I have scoured the internet and have read almost every post about getting Spark's SSO feature to work, and I must be close, but I am not quite there. I am at the point where LDAP on the Openfire server is working 100%: I can log in with my Windows user account credentials without SSO just fine. When I run Spark as administrator, and only when I run it as administrator, Spark actually says it will attempt to connect using my Windows credentials with SSO rather than "Spark is unable to find the principal to use for Single Sign-On. This will prevent SSO from working." It seems that Openfire is configured to use GSSAPI just fine, as when I run Spark as admin and try to connect I get an error after my client tries to send some sort of long key for GSSAPI. Here is what is in my Smack debug window for Raw Sent Packets:
So apparently I am "not authorized"; I'm not sure why this would be. It may also be worth pointing out that I am trying to log on with an account that is an admin on the server. In the Openfire logs I get this error at Info level: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context
I’m not sure if anything else in the logs is relevant as nothing mentions anything of any errors or login failures. For reference I have provided the layout of what my krb5 file looks like:
Obviously, this is located in C:\Windows, and I have made the changes to the registry on both the client machine and the server. Please let me know if I was unclear about anything above; I will do my best to get you the information you require to help me in debugging this. Thanks in advance.
This is prob an issue with your keytab file. A few quick questions: what version of Java are you using on both the client and Openfire? And what is your domain level?
I am running Version 8 update 60 on both the client and Openfire server machines (both 32-bit). The server is running on Windows Server 2008 R2, but the domain level is 2003. Also, is there any way to test the keytab file after creation to ensure it worked?
Which guide did you use for creating your keytab? If you are using the DES encryption type, this could be your problem, as Java 8 disables the use of this by default. You can enable it by adding allow_weak_crypto=true to your krb5.ini file to allow DES.
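One way to answer the question above about checking a keytab after it has been created, as an added example that is not part of the original thread and not Openfire or Spark code: parse the keytab file format (version 0x0502, the layout written by both MIT ktutil and the Java ktab tool) and list every entry's principal, key version number and encryption type, flagging single-DES keys, which Java 8 refuses without allow_weak_crypto, and RC4 keys, which are only needed for Windows 2003/XP era systems. The keytab bytes are constructed in memory so the script runs offline; the principal xmpp/openfire.example.com@EXAMPLE.COM and the realm are placeholders, not values from the thread.

```python
"""Inspect a keytab and flag encryption types that break or weaken GSSAPI.

Added example for this thread; not code from the original posts or from
Openfire/Spark. The sample keytab below is constructed in memory, and the
principal xmpp/openfire.example.com@EXAMPLE.COM is a placeholder.
"""
import struct

# Encryption type numbers from RFC 3961 / RFC 4757 (a subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}    # single DES: disabled by default in Java 8
LEGACY_ENCTYPES = {23}       # RC4: only needed for Windows 2003 / XP clients


def _read_cstr(data, off):
    """Read a counted_octet_string: uint16 big-endian length, then the bytes."""
    (length,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + length], off + length


def parse_keytab(data):
    """Return the entries of a version 0x0502 keytab as a list of dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab: %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_cstr(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_cstr(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno, authoritative when non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "timestamp": timestamp, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "keylen": len(key),
            "weak": enctype in WEAK_ENCTYPES, "legacy": enctype in LEGACY_ENCTYPES,
        })
    return entries


def audit_keytab(data, expected_principal):
    """Return (entries, findings): things that would stop or weaken SSO."""
    entries = parse_keytab(data)
    findings = []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append("no key for expected principal %s" % expected_principal)
    for e in entries:
        if e["weak"]:
            findings.append("%s kvno %d uses weak enctype %s (Java 8 rejects it "
                            "unless allow_weak_crypto=true)" % (e["principal"], e["kvno"], e["enctype_name"]))
        elif e["legacy"]:
            findings.append("%s kvno %d uses legacy enctype %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    kvnos = {e["kvno"] for e in entries}
    if len(kvnos) > 1:               # keys from different resets: the old ones are stale
        findings.append("mixed kvno values %s: keytab may be stale" % sorted(kvnos))
    return entries, findings


def _cstr(b):
    return struct.pack(">H", len(b)) + b


def build_entry(realm, components, kvno, enctype, key, timestamp=1440000000):
    """Serialise one keytab entry (name_type 1 = KRB5_NT_PRINCIPAL); used to construct the sample."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    for c in components:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a DES key, a deleted slot, and an AES-256 key for the same SPN.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("EXAMPLE.COM", ["xmpp", "openfire.example.com"], 5, 3, b"\x11" * 8)
    + struct.pack(">i", -6) + b"\x00" * 6
    + build_entry("EXAMPLE.COM", ["xmpp", "openfire.example.com"], 5, 18, b"\x22" * 32)
)

if __name__ == "__main__":
    entries, findings = audit_keytab(SAMPLE_KEYTAB, "xmpp/openfire.example.com@EXAMPLE.COM")
    for e in entries:
        print("%(principal)s kvno=%(kvno)d %(enctype_name)s (%(keylen)d-byte key)" % e)
    for f in findings:
        print("WARNING:", f)
```

Point `parse_keytab` at the bytes of a real keytab (`open(path, "rb").read()`) to see which encryption types the tool that generated it actually wrote; a keytab holding only DES keys explains the "Failure to initialize security context" symptom on Java 8 without any registry or PTR change, while a kvno that no longer matches the account in AD shows up as a stale-key finding once the keytab is regenerated.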
I have read mostly every guide I could find on here, the main one was:
But I also read yours as well as a few others. The current keytab file was created using the methods outlined in that link above, specifically with Java. I am not using DES encryption, but I did try adding allow_weak_crypto=true to both my client and Openfire krb5 files to see if that works, and it, unfortunately, did not.
Try downgrading the Java that Openfire uses to 7u79 or lower. There was another issue with SSO and Java 8, but I'm unsure if the fix made it into the latest version.
Just replaced Java with version 7 update 79 and restarted the server. Is there any other configuration I would have to do to accommodate the different version of Java? If not, I am still not having any luck with SSO: same errors in the Smack debug window.
The kdc is indeed the FQDN of my domain controller, sorry for the poor wording. Also, something I want to point out is that I misspelled "domain" in my krb file when I posted this topic; that has since been fixed.
The next thing to do is to make sure you have your reverse DNS (PTR) record set up correctly. An easy way to test this is to disable the reverse DNS check by Kerberos by adding
Should this be added to libdefaults on both the client and Openfire krb5? Everything is looking the same in the logs after I made this change. There is a chance my PTR record is not set up properly; I am working on this with a team and was not the one to do the PTR record.
If I remember correctly, it just has to be added on the client, but it shouldn't hurt if you add it to both client and server.
If that doesn't work, then my next step would be to recreate your keytab file. If that fails, then I would delete the SPN account used and start from scratch. Try using the document I referenced. I've been able to get SSO working almost every time I've implemented it. If you're still having problems, send me a private message and I'll see if I can't help you figure it out.
I've been having the same issues you reported in this post. Were you able to get the SSO working, and did you find the solution to your issue?
The update would be much appreciated. I'm having an extremely difficult time setting up the SSO. I have followed the same PDF that you used for a "step by step".
That PDF is outdated, and DES should not be used, as it's considered a weak cipher. RC4 will prob be deprecated soon, but is required if you still have Windows 2003/XP. If you made the GPO changes referenced in the PDF, you may want to revert them to disable DES.
The author of the PDF you referenced has created another great document. You could give that one a go.
28 Steps to Single Sign On for Openfire XMPP Server on Windows Server 2012 R2 with Spark
Unfortunately Michael, no, I have not gotten SSO to work under any circumstances. At this point we may just deploy without it, because we have spent a bit more time getting SSO to work than we would have liked. I may give this PDF a read and try once more, as I see it was posted just 2 days ago and most other methods I have tried are years old.