Spark / OpenFire SSO failure

In addition to googling for a couple weeks and going through the other SSO forum posts, Here’s some of what I’ve been following to get this off the ground:

http://community.igniterealtime.org/docs/DOC-1102

http://community.igniterealtime.org/docs/DOC-1060

I’m not even close to being an expert on this subject. I do have past experience successfully setting up a Windows clients >> Linux server >> Windows AD/DC SSO system but that was doing AD Kerberos SSO through the web browser for an internal trouble ticket website and did not use Java.

My setup:

-OpenFire 3.7.0 server running on CentOS 5.6 x64

-Authenticating via Kerberos against AD domain at Win2k3 level

-KDC is Win2K8R2 domain controller

-Spark 3.6.0 running on Windows XP SP3 clients

-Server Java:

[root@chat]# java -version

java version “1.6.0_24”

Java™ SE Runtime Environment (build 1.6.0_24-b07)

Java HotSpot™ 64-Bit Server VM (build 19.1-b02, mixed mode)

-Client has Java 6 u 24 as well

-Spark is able to sign in against active directory accounts without a problem when credentials are manually entered. All functions seem to be working fine except SSO.

-Same error seen on all attempts on multiple computers and multiple accounts:

“Unable to connect using Single Sign-on. Please check your principal and server settings.”

Steps I’ve taken:

on KDC >> AD >> create new user “openfire.xmpp”

Enable the account options “Unable to change password”, “Password never expires” and “Does not require Kerberos Preauthentication” on the Account

setspn -A xmpp/chat.mydomain.com@MYDOMAIN.COM openfire.xmpp

Registering ServicePrincipalNames for CN=OPENFIRE XMPP,CN=Users,DC=mydomain,DC=com

xmpp/chat.mydomain.com@MYDOMAIN.COM

Updated object

ktpass -princ xmpp/chat.mydomain.com@MYDOMAIN.COM -mapuser openfire.xmpp@mydomain.com -pass PASSWD -ptype KRB5_NT_PRINCIPAL out xmpp.keytab

Targeting domain controller: myDC.mydomain.com

Successfully mapped xmpp/chat.mydomain.com to openfire.xmpp.

Password succesfully set!

Key created.

Output keytab to xmpp.keytab:

Keytab version: 0x502

keysize 64 xmpp/chat.mydomain.com@MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype

0x17 (RC4-HMAC) keylength 16 (0x8748126ddcdb9fae00e7695759545503)

-copied xmpp.keytab over to the linux OpenFire server into /opt/openfire/resources/

-/opt/openfire/conf/gss.conf contents:

com.sun.security.jgss.accept {

com.sun.security.auth.module.Krb5LoginModule

required

storeKey=true

keyTab=/opt/openfire/resources/xmpp.keytab"

doNotPrompt=true

useKeyTab=true

realm=“MYDOMAIN.COM

principal="xmpp/chat.mydomain.com@MYDOMAIN.COM"

debug=true

};

/opt/openfire/conf/openfire.xml:

9090

9091

en

org.jivesoftware.database.DefaultConnectionProvider

com.mysql.jdbc.Driver

jdbc:mysql://chat.mydomain.com:3306/openfire

root

PASSWD

select 1

true

true

5

25

1.0

true

GSSAPI

MYDOMAIN.COM

true

/opt/openfire/conf/gss.conf

false

Not 100% sure this is even needed on the windows clients, but here’s c:\windows\krb5.ini on the Windows client and the same is in /etc/krb5.conf on the Linux

OpenFire server:

[libdefaults]

default_realm = MYDOMAIN.COM

[realms]

MYDOMAIN.COM = {

kdc = mydc.mydomain.com

kdc = mydc2.mydomain.com

admin_server = mydc.mydomain.com

default_domain = mydomain.com

}

[domain_realms]

mydomain.com = MYDOMAIN.COM

.mydomain.com = MYDOMAIN.COM

from OpenFire server:

