
SSO configuration for Windows 2003 and Active Directory

For the sake of perspective, we had SSO working on Red Hat Linux. Due to some performance problems, we decided to switch to Windows (It’s a long story…). All told, the OpenFire Jabber service has been pretty solid right out of the box. Even with really high load and no connection manager (yet), it performs very well.

For the sake of paranoia, I’ve obfuscated a few values in the sections below.
domain.com == The Active Directory domain name. (lowercase)
DOMAIN.COM == The realm. (uppercase)
nerfherder == The sAMAccountName in the Active Directory domain.

Authentication via username/password for matching accounts in Active Directory works. Flip the bit for SSO via GSSAPI in Spark and a login error is generated. It should be noted that there are no errors or warnings in the server logs. I think

I’m hoping that the information below will provide a good jumping off point to determine the problem. Thank you very much in advance for anyone who has taken the time to review my configuration and help troubleshoot.

General Config

Server OS: Windows Server 2003 R2 Standard x64 SP2

OpenFire Version: 3.3.3

Spark Version: 2.5.7

JVM Version and Vendor: 1.6.0_01 Sun Microsystems Inc. – Java HotSpot™ Server VM

Database and Version: HSQL Database Engine 1.8.0

Directory Server (LDAP): Active Directory

Client registry settings: (set via group policy)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x00000001

Spark Client Debug:

IQ Sent:
<iq id="51cD7-0" type="get">
  <query xmlns="jabber:iq:auth">
    <username>nerfherder</username>
  </query>
</iq>

IQ Sent:
<iq id="51cD7-1" type="set">
  <query xmlns="jabber:iq:auth">
    <username>nerfherder</username>
    <password></password>
    <resource>spark</resource>
  </query>
</iq>

IQ Received:
<iq id="51cD7-0" type="result">
  <query xmlns="jabber:iq:auth">
    <username>nerfherder</username>
    <password></password>
    <resource></resource>
  </query>
</iq>

IQ Received:
<iq id="51cD7-1" to="domain.com/2a79ce33" type="error">
  <query xmlns="jabber:iq:auth">
    <username>nerfherder</username>
    <password></password>
    <resource>spark</resource>
  </query>
  <error code="401" type="AUTH">
    <not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"></not-authorized>
  </error>
</iq>

Presence Sent:
<presence id="51cD7-2" type="unavailable"></presence>

Relevant Spark errors.log entry:

Oct 16, 2007 4:27:31 PM org.jivesoftware.spark.util.log.Log error
SEVERE: No response from the server.:
     at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverItems(ServiceDiscoveryManager.java:457)
     at org.jivesoftware.smackx.ServiceDiscoveryManager.discoverItems(ServiceDiscoveryManager.java:426)
     at org.jivesoftware.spark.SessionManager.discoverItems(SessionManager.java:86)
     at org.jivesoftware.spark.SessionManager.initializeSession(SessionManager.java:74)
     at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:831)
     at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
     at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
     at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
     at java.lang.Thread.run(Unknown Source)

Output for creating the SPN:

C:\>ktpass -princ XMPP/im-4101.domain.com@DOMAIN.COM -mapuser xmpp-im-4101@domain.com -out im-4101.keytab -pass *
Targeting domain controller: dc-1.domain.com
Successfully mapped XMPP/im-4101.domain.com to xmpp-im-4101.
Type the password for XMPP/im-4101.domain.com:
Type the password again to confirm:
Key created.
Output keytab to im-4101.keytab:
Keytab version: 0x502
keysize 69 XMPP/im-4101.domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 20 etype 0x3 (DES-CBC-MD5) keylength 8 (0x89adec4ff897cefd)
Account xmpp-im-4101 has been set for DES-only encryption.

Verified that the SPN is in the directory:

C:\>setspn -L xmpp-im-4101
Registered ServicePrincipalNames for CN=xmpp-im-4101,OU=Service Accounts,DC=domain,DC=com:
    XMPP/im-4101.domain.com

The contents of the gssapi.conf file on the server:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="E:/Openfire/conf/im-4101.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.COM"
    principal="XMPP/im-4101.domain.com@DOMAIN.COM"
    debug=true;
};

Relevant bits of the openfire.xml file on the server:

<?xml version="1.0" encoding="UTF-8"?>
<jive>
...
  <provider>
    <vcard>
      <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
    </vcard>
    <user>
      <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <group>
      <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
    </group>
    <authorization>
      <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</classList>
    </authorization>
  </provider>
...
  <sasl>
    <mechs>GSSAPI,PLAIN</mechs>
    <realm>DOMAIN.COM</realm>
    <gssapi>
      <debug>true</debug>
      <config>E:/openfire/conf/gssapi.conf</config>
      <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
  </sasl>
</jive>

C:\WINDOWS\krb5.ini on the server:

[libdefaults]
default_realm = DOMAIN.COM
noaddresses = true

[realms]
DOMAIN.COM = {
     kdc = dc-1.domain.com
     default_domain = domain.com
}

It looks like you have things set up correctly. In the Spark debug you skipped the first few bits from the server, which advertise which SASL mechanisms are allowed. Spark went ahead with an IQ auth, which means it doesn't think any of the advertised SASL mechs can be used. Since you have PLAIN in the list in the server config, I'm not sure the server is advertising things correctly. Can you double check that?

