SSO Config Issues

Chris_Stone2 · August 21, 2008, 2:10pm

Hello, I’ve spent many hours trying to get SSO working for us… We have AD (Server 2008) with our Openfire server on a separate server. I’ve followed multiple different “howto’s”, but never seem to get anywhere. It seems like it’s ALMOST working, but failing near the end. When running Spark I get the following:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

I did some digging using FileMonNT, and found that neither the gss.conf file we created NOR the keytab are ever read by Openfire. I’ve tested this both when starting the application (either as an app or a service) and when trying to log in. It never attempts to read the files.

In openfire.xml: (I’ve tried using Program Files and progra~1)

GSSAPI SAU56.LOCAL true C:/progra~1/Openfire/conf/gss.conf false

In gss.conf:

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:/progra~1/Openfire/conf/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="SAU56.LOCAL"
principal="xmpp/openfire.sau56.local@SAU56.LOCAL"
debug=true;
};

Any thoughts? I’m completely lost. Attached is my full openfire.xml file.

Thanks much,

Chris Stone

SAU56 School District

Chris_Stone2 · August 21, 2008, 2:12pm

Forgot to add… I also get no errors or warnings in the log files.

Jason_L · August 21, 2008, 5:46pm

have you added the approprate registry keys for your clients to allow java to get a tgt key? I can’t find the link right off but if you haven’t done that then I will try to find it.

Chris_Stone2 · August 21, 2008, 5:47pm

I have added the registry keys on both the server and on the clients I’ve tested.

Thanks for the reply,

Chris

Jason_L · August 21, 2008, 7:48pm

you have one in quotes but you are using a shortened name for both. why not try the full path in quotes:

“C:/program files/Openfire/conf/gss.conf”

Chris_Stone2 · August 21, 2008, 8:33pm

I’ve tried every combination I could think of: with or without quotes, with forward or backward slashes, short names or long names… And everything I do seems to give the same result, and every time filemonNT never once ports an attempt to access any “gss.conf” file. Have also tried the nightly build, same issue. >.<

Chris

NO_MESSAGES_OR_FRIEN · August 21, 2008, 8:58pm

Did you look at this: http://www.igniterealtime.org/community/docs/DOC-1554

Chris_Stone2 · August 21, 2008, 9:01pm

Yep, I used that when I was configuring LDAP. Everything works perfect with LDAP/AD integration, all the users show up correctly and can log in using their AD username and password, but the SSO still doesn’t work. =/

I’m considering just scrapping the current install and trying via Linux. (It’s living on a VM anyways.)

Chris

NO_MESSAGES_OR_FRIEN · August 21, 2008, 10:23pm

I have some other guides I could provide but they are for windows openfire installs.

NO_MESSAGES_OR_FRIEN · August 22, 2008, 1:22pm

I have created this document based on what worked for me: http://www.igniterealtime.org/community/docs/DOC-1616