[root@chat openfire]# kinit openfire.xmpp

Password for openfire.xmpp@MYDOMAIN.COM:

[root@chat openfire]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: openfire.xmpp@MYDOMAIN.COM

Valid starting Expires Service principal

05/23/11 14:32:24 05/24/11 00:34:04 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM

renew until 05/24/11 14:32:24

Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached

set the following reg key on client and rebooted:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos

Value Name: AllowTGTSessionKey

Value Type: REG_DWORD

Value: 1

-enable SSO in client options and it automatically fills in the correct username/servername but we get "Unable to connect using Single Sign-on. Please check

your principal and server settings." after trying login

-disable SSO in client and try to auth manually using AD credentials and it logs in successfully

-verified is actually auth’ing correctly against AD by trying a bad password and watching it give username/password failure message.

-In Spark SSO tab under advanced connection preferences I have tried file, dns, or manually setting options with same result

-nothing is actually showing up in /opt/openfire/logs/debug.log but the following appears in /opt/openfire/logs/warn.log on every failed SSO login attempt

and only on the SSO attempts:

2011.05.23 14:07:17 Closing connection due to error while processing message: YIIFQwYJKoZIh

vcSAQICAQBuggUyMIIFLqADAgEFoQMCAQ6iBwMFACAAAACjggReYYIEWjCCBFagAwIBBaELGwlDQVZDT y5DT02iITAfoAMCAQChGDAWGwR4bXBwGw5jaGF0LmNhdmNvLmNvbaOCBB0wggQZoAMCARehAwIBBK

KCBAsEggQHrfLY2dZxUeJZUgR+eAbw1Hqy5vmrR0wABWpK0afc8GWLgbzT0uhZVTyZBsAIBadCMAoZdM l8I0D0eDjmcDjU8PhCLNNw3dbSFZLJ8D4j4SCusfMC/mdojb0Txcq4e6Ln1G5KWwlFRZWthjEJxK5

hWNbBDndIXzkgvrv8EmDPbU92dVOOiAh8pwpr8ZRFZ4MI8YehPEUbXGG+6UZVw0a1b1D3nI0MRLffC1k QMxaoJjG4Mku/jkoWJOGLa2YzJrezmeMLnS1rkYAWNSS0o7JsedJXJ6Eddy7YCk8ZDHL8o3UsfCih

FP+ggnKPhE9l5PJtpf9acMqg0PJ27l7nZneo8mMM5N3FCqwOHF58JPvsnK5bnAg8Jfg3VMTo7c7zEi6t rHC4um7WutqtmDCLqkAAXGHpIYAIVy695tX1jZbgBIC30iTAGCBOZLyqb2ejjK4msadC+ag87/dJd

lqks//RZk1TP5isFFwiQZ98onPt26ePLYpb0njCD82yUYOA2qeknflDjLbathhhVTReYNr6yixzvCZ/v 35VGG+Xd8Fj1bG2XEUvBOkpIeyLBrEp9sAnlMpldhT8FyjCBH+EwxvaAqMuQMuKl1eMk95Yc/gFpQ

QCjWYClSm/cX9Ln6NSPcnwUzhEnUmtfnpP3P2f2cJykfJYqjr+z2TXc5Q6P2s5x2ogeDC+CCzzNuJtnW WWTIF4YURqF3Z4aBNATl9dlYVDB2EhVWHXlyO3smm+9xyljCYDBXO6sst06rJPbv9MvelA9ZAiQRN

SL03DVUAvySdH6+iPiLwDd/kiy4Gl9ynjyZIfvm3ZIKj7pMUjrFmatEXPlJkg5yoWYjkeGXosKhm8RVZ 3UGaaa8NYUKRbBzOY4zaf3k9IIIRmLrIP1rA30Gh/LhqmBKE/8xOXu62FX0m6vX3a2kYhizrOwCqR

