I seem to have encountered a bit of trouble while getting the SSO to work with Active Directory. I have gotten the LDAP integration piece setup on the openfire side - however, it seems that along the way something may have broken with the spark client authentication with AD.
On my machine, I am able to connect my user - without any trouble. On another machine, I am also able to connect under my profile, provided I copy over the spark.properties file into my users profile\Spark directory.
My ability to successfully create further spark.properties files which connect using SSO seems limited. That is, if I edit the file and remove the password=ENCRYPTEDSTUFFHERE entry, then I will no longer be able to use SSO.
It’s as if the ability for the spark client to connect and re-create this information has been disabled.
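The post above turns on what is (and is not) in the spark.properties file: a cached password= entry that keeps logins working versus a genuine SSO login. The following is an added example, not code from this thread or from the Spark project; it parses the Java .properties format the file uses (key=value, '#'/'!' comment lines, backslash continuations) and reports, from a defender's point of view, whether a client is carrying a cached credential on disk and whether its logins are likely succeeding via that cache rather than via SSO. The key names password and ssoEnabled, and the sample file contents, are assumptions made for the example.

```python
"""Audit a Spark client's spark.properties for a cached credential.

Added example (not from the thread or the Spark project). Reads the Java
.properties format and tells you whether the file stores a password entry
and whether SSO is flagged on. The key names 'password' and 'ssoEnabled'
are assumed; check them against the file on a real client.
"""
import re

# Constructed sample in the shape the thread describes; the value is made up.
SAMPLE_PROPERTIES = """\
# Spark client settings (constructed sample)
username=jdoe
server=chat.example.com
password=ENCRYPTEDSTUFFHERE
ssoEnabled=true
autoLogin=true
"""

_KEY_RE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties reader: returns a dict of key -> value.

    Handles '#' and '!' comment lines and backslash line continuations
    (an odd number of trailing backslashes joins the next line, whose
    leading whitespace is dropped, as the format specifies).
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        stripped = line.rstrip("\\")
        if (len(line) - len(stripped)) % 2 == 1:
            pending = stripped
            continue
        m = _KEY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Classify the client's login posture from its settings.

    A cached password means a credential sits at rest on the workstation;
    if SSO is also flagged on, successful logins may be coming from the
    cache rather than from SSO, which masks a broken SSO setup until the
    cache is removed (exactly what the thread reports).
    """
    sso = props.get("ssoEnabled", "false").lower() == "true"
    cached = bool(props.get("password", ""))
    return {
        "sso_enabled": sso,
        "cached_password": cached,
        "login_likely_via_cache": sso and cached,
    }


def strip_cached_password(text):
    """Return the file text with the password entry removed.

    Mirrors the manual edit from the thread. Limitation: a password value
    spread over continuation lines is not handled; the first line only
    is dropped.
    """
    kept = []
    for raw in text.splitlines():
        m = re.match(r"\s*([^=:\s]+)", raw)
        if m and m.group(1) == "password":
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    before = audit(parse_properties(SAMPLE_PROPERTIES))
    after = audit(parse_properties(strip_cached_password(SAMPLE_PROPERTIES)))
    print("before:", before)
    print("after: ", after)
```

Run it against a real client by reading the user's profile\Spark\spark.properties into parse_properties instead of SAMPLE_PROPERTIES; a client that reports login_likely_via_cache is one whose SSO has not actually been exercised yet, and the 401 only shows up once the cache is gone.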
True. I was able to enable SSO (I did the openfire setup part too) prior to attempting the LDAP integration. It did work.
However, since I have rerun the setup to get the LDAP piece working, it seems to have lost the ability to authenticate using SSO. If I give it my password, all is well. I’m just not sure where to look to get the SSO going again.
Turns out the very first logon must be provided by the user. I was thinking it could grab the information from the current windows session…but it cannot.
Not true at all. The first login can be via SSO if it is working correctly. All my machines are configured to have spark login via SSO regardless of who logs into the computer. If a new user logs in it still uses SSO because the spark settings for that are in the default user’s profile.
I have been completely unable to get SSO to work at all with providing the initial logon. See here for details:
Once I did provide the initial logon, and toggled the SSO on, I then logged off, changed my password on the DC, logged in with new password - and authenticated with SSO, just fine.
So - the question I have is…if SSO is broken on my setup, how did Spark learn about the password change?
And the follow up to that is…if my SSO is gimpy (which it appears to be) what do the 401 errors indicate, and how do I fix it?
And finally, what do I need to provide in the default users profile to allow SSO to work for new users?
It seems to work for me. I haven’t messed with it too much lately. I was waiting to see if there was more information about the particular requirements to get a machine to work via the Default User settings - before I got back to this.
Also, I need to verify the Registry settings for WinXP SP3 machines - to allow the SSO.
When I removed the cached password from the spark.properties file, my SSO is very broken. Which is to say, I don’t think it is really working at all.
Still get 401 errors.
Updated openfire to 3.6.4 this morning. Cleared out logs on server and my machine.
Logon attempt is barely noticed in the server logs, only reporting in the debug log:
2009.05.04 08:21:13 000776 (01/05/00) - Connection #5 tested: OK
2009.05.04 08:21:13 000777 (01/05/00) - Connection #5 tested: OK
Locally, my spark debug log provides a little more information:
May 4, 2009 8:21:13 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
This is pretty much where I’ve been for a week or so. This is also where I am confused about ‘Single’ sign-on vs. ‘No’ sign-on. That is, if I give my client a chance to cache the password - then change my password on the server…logon and off my machine…I do not have to update Spark. But I have not been able to logon with the SSO checkbox checked - without providing at least 1 valid logon attempt to Spark. Otherwise, it’s all about the 401 error above.
I’d love to figure this one out. Thanks for any help anyone can provide.