For the sake of perspective, we had SSO working on Red Hat Linux. Due to some performance problems, we decided to switch to Windows (It’s a long story…). All told, the OpenFire Jabber service has been pretty solid right out of the box. Even with really high load and no connection manager (yet), it performs very well.
For the sake of paranoia, I’ve obfuscated a few values in the sections below.
domain.com == The Active Directory domain name. (lowercase)
DOMAIN.COM == The realm. (uppercase)
nerfherder == The sAMAccountName in the Active Directory domain.
Authentication via username/password for matching accounts in Active Directory works. Flip the bit for SSO via GSSAPI in Spark and a login error is generated. It should be noted that there are no errors or warnings in the server logs. I think
I’m hoping that the information below will provide a good jumping off point to determine the problem. Thank you very much in advance for anyone who has taken the time to review my configuration and help troubleshoot.
General Config
Server OS: Windows Server 2003 R2 Standard x64 SP2
OpenFire Version: 3.3.3
Spark Version: 2.5.7
JVM Version and Vendor: 1.6.0_01 Sun Microsystems Inc. – Java HotSpot™ Server VM
Database and Version: HSQL Database Engine 1.8.0
Directory Server (LDAP): Active Directory
Client registry settings: (set via group policy)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x00000001
Spark Client Debug:
IQ Sent:
<iq id="51cD7-0" type="get">
<query xmlns="jabber:iq:auth">
<username>nerfherder</username>
</query>
</iq>
IQ Sent:
<iq id="51cD7-1" type="set">
<query xmlns="jabber:iq:auth">
<username>nerfherder</username>
<password></password>
<resource>spark</resource>
</query>
</iq>
IQ Received:
<iq id="51cD7-0" type="result">
<query xmlns="jabber:iq:auth">
<username>nerfherder</username>
<password></password>
<resource></resource>
</query>
</iq>
IQ Received:
<iq id="51cD7-1" to="domain.com/2a79ce33" type="error">
<query xmlns="jabber:iq:auth">
<username>nerfherder</username>
<password></password>
<resource>spark</resource>
</query>
<error code="401" type="AUTH">
<not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"></not-authorized>
</error>
</iq>
Presence Sent:
<presence id="51cD7-2" type="unavailable"></presence>
Relevant Spark errors.log entry:
Oct 16, 2007 4:27:31 PM org.jivesoftware.spark.util.log.Log error
SEVERE: No response from the server.: at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverItems(ServiceDiscoveryManager.java:457)
at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverItems(ServiceDiscoveryManager.java:426)
at org.jivesoftware.spark.SessionManager.discoverItems(SessionManager.java:86)
at org.jivesoftware.spark.SessionManager.initializeSession(SessionManager.java:74)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:831)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Output for creating the SPN:
C:\>ktpass -princ XMPP/im-4101.domain.com@DOMAIN.COM -mapuser xmpp-im-4101@domain.com -out im-4101.keytab -pass *
Targeting domain controller: dc-1.domain.com
Successfully mapped XMPP/im-4101.domain.com to xmpp-im-4101.
Type the password for XMPP/im-4101.domain.com:
Type the password again to confirm:
Key created.
Output keytab to im-4101.keytab:
Keytab version: 0x502
keysize 69 XMPP/im-4101.domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 20 etype 0x3 (DES-CBC-MD5) keylength 8 (0x89adec4ff897cefd)
Account xmpp-im-4101 has been set for DES-only encryption.
Verified that the SPN is in the directory:
C:\>setspn -L xmpp-im-4101
Registered ServicePrincipalNames for CN=xmpp-im-4101,OU=Service Accounts,DC=domain,DC=com:
XMPP/im-4101.domain.com
The contents of the gssapi.conf file on the server:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="E:/Openfire/conf/im-4101.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.COM"
    principal="XMPP/im-4101.domain.com@DOMAIN.COM"
    debug=true;
};
Relevant bits of the openfire.xml file on the server:
<?xml version="1.0" encoding="UTF-8"?>
<jive>
...
<provider>
    <vcard>
        <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
    </vcard>
    <user>
        <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
        <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <group>
        <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
    </group>
    <authorization>
        <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</classList>
    </authorization>
</provider>
...
<sasl>
    <mechs>GSSAPI,PLAIN</mechs>
    <realm>DOMAIN.COM</realm>
    <gssapi>
        <debug>true</debug>
        <config>E:/openfire/conf/gssapi.conf</config>
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
</sasl>
</jive>
C:\WINDOWS\krb5.ini on the server:
[libdefaults]
default_realm = DOMAIN.COM
noaddresses = true
[realms]
DOMAIN.COM = {
kdc = dc-1.domain.com
default_domain = domain.com
}
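As an added example (not part of the original post or of Openfire), here is a small Python check that cross-references the four pieces of configuration shown above: the JAAS entry in gssapi.conf, the <sasl> block of openfire.xml, krb5.ini and the principal/enctype line ktpass printed. It flags realm or principal mismatches between the files and warns when the keytab was written with a single-DES enctype. The sample inputs are constructed from the values in the post; the key value in the ktpass line is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the post's files (the hex key value is a placeholder, not a real key).
GSSAPI_CONF = """com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true keyTab="E:/Openfire/conf/im-4101.keytab" doNotPrompt=true
  useKeyTab=true realm="DOMAIN.COM" principal="XMPP/im-4101.domain.com@DOMAIN.COM" debug=true;
};"""
OPENFIRE_XML = ("<jive><sasl><mechs>GSSAPI,PLAIN</mechs><realm>DOMAIN.COM</realm>"
                "<gssapi><debug>true</debug></gssapi></sasl></jive>")
KRB5_INI = "[libdefaults]\ndefault_realm = DOMAIN.COM\n[realms]\nDOMAIN.COM = {\n  kdc = dc-1.domain.com\n}\n"
KTPASS_LINE = ("keysize 69 XMPP/im-4101.domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) "
               "vno 20 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0000000000000000)")

def parse_jaas_options(text):
    """Return the key=value options of a JAAS login-module entry, quotes stripped."""
    return dict(re.findall(r'(\w+)="?([^"\s;]+)"?', text))

def parse_ktpass_key_line(line):
    """Extract (principal, enctype name) from ktpass's 'keysize ...' output line."""
    m = re.search(r'keysize\s+\d+\s+(\S+)\s.*etype\s+0x[0-9a-f]+\s+\(([^)]+)\)', line, re.I)
    return (m.group(1), m.group(2)) if m else (None, None)

def check_sso_config(gssapi_conf, openfire_xml, krb5_ini, ktpass_line):
    """Cross-check realm, principal, keytab and mechanism settings; return a list of findings."""
    findings = []
    jaas = parse_jaas_options(gssapi_conf)
    realm, principal = jaas.get("realm", ""), jaas.get("principal", "")
    sasl = ET.fromstring(openfire_xml).find("sasl")
    xml_realm = sasl.findtext("realm")
    kt_principal, enctype = parse_ktpass_key_line(ktpass_line)
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_ini, re.M)
    krb5_realm = m.group(1) if m else None
    if "GSSAPI" not in sasl.findtext("mechs", "").split(","):
        findings.append("GSSAPI is not listed in <sasl><mechs>")
    if realm != realm.upper():  # Kerberos realms are conventionally uppercase
        findings.append(f"realm {realm!r} is not uppercase")
    if not principal.endswith("@" + realm):
        findings.append(f"principal {principal!r} is not in realm {realm!r}")
    if xml_realm != realm:
        findings.append(f"openfire.xml realm {xml_realm!r} != gssapi.conf realm {realm!r}")
    if krb5_realm != realm:
        findings.append(f"krb5.ini default_realm {krb5_realm!r} != gssapi.conf realm {realm!r}")
    if kt_principal != principal:
        findings.append(f"keytab principal {kt_principal!r} != gssapi.conf principal {principal!r}")
    if enctype and enctype.upper().startswith("DES-"):  # single DES, not DES3
        findings.append(f"keytab enctype {enctype} is single DES, which modern Kerberos disables by default")
    return findings
```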