XoctKM6MWfjK7iCwgvyKhrlThKw4ArYIrjbICyhcieuHQ2Wk4l88cb+Wep27razgE8rXVEkfOn54TJHv JLF7sPSfW5NTm9AHr0pViPKnJxn6wz4JekEBsd/xdYch8q+hTdoSb6t0gPkbp3bGCv5cNNJI/CRFQ

RqMqfFf4j7qH2uYAMNO3C6zeRr5Oum5qKKnJ/9crdw/n869lg9WH/C9j6eHtUbUA0fT6hMOzyXwO/L7T 4H5evhPjkxGsQXdbwiDfDOVsKMTEr5WLyKxJ8PX2Iutux6XxSNg9XUrTK8/FdCPJZpajU7/3rEgAg

80LONXhg75uIuM4UiLAsgdPS+ckGzKcGnKrqLx5JwhGUvpaG+lM2bS4Dw/NTl2tBI00/CgG8UDPVsDnT beJ6exdPk5cFhCwU4QvrN9zn2hHL26OWVfT+GsF97adfdrAEukgbYwgbOgAwIBA6KBqwSBqAmtzoq

aPnSxTmpP4bMtoOnE5toc8UoXTz0NhchBV9f/wkreGer7iiQUJSVkTH4TZXExnMVF9Qa8fRO32ZStMt0 3b6dLiTWizPucXBqsxU8U74E7hIbEpPRKuayMV2lqTpUIYLizSC1vJbS02D7AWPOcLeCswhzjXxJR

7gJiGmHE/d2S5tw9CpfJ32BZbejMG6b1J1wv5HtUl7eRyP/D/5Bc5Nv3WvdcZw==

java.lang.SecurityException: Configuration Error:

Line 5: expected [option key]

at com.sun.security.auth.login.ConfigFile.(Unknown Source)

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)

at java.lang.reflect.Constructor.newInstance(Unknown Source)

at java.lang.Class.newInstance0(Unknown Source)

at java.lang.Class.newInstance(Unknown Source)

at javax.security.auth.login.Configuration$3.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)

at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)

at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.LoginConfigImpl.(Unknown Source)

at sun.security.jgss.GSSUtil.login(Unknown Source)

at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)

at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)

at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)

at sun.security.jgss.GSSCredentialImpl.(Unknown Source)

at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)

at com.sun.security.sasl.gsskerb.GssKrb5Server.(Unknown Source)

at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)

at javax.security.sasl.Sasl.createSaslServer(Unknown Source)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :251)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:179)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:169)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:570)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:58)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:185)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :239)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:283)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)

at java.lang.Thread.run(Unknown Source)

Caused by: java.io.IOException: Configuration Error:

Line 5: expected [option key]

at com.sun.security.auth.login.ConfigFile.match(Unknown Source)

at com.sun.security.auth.login.ConfigFile.parseLoginEntry(Unknown Source)

at com.sun.security.auth.login.ConfigFile.readConfig(Unknown Source)

at com.sun.security.auth.login.ConfigFile.init(Unknown Source)

at com.sun.security.auth.login.ConfigFile.init(Unknown Source)

… 49 more

The user post at http://community.igniterealtime.org/thread/33330 seems to have had similar errors as above with no solution posted.

In Spark debug window we see the following:

Smack Info:

Installed IQ Providers:

