SSO Config Issues

Hello, I’ve spent many hours trying to get SSO working for us… We have AD (Server 2008) with our Openfire server on a separate server. I’ve followed multiple different “how-tos”, but never seem to get anywhere. It seems like it’s ALMOST working, but failing near the end. When running Spark I get the following:

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]

I did some digging using FileMonNT, and found that neither the gss.conf file we created NOR the keytab are ever read by Openfire. I’ve tested this both when starting the application (either as an app or a service) and when trying to log in. It never attempts to read the files.

In openfire.xml: (I’ve tried using Program Files and progra~1)

    <sasl>
      <mechs>GSSAPI</mechs>
      <realm>SAU56.LOCAL</realm>
      <gssapi>
        <debug>true</debug>
        <config>C:/progra~1/Openfire/conf/gss.conf</config>
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
      </gssapi>
    </sasl>

In gss.conf:

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule
            required
            storeKey=true
            keyTab="C:/progra~1/Openfire/conf/xmpp.keytab"
            doNotPrompt=true
            useKeyTab=true
            realm="SAU56.LOCAL"
            principal="xmpp/openfire.sau56.local@SAU56.LOCAL"
            debug=true;
    };

Any thoughts? I’m completely lost. Attached is my full openfire.xml file.

Thanks much,

Chris Stone

SAU56 School District

Forgot to add… I also get no errors or warnings in the log files.
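The “Integrity check on decrypted field failed (31)” text in the first post is what Java reports when the service ticket cannot be decrypted with the key it found in the keytab, so the keytab itself is worth inspecting. The following is an added example and not part of this thread: a small parser for the MIT keytab format that lists the principals, key version numbers (kvno) and encryption types a keytab holds, so they can be compared with the principal in gss.conf and the account’s current kvno in AD. The keytab bytes are constructed here for the demo; `build_keytab`, `parse_keytab` and `check_keytab` are names chosen for this example.

```python
import struct

# Principal taken from the gss.conf in the post above; the key bytes below are constructed.
PRINCIPAL = "xmpp/openfire.sau56.local@SAU56.LOCAL"
ENCTYPE_RC4_HMAC = 23  # enctype number that ktpass emits for /crypto RC4-HMAC-NT

def _octets(s):
    return struct.pack(">H", len(s)) + s  # counted octet string: uint16 length + bytes

def _read_octets(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(principal, kvno, enctype, key, timestamp=0):
    """Build a one-entry MIT keytab (format 0x0502) of the kind ktpass/ktutil write."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)                          # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry; deleted slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                     # a negative size marks a deleted entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        _nt, _ts, kvno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        (enctype,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        _key, pos = _read_octets(data, pos)   # key material is not needed for the check
        if end - pos >= 4:               # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def check_keytab(data, principal):
    """(kvno, enctype) pairs the keytab holds for `principal`; an empty list means the SPN is missing."""
    return [(k, e) for p, k, e in parse_keytab(data) if p == principal]
```

Run it against the real file with `check_keytab(open(path, "rb").read(), PRINCIPAL)`: a missing principal, or a kvno that is behind the one AD shows for the service account (the account’s password was reset after ktpass ran), both produce the error above.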

Have you added the appropriate registry keys for your clients to allow Java to get a TGT key? I can’t find the link right off, but if you haven’t done that then I will try to find it.

I have added the registry keys on both the server and on the clients I’ve tested.

Thanks for the reply,

Chris

You have one in quotes but you are using a shortened name for both. Why not try the full path in quotes:

“C:/program files/Openfire/conf/gss.conf”

I’ve tried every combination I could think of: with or without quotes, with forward or backward slashes, short names or long names… And everything I do seems to give the same result, and every time FileMonNT never once reports an attempt to access any “gss.conf” file. Have also tried the nightly build, same issue. >.<

Chris

Did you look at this: http://www.igniterealtime.org/community/docs/DOC-1554

Yep, I used that when I was configuring LDAP. Everything works perfectly with LDAP/AD integration, all the users show up correctly and can log in using their AD username and password, but the SSO still doesn’t work. =/

I’m considering just scrapping the current install and trying via Linux. (It’s living on a VM anyways.)

Chris

I have some other guides I could provide, but they are for Windows Openfire installs.

I have created this document based on what worked for me: http://www.igniterealtime.org/community/docs/DOC-1616