain account not a local one.

> does this look correct?

> do I use the domain admins password?

The same as I did, yes - except I used the password for the ‘xmpp’ account.

> do I need to start Openfire using the xmpp account?

Yes.

How’s the rest of your config - the openfire.xml and gss.conf?

( http://wiki.igniterealtime.org/display/WILDFIRE/ConfiguringOpenfirefor+Kerberos )

Try this command instead:

ktpass /princ xmpp/jabber.D3.MAIN.COM@D3.MAIN.COM /pass * /mapuser xmpp@D3.MAIN.COM /out jabberKeytab.keytab

Thanks a lot,

I tried that and am still getting the same warning.

WARNING: pType and account do not match. This might cause some problems.

key created.

keytab version:0x502

keysize 79 user/host.domain@domain pType 0 (KRB5_NT_UNKNOWN) vno 2 etype 0x17 (RC4-HMAC) keylength 16

Thanks.

I would question the account you are trying to map the keytab to then. I am assuming your personal account is a domain admin? You are trying to create the keytab on your PDC? You are running all the latest patches on the PDC? If so then I would recommend that you delete and recreate the account.

Hi,

thanks again.

I am creating the keytab as a domain admin on the domain controller that is up to date on patches.

I have already deleted and recreated the xmpp account, since earlier I tried creating a user called xmpp locally to the jabber server.

xmpp is now a domain user with full rights to the openfire/resources directory.

The ktpass command syntax has me questioning myself.

I am using the user xmpp as a principal and mapping that principal to the user xmpp.

Does this sound correct or do I need 2 users in AD and create a principal for user1 and map this principal to user2?

Also, I have read that Win2k and Win2k3 generate different pTypes by default; if I don't specify a specific pType perhaps this is causing the problem?

Thanks.

No, you only need 1 AD user. But the Openfire server must also be known to AD (i.e. bound or manually added into DNS).

So let's break down the keytab command:

ktpass /princ xmpp/jabber.D3.MAIN.COM@D3.MAIN.COM /pass * /mapuser xmpp@D3.MAIN.COM /out jabberKeytab.keytab

In xmpp/jabber.D3.MAIN.COM@D3.MAIN.COM, jabber.D3.MAIN.COM should be the fully qualified domain name of the chat server (a ping should resolve it). The @D3.MAIN.COM is just redundantly stating the domain it is found in.

/pass * will cause a prompt for the username authentication of the keytab mapuser

/mapuser xmpp@D3.MAIN.COM is your ad user that the /pass password is associated to (very circular I’m sorry).

the rest is the name of the file you have created.

Very good detailed description. Thanks for that.

I have resolved the "pType and account do not match" warning.

I had to specify the pType using the -ptype flag: -ptype KRB5_NT_PRINCIPAL

The keytab generates correctly without warnings or errors.

I am assuming this is the key type Openfire requires?

I get no errors when I run Spark aside from the <error code="401" type="AUTH"> stanza.

and the “Unable to connect using Single Sign-on. Please check your principal and server settings.”

Still can't auth using SSO.

Getting close, Thanks!
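For anyone who wants to see what ktpass actually wrote before handing the file to Openfire, here is an added example (not code from this thread, Openfire or Spark) that parses the version 0x502 keytab format ktpass reports above and prints the same fields as its summary line (principal, pType, vno, etype). It flags pType 0 (KRB5_NT_UNKNOWN), which is the keytab ktpass emits the "pType and account do not match" warning for. The SPN and realm are the thread's (xmpp/jabber.D3.MAIN.COM@D3.MAIN.COM); the key bytes, kvno and the keytab blobs are constructed inline so the script runs offline.

```python
"""Parse and sanity-check a Kerberos keytab in the 0x502 format ktpass writes.

Added example, not code from the thread, Openfire or Spark. The SPN/realm
are the thread's; the key bytes and kvno below are made up for the demo.
"""
import struct

KRB5_NT_UNKNOWN = 0      # what ktpass writes when /ptype is omitted on some DCs
KRB5_NT_PRINCIPAL = 1    # what /ptype KRB5_NT_PRINCIPAL produces
RC4_HMAC = 23            # etype 0x17 in the ktpass summary line
ETYPES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}


def _octets(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_octets(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_entry(principal: str, realm: str, name_type: int, kvno: int,
                etype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Encode one 0x502 keytab entry (the layout ktpass writes)."""
    comps = principal.split("/")           # "xmpp/jabber.D3.MAIN.COM" -> 2 components
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for comp in comps:
        body += _octets(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", etype) + _octets(key)
    body += struct.pack(">I", kvno)         # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(*entries: bytes) -> bytes:
    return b"\x05\x02" + b"".join(entries)


def parse_keytab(blob: bytes) -> list:
    """Return one dict per entry: principal, realm, name_type, kvno, etype, key."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                        # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_octets(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(blob, pos)
            comps.append(comp.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_octets(blob, pos)
        kvno = vno8
        if end - pos >= 4:                  # 32-bit kvno present after the key
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "etype": etype, "key": key})
    return entries


def check_keytab(blob: bytes, spn: str, realm: str) -> list:
    """Return a list of problems; an empty list means the keytab looks usable."""
    problems = []
    matches = [e for e in parse_keytab(blob)
               if e["principal"] == spn and e["realm"] == realm]
    if not matches:
        return [f"no entry for {spn}@{realm}"]
    for e in matches:
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append(
                f"pType {e['name_type']} is not KRB5_NT_PRINCIPAL; this is the keytab "
                "ktpass warns 'pType and account do not match' about, regenerate it "
                "with /ptype KRB5_NT_PRINCIPAL")
        if e["etype"] == RC4_HMAC:
            problems.append("etype RC4-HMAC: the key is the account's NT password hash; "
                            "prefer an AES etype where the DC supports it")
    return problems


if __name__ == "__main__":
    key = bytes(range(16))                  # constructed dummy key, never use a real one here
    spn, realm = "xmpp/jabber.D3.MAIN.COM", "D3.MAIN.COM"
    bad = build_keytab(build_entry(spn, realm, KRB5_NT_UNKNOWN, 2, RC4_HMAC, key))
    good = build_keytab(build_entry(spn, realm, KRB5_NT_PRINCIPAL, 2, 18, key))
    for label, blob in ("without /ptype", bad), ("with /ptype, AES", good):
        for e in parse_keytab(blob):
            print(label, f"{e['principal']}@{e['realm']}", "pType", e["name_type"],
                  "vno", e["kvno"], "etype", ETYPES.get(e["etype"], e["etype"]))
        print("  problems:", check_keytab(blob, spn, realm) or "none")
```

To check a real file, read it with `open("jabberKeytab.keytab", "rb").read()` and pass it to `check_keytab` with the SPN and realm from your ktpass command; the principal string must match what Openfire's gss.conf names, component for component.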

Did you create the krb5.ini file, and put it on server and client? Configure your gss.conf file? Edit openfire.xml to look at gss.conf?

Refer to the link in your original post for details. Start at page 1. It goes through all my errors getting this configured.

Ahh,

I did everything but the krb5.ini file, do I generate that somehow?

Not sure that step is in the wiki; at home currently so I don't have my work PC to verify this.

Will try this Monday.

Thanks for bearing with me on this.

Graham

You just need the ever powerful notepad to write your file.

Created the krb5.ini file and dropped it on the client in C:\WINDOWS and also on the Jabber server at the same location.

Spark output.txt says:

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Acquire TGT from Cache

Principal is null

null credentials from Ticket Cache

authentication failed

Unable to obtain Princpal Name for authentication

Although Spark will only write this one time and then not rewrite it for each occurrence of this problem, which makes it hard to troubleshoot.

Any more ideas?

The only thing I didn't do was the registry hack (is this required?)

Thanks again.

The registry hack was needed for it to work for me.

Can you post your keytab content? I am not so sure about your keytab being correct either, but the principal could be a red herring; if the krb5.ini is incorrect it may cause that. First eliminate the last known variable and add the reg edits.

From Notepad, one-liner.

Thanks.

E D3.MAIN.COM xmpp jabberNew.D3.MAIN.COM ‚Å ‚ì|fá e)±w Ÿy

The krb5.ini needs to be structured on separate lines.

Here is mine:

[libdefaults]
default_realm = AD.MTSTRAVEL.COM
noaddresses = true

[realms]
AD.MTSTRAVEL.COM = {
kdc = mts1.ad.mtstravel.com
default_domain = ad.mtstravel.com
}
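The "Principal is null / null credentials from Ticket Cache" failure earlier in the thread is what you get when the Java Kerberos code cannot make sense of krb5.ini, so it is worth checking the file's structure before touching Spark. The following is an added example (not code from the thread or the Openfire project) that parses the krb5.ini profile syntax ([section] headers, key = value lines and nested REALM = { ... } blocks) and reports the problems a run-together file produces. The well-formed sample is the krb5.ini posted above; the second sample is the same text with "[realms]" left on the noaddresses line, as it appeared before being split onto separate lines. Both are embedded inline so the script runs offline.

```python
"""Parse and check a krb5.ini/krb5.conf before Spark or Openfire reads it.

Added example, not code from the thread or from Openfire. Sample configs are
the one posted above and a run-together variant of it.
"""
import re

_SECTION = re.compile(r"^\[(\w+)\]$")
_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
_KV = re.compile(r"^(\S+)\s*=\s*(.+)$")


def parse_krb5(text: str) -> dict:
    """Return {section: {key: value or {subkey: value}}}; raise on bad syntax."""
    conf, section, block = {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        if m := _SECTION.match(line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif block is not None and line == "}":
            block = None
        elif section is None:
            raise ValueError(f"line {lineno}: '{line}' is outside any [section]")
        elif m := _OPEN.match(line):              # REALM = {
            block = section.setdefault(m.group(1), {})
        elif m := _KV.match(line):
            (block if block is not None else section)[m.group(1)] = m.group(2).strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse '{line}'")
    if block is not None:
        raise ValueError("unterminated '{' block")
    return conf


def check_krb5(conf: dict) -> list:
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    for sect, items in conf.items():              # values with '[' or '{' mean lines were joined
        for key, val in items.items():
            vals = val.values() if isinstance(val, dict) else [val]
            if any("[" in v or "{" in v for v in vals):
                problems.append(f"[{sect}] {key}: value looks like two lines run together")
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return problems + ["no default_realm in [libdefaults]"]
    if realm != realm.upper():
        problems.append(f"realm {realm} is not upper-case; an AD realm is the upper-cased DNS domain")
    block = conf.get("realms", {}).get(realm)
    if not isinstance(block, dict):
        problems.append(f"realm {realm} has no [realms] block")
    elif "kdc" not in block:
        problems.append(f"[realms] {realm} has no kdc")
    return problems


# Sample 1: the krb5.ini posted above, one statement per line.
WELL_FORMED = """[libdefaults]
default_realm = AD.MTSTRAVEL.COM
noaddresses = true

[realms]
AD.MTSTRAVEL.COM = {
kdc = mts1.ad.mtstravel.com
default_domain = ad.mtstravel.com
}
"""

# Sample 2: the same text with "[realms]" left on the noaddresses line.
RUN_TOGETHER = """[libdefaults]
default_realm = AD.MTSTRAVEL.COM
noaddresses = true [realms]
AD.MTSTRAVEL.COM = {
kdc = mts1.ad.mtstravel.com
default_domain = ad.mtstravel.com
}
"""

if __name__ == "__main__":
    for label, text in ("well-formed", WELL_FORMED), ("run-together", RUN_TOGETHER):
        print(label, "->", check_krb5(parse_krb5(text)) or "no problems")
```

Point it at the real file with `check_krb5(parse_krb5(open(r"C:\WINDOWS\krb5.ini").read()))` on both the client and the Openfire host; the realm in default_realm must match the realm in the ktpass principal exactly, case included.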