org.jivesoftware.phone.client.action.PhoneActionIQProvider

org.jivesoftware.smack.provider.PrivacyProvider

org.jivesoftware.smackx.PrivateDataManager$PrivateDataIQProvider

org.jivesoftware.smackx.bytestreams.ibb.provider.CloseIQProvider

org.jivesoftware.smackx.bytestreams.ibb.provider.DataPacketProvider

org.jivesoftware.smackx.bytestreams.ibb.provider.OpenIQProvider

org.jivesoftware.smackx.bytestreams.socks5.provider.BytestreamsProvider

org.jivesoftware.smackx.packet.LastActivity$Provider

org.jivesoftware.smackx.packet.OfflineMessageRequest$Provider

org.jivesoftware.smackx.packet.SharedGroupsInfo$Provider

org.jivesoftware.smackx.packet.Time

org.jivesoftware.smackx.packet.Version

org.jivesoftware.smackx.provider.AdHocCommandDataProvider

org.jivesoftware.smackx.provider.DiscoverInfoProvider

org.jivesoftware.smackx.provider.DiscoverItemsProvider

org.jivesoftware.smackx.provider.MUCAdminProvider

org.jivesoftware.smackx.provider.MUCOwnerProvider

org.jivesoftware.smackx.provider.StreamInitiationProvider

org.jivesoftware.smackx.provider.VCardProvider

org.jivesoftware.smackx.pubsub.provider.PubSubProvider

org.jivesoftware.smackx.pubsub.provider.PubSubProvider

org.jivesoftware.smackx.search.UserSearch$Provider

org.jivesoftware.smackx.workgroup.ext.forms.WorkgroupForm$InternalProvider

org.jivesoftware.smackx.workgroup.ext.history.AgentChatHistory$InternalProvider

org.jivesoftware.smackx.workgroup.ext.history.ChatMetadata$Provider

org.jivesoftware.smackx.workgroup.ext.macros.Macros$InternalProvider

org.jivesoftware.smackx.workgroup.ext.notes.ChatNotes$Provider

org.jivesoftware.smackx.workgroup.packet.AgentInfo$Provider

org.jivesoftware.smackx.workgroup.packet.AgentStatusRequest$Provider

org.jivesoftware.smackx.workgroup.packet.AgentWorkgroups$Provider

org.jivesoftware.smackx.workgroup.packet.MonitorPacket$InternalProvider

org.jivesoftware.smackx.workgroup.packet.OccupantsInfo$Provider

org.jivesoftware.smackx.workgroup.packet.OfferRequestProvider

org.jivesoftware.smackx.workgroup.packet.OfferRevokeProvider

org.jivesoftware.smackx.workgroup.packet.TranscriptProvider

org.jivesoftware.smackx.workgroup.packet.TranscriptSearch$Provider

org.jivesoftware.smackx.workgroup.packet.TranscriptsProvider

org.jivesoftware.smackx.workgroup.settings.ChatSettings$InternalProvider

org.jivesoftware.smackx.workgroup.settings.GenericSettings$InternalProvider

org.jivesoftware.smackx.workgroup.settings.OfflineSettings$InternalProvider

org.jivesoftware.smackx.workgroup.settings.SearchSettings$InternalProvider

org.jivesoftware.smackx.workgroup.settings.SoundSettings$InternalProvider

org.jivesoftware.smackx.workgroup.settings.WorkgroupProperties$InternalProvider

Installed Extension Providers:

org.jivesoftware.phone.client.event.PhoneEventPacketExtensionProvider

org.jivesoftware.smackx.GroupChatInvitation$Provider

org.jivesoftware.smackx.bytestreams.ibb.provider.DataPacketProvider

org.jivesoftware.smackx.packet.AttentionExtension$Provider

org.jivesoftware.smackx.packet.ChatStateExtension$Provider

org.jivesoftware.smackx.packet.ChatStateExtension$Provider

org.jivesoftware.smackx.packet.ChatStateExtension$Provider

org.jivesoftware.smackx.packet.ChatStateExtension$Provider

org.jivesoftware.smackx.packet.ChatStateExtension$Provider

org.jivesoftware.smackx.packet.Nick$Provider

org.jivesoftware.smackx.packet.OfflineMessageInfo$Provider

org.jivesoftware.smackx.provider.AdHocCommandDataProvider$BadActionError

org.jivesoftware.smackx.provider.AdHocCommandDataProvider$BadLocaleError

org.jivesoftware.smackx.provider.AdHocCommandDataProvider$BadPayloadError

org.jivesoftware.smackx.provider.AdHocCommandDataProvider$BadSessionIDError

org.jivesoftware.smackx.provider.AdHocCommandDataProvider$MalformedActionError

org.jivesoftware.smackx.provider.AdHocCommandDataProvider$SessionExpiredError

org.jivesoftware.smackx.provider.DataFormProvider

org.jivesoftware.smackx.provider.DelayInfoProvider

org.jivesoftware.smackx.provider.DelayInformationProvider

org.jivesoftware.smackx.provider.HeaderProvider

org.jivesoftware.smackx.provider.HeadersProvider

org.jivesoftware.smackx.provider.MUCUserProvider

org.jivesoftware.smackx.provider.MessageEventProvider

org.jivesoftware.smackx.provider.MultipleAddressesProvider

org.jivesoftware.smackx.provider.RosterExchangeProvider

org.jivesoftware.smackx.provider.XHTMLExtensionProvider

org.jivesoftware.smackx.pubsub.provider.AffiliationProvider

org.jivesoftware.smackx.pubsub.provider.AffiliationsProvider

org.jivesoftware.smackx.pubsub.provider.ConfigEventProvider

org.jivesoftware.smackx.pubsub.provider.EventProvider

org.jivesoftware.smackx.pubsub.provider.FormNodeProvider

org.jivesoftware.smackx.pubsub.provider.FormNodeProvider

org.jivesoftware.smackx.pubsub.provider.FormNodeProvider

org.jivesoftware.smackx.pubsub.provider.FormNodeProvider

org.jivesoftware.smackx.pubsub.provider.ItemProvider

org.jivesoftware.smackx.pubsub.provider.ItemProvider

org.jivesoftware.smackx.pubsub.provider.ItemsProvider

org.jivesoftware.smackx.pubsub.provider.ItemsProvider

org.jivesoftware.smackx.pubsub.provider.RetractEventProvider

org.jivesoftware.smackx.pubsub.provider.SimpleNodeProvider

org.jivesoftware.smackx.pubsub.provider.SimpleNodeProvider

org.jivesoftware.smackx.pubsub.provider.SimpleNodeProvider

org.jivesoftware.smackx.pubsub.provider.SubscriptionProvider

org.jivesoftware.smackx.pubsub.provider.SubscriptionsProvider

org.jivesoftware.smackx.workgroup.packet.AgentStatus$Provider

org.jivesoftware.smackx.workgroup.packet.MetaDataProvider

org.jivesoftware.smackx.workgroup.packet.QueueDetails$Provider

org.jivesoftware.smackx.workgroup.packet.QueueOverview$Provider

org.jivesoftware.smackx.workgroup.packet.QueueUpdate$Provider

org.jivesoftware.smackx.workgroup.packet.RoomInvitation$Provider

org.jivesoftware.smackx.workgroup.packet.RoomTransfer$Provider

org.jivesoftware.smackx.workgroup.packet.SessionID$Provider

org.jivesoftware.smackx.workgroup.packet.UserID$Provider

org.jivesoftware.smackx.workgroup.packet.WorkgroupInformation$Provider

Connection_1:

Raw Sent Packets:

<stream:stream to=“chat.mydomain.com” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

<stream:stream to=“chat.mydomain.com” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

<auth mechanism=“GSSAPI” xmlns="urn:ietf:params:xml:ns:xmpp-

sasl">YIIFQwYJKoZIhvcSAQICAQBuggUyMIIFLqADAgEFoQMCAQ6iBwMFACAAAACjggReYYIEWjCCBF agAwIBBaELGwlDQVZDTy5DT02iITAfoAMCAQChGDAWGwR4bXBwGw5jaGF0LmNhdmNvLmNvbaOCBB0

wggQZoAMCARehAwIBBKKCBAsEggQHrfLY2dZxUeJZUgR

+eAbw1Hqy5vmrR0wABWpK0afc8GWLgbzT0uhZVTyZBsAIBadCMAoZdMl8I0D0eDjmcDjU8PhCLNNw3db SFZLJ8D4j4SCusfMC/mdojb0Txcq4e6Ln1G5KWwlFRZWthjEJxK5hWNbBDndIXzkgvrv8EmDPbU92

dVOOiAh8pwpr8ZRFZ4MI8YehPEUbXGG+6UZVw0a1b1D3nI0MRLffC1kQMxaoJjG4Mku/jkoWJOGLa2Yz JrezmeMLnS1rkYAWNSS0o7JsedJXJ6Eddy7YCk8ZDHL8o3UsfCihFP

+ggnKPhE9l5PJtpf9acMqg0PJ27l7nZneo8mMM5N3FCqwOHF58JPvsnK5bnAg8Jfg3VMTo7c7zEi6trH C4um7WutqtmDCLqkAAXGHpIYAIVy695tX1jZbgBIC30iTAGCBOZLyqb2ejjK4msadC

+ag87/dJdlqks//RZk1TP5isFFwiQZ98onPt26ePLYpb0njCD82yUYOA2qeknflDjLbathhhVTReYNr6 yixzvCZ/v35VGG+Xd8Fj1bG2XEUvBOkpIeyLBrEp9sAnlMpldhT8FyjCBH

+EwxvaAqMuQMuKl1eMk95Yc/gFpQQCjWYClSm/cX9Ln6NSPcnwUzhEnUmtfnpP3P2f2cJykfJYqjr+z2 TXc5Q6P2s5x2ogeDC+CCzzNuJtnWWWTIF4YURqF3Z4aBNATl9dlYVDB2EhVWHXlyO3smm

+9xyljCYDBXO6sst06rJPbv9MvelA9ZAiQRNSL03DVUAvySdH6+iPiLwDd/kiy4Gl9ynjyZIfvm3ZIKj 7pMUjrFmatEXPlJkg5yoWYjkeGXosKhm8RVZ3UGaaa8NYUKRbBzOY4zaf3k9IIIRmLrIP1rA30Gh/

LhqmBKE/8xOXu62FX0m6vX3a2kYhizrOwCqRXoctKM6MWfjK7iCwgvyKhrlThKw4ArYIrjbICyhcieuH Q2Wk4l88cb

+Wep27razgE8rXVEkfOn54TJHvJLF7sPSfW5NTm9AHr0pViPKnJxn6wz4JekEBsd/xdYch8q

+hTdoSb6t0gPkbp3bGCv5cNNJI/CRFQRqMqfFf4j7qH2uYAMNO3C6zeRr5Oum5qKKnJ/9crdw/n869lg 9WH/C9j6eHtUbUA0fT6hMOzyXwO/L7T4H5evhPjkxGsQXdbwiDfDOVsKMTEr5WLyKxJ8PX2Iutux6

XxSNg9XUrTK8/FdCPJZpajU7/3rEgAg80LONXhg75uIuM4UiLAsgdPS+ckGzKcGnKrqLx5JwhGUvpaG+ lM2bS4Dw/NTl2tBI00/CgG8UDPVsDnTbeJ6exdPk5cFhCwU4QvrN9zn2hHL26OWVfT

+GsF97adfdrAEukgbYwgbOgAwIBA6KBqwSBqAmtzoqaPnSxTmpP4bMtoOnE5toc8UoXTz0NhchBV9f/w kreGer7iiQUJSVkTH4TZXExnMVF9Qa8fRO32ZStMt03b6dLiTWizPucXBqsxU8U74E7hIbEpPRKua

yMV2lqTpUIYLizSC1vJbS02D7AWPOcLeCswhzjXxJR7gJiGmHE/d2S5tw9CpfJ32BZbejMG6b1J1wv5H tUl7eRyP/D/5Bc5Nv3WvdcZw==

</stream:stream>

Raw Received Packets:

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="[http://etherx.jabber.org/streams](http://etherx.jabber.org/streams)" xmlns="jabber:client" from="chat.mydomain.com"

id=“fb0d09c4” xml:lang=“en” version=“1.0”>

stream:features<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-

sasl">GSSAPIzlib<auth

xmlns=“http://jabber.org/features/iq-auth”/></stream:features>

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="[http://etherx.jabber.org/streams](http://etherx.jabber.org/streams)" xmlns="jabber:client" from="chat.mydomain.com"

id=“fb0d09c4” xml:lang=“en” version=“1.0”>stream:features<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-

sasl">GSSAPIzlib<auth

xmlns=“http://jabber.org/features/iq-auth”/></stream:features>

</stream:stream>

To sum up: Openfire works, Spark works, Authentication via AD works, SSO does not work. What am I doing wrong?

Thanks in advance!

Going through the forum posts it seems there are quite a few unanswered SSO threads for this type of setup. Rather than asking you to point out what’s wrong with my attempt, could someone with a similar working setup (Windows AD, OpenFire server on Linux, Spark clients on Windows XP/7) post exactly what steps they went through to get SSO working? The site documents I linked were written in 2007 and perhaps some part of the process outlined may need to be tweaked for changes that have been made since then.

Thanks

I have the same problem but with Openfire 3.6.3 on Server 2003 with Spark 2.6.0 on XP and Windows 7. http://community.igniterealtime.org/thread/44984

Everything was working fine with SSO enabled until I started to test Spark 2.6.0 with Windows 7. At first I thought the problem as Win 7 related but we get the same “check your principle and server” error with 2.6.0 on XP. The only difference I can identify is that 2.5.8 reports the Desktop Account as “USERNAME” in the clients Advanced - SSO tab where as 2.6.0 reports the Desktop Account as “USERNAME@DOMAIN_NAME.LOCAL”.

“Unable to connect using Single Sign-On. Please check your principal and server settings.”

Hello all. I am running into this same issue. After hours of troubleshooting… Bummer too, the Openfire setup and MySQL install with LDAP integration was done in less than 30 minutes. Here are my setup details, I know it is an old post, but if anyone has insight I would appreciate hearing back.

My setup:

-OpenFire server 3.9.3 running on Ubuntu 14.04

  • MySQL 5.6.19

-Authenticating via Kerberos against AD domain at Windows 2008 R2 level. (Forest and Domain are set to 2008 R2)

-KDC is Windows 2012 R2 domain controller

-Spark 2.6.3 running on Windows 7 x64

-Server Java:

java version “1.7.0_65”

OpenJDK Runtime Environment (IcedTea 2.5.3) (7u71-2.5.3-0ubuntu0.14.04.1)

OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

Here are the articles and blog posts I am following to complete setup:

Openfire: Enable Single Sign On (SSO) on Linux - Spiceworks

SSO Configuration

Install Spark XMPP client and deploy its settings (inc.SSO) with a group policy - Spiceworks

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

Initial Kerberos testing checks out on the Ubuntu sever. I am able to see cached tickets.

I mapped the spn using ktpass from the domain controller, but also used it to export the keytab file:

ktpass -princ xmpp/openfireserver.domain.local@INTERNALDOMAIN.LOCAL -mapuser xmpp-openfire@DOMAIN.LOCAL -pass * -ptype KRB5_NT_PRINCIPAL -out c:\xmpp.keytab -crypto all

After copying the keytab file to the ubuntu server I used the following command to test it:

kinit -k -t xmpp.keytab xmpp/openfireserver.domain.local@INTERNALDOMAIN.LOCAL

I am suspicious of the domain functional level and supported authentication mechanisms by Openfire server… However the documentation around the SSO configuration doesn’t seem to mention it. There are multiple blog posts that mention Openfire supports only “older” authentication encryption methods and you might see this break after server 2003 functional level… However the kind sir that started this post seems to be running 2003.

Anyhow, I’m about to give up after about 16 hours of trying. A shame… The new vCenter appliance has a “wizard” for SSO… You manually create the SPN, but after completing the wizard it is up and running in just a few minutes. Put it on the openfire server development request list I guess.

Ps… After downloading the Java jce_policy-6 files and moving local_policy.jar and US_export_policy.jar to the …\Spark\jre\lib\security folder I had the same error. But when I tried the jce_policy-7 and jce_policy-8 files during troubleshooting the error would never come up. Authentication would just hang until Spark was closed with Task Manager.

Adam Tyler

atyler@lifeflight.org

maybe this can help u…

Spark SSO Configuration

if your domain level is 2008r2 or higher, then try this

ktpass -princ xmpp/server.domain.local@DOMAIN.LOCAL -mapuser keytab@domain.local -pass * -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly -out jabber.keytab

This will prob fail the kinit test, but thats ok. try it in your resource folder anyway.

Spark, thanks for your link. I did run across this myself while troubleshooting, but running with elevated rights didn’t seem to help me. The English in the posts is pretty broken and lacking detail, but from what I could gather all that was recommended was to right click Spark and choose run as administrator.

speedy, thanks for your reply! Cool to know there are others out there looking at this stuff. I will try issuing the keytab file in this alternative method. I will say that using the “ktutil” utility to “list” the current keytab file, I get the following output:

1 5 xmpp/lfnopenfire.domain.local@DOMAIN.LOCAL

2 5 xmpp/lfnopenfire.domain.local@DOMAIN.LOCAL

3 5 xmpp/lfnopenfire.domain.local@DOMAIN.LOCAL

4 5 xmpp/lfnopenfire.domain.local@DOMAIN.LOCAL

5 5 xmpp/lfnopenfire.domain.local@DOMAIN.LOCAL

I will post the ktutil output and results after trying your suggestion. I’m a total noob at this, thanks for your help.

Ok, so the keytab file got creating using your suggested command. Here was the output:


Targeting domain controller: DC01.domain.local

Using legacy password setting method

Successfully mapped xmpp/lfnopenfire.domain.local to xmpp-openfire.

Type the password for xmpp/lfnopenfire.domain.local:

Type the password again to confirm:

Key created.

Output keytab to c:\xmpp.keytab:

Keytab version: 0x502

keysize 77 xmpp/lfnopenfire.domain.local@DOMAIN.LOCAL ptype 1 (KRB5_NT_P

RINCIPAL) vno 6 etype 0x3 (DES-CBC-MD5) keylength 8 (0x40f7b32908fe8670)

Account xmpp-openfire has been set for DES-only encryption.

ktutil output:

1 6 xmpp/lfnopenfire.domain.local@DOMAIN.LOCAL

Unfortunately I seem to be getting the same behavior / error. I will keep playing with it and let you know if anything changes.

you may try switching from openjdk to Oracle Java. All my experience is with a full windows environment.

speedy, thanks for the reply. Yes, I am on a different platform Ubuntu Server. Looks like the version of Java I am using is:

java version “1.7.0_65”

OpenJDK Runtime Environment (IcedTea 2.5.3) (7u71-2.5.3-0ubuntu0.14.04.1)

OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

I’m actually a total noob at Linux and have a stronger windows background. I installed Java with a simple apt-get command, but based on the version info it looks like I already have the OpenJDK build?

with linux, I don’t think I’ll be much help. maybe someone will be able to jump in and give you some guidance.

My configuration is Openfire (UBUNTU), AD (W2008R2), Spark (W7Pro in ‘company.local’ domain) and have experienced the same issue with SSO logon. After many hours I was really close to give up, then I have set an openfire system parameter {xmpp.domain} to the same value as kerberos realm ‘company.local’ and {xmpp.fqdn} to jabber.company.com (provided in DNS SRV and PTR records) that was enough to fix a SSO logon issues.

If you are not able to logon to admin console after parameters change followed by openfire reload, then you might have repeat an openfire setup with correct values (XMPP Domain and FQDN) set as described above.

In my setup I have not attached Linux (openfire) server to AD domain, only transferred keytab file from KDC (W2008R2) to Linux host.

Did you find a solution to your problem?
I´ve the same and can´t get my error.

SSO Spark login non-authorized(401)