Here are the raw sent/received results of the Spark client debug. The advertised SASL mechanisms (GSSAPI and PLAIN) do come through in the received packets.

In the Smack debug window, the All Packets tab only lists IQ messages I previously posted. There is nothing in the Ad-hoc message or Information tabs. Perhaps Spark is configured incorrectly?

Raw Sent Packets:

<stream:stream to="im-4101.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls>
<stream:stream to="domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<iq id="W6BT5-0" type="get"><query xmlns="jabber:iq:auth"><username>nerfherder</username></query></iq>
<iq id="W6BT5-1" type="set"><query xmlns="jabber:iq:auth"><username>nerfherder</username><password></password><resource>spark</resource></query></iq>

Raw Received Packets:

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="d2145458" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">
<required></required></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"></proceed>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="d2145458" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"></auth></stream:features>
<iq type="result" id="W6BT5-0"><query xmlns="jabber:iq:auth"><username>nerfherder</username><password></password><resource></resource></query></iq>
<iq type="error" id="W6BT5-1" to="domain.com/d2145458"><query xmlns="jabber:iq:auth"><username>nerfherder</username><password></password><resource>spark</resource></query><error code="401" type="auth"><not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"></not-authorized></error></iq>

I have experienced intermittent issues w/ SSO and Spark 2.5.7. Have you tried using SSO on previous versions of Spark? Try 2.5.6 if not and see if that works for you. I do have Win 2k3 w/ AD set up on Openfire 3.3.1 and I know it can work without any issues.

What client computer operating system are you using? I wonder if it won't work when it is not a domain-joined Windows box.

IIRC the Spark 2.5.6 client msi has a corrupt cab file included.

The client computer is WinXP Professional SP2. Also, all of the computers involved are joined to the same domain.

I’ve tried the previously known good 2.5.5 client and get the same error code. There are no errors in the Spark errors.log. Here is the information from the Spark 2.5.5 Smack debug window:

Spark Client Debug:

IQ Sent:
<iq id="IUX9z-0" type="get">
  <query xmlns="jabber:iq:auth">
    <username>nerfherder</username>
  </query>
</iq>

IQ Sent:
<iq id="IUX9z-1" type="set">
  <query xmlns="jabber:iq:auth">
    <username>nerfherder</username>
    <password></password>
    <resource>spark</resource>
  </query>
</iq>

IQ Received:
<iq id="IUX9z-0" type="result">
  <query xmlns="jabber:iq:auth">
    <username>nerfherder</username>
    <password></password>
    <resource></resource>
  </query>
</iq>

IQ Received:
<iq id="IUX9z-1" to="domain.com/d61fc0b0" type="error">
  <query xmlns="jabber:iq:auth">
    <username>nerfherder</username>
    <password></password>
    <resource>spark</resource>
  </query>
  <error code="401" type="AUTH">
    <not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"></not-authorized>
  </error>
</iq>

Raw Sent Packets:

<stream:stream to="im-4101.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls>
<stream:stream to="domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<iq id="IUX9z-0" type="get"><query xmlns="jabber:iq:auth"><username>nerfherder</username></query></iq>
<iq id="IUX9z-1" type="set"><query xmlns="jabber:iq:auth"><username>nerfherder</username><password></password><resource>spark</resource></query></iq>

Raw Received Packets:

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="d61fc0b0" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">
<required></required></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"></proceed>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="d61fc0b0" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"></auth></stream:features>
<iq type="result" id="IUX9z-0"><query xmlns="jabber:iq:auth"><username>nerfherder</username><password></password><resource></resource></query></iq>
<iq type="error" id="IUX9z-1" to="domain.com/d61fc0b0"><query xmlns="jabber:iq:auth"><username>nerfherder</username><password></password><resource>spark</resource></query><error code="401" type="auth"><not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"></not-authorized></error></iq>

I’ve done some packet traces between Spark v2.5.7 and Openfire v3.4.1. After turning off SSL and looking at port 88, I found that Spark and the Openfire server are communicating via XML. However, the server ultimately responds with “not-authorized”. I’ve included the XML traffic in the packet trace and (new for v3.4.1?) warn.log exception error.

I’ve gone through the Configuring Openfire for Use with Kerberos doc troubleshooting steps and verified that the SPN matches DNS. Also the name and IP in DNS work for forward and reverse lookups.

What else can I look at to further debug the issue?

Again, I’ve obfuscated the domain and auth string. The auth string is the same length as the original and was sent across 2 packets. This is all ostensibly what is in the Smack debug window for raw sent/received packets.

[CLIENT -> SERVER]
<stream:stream to="im-4101.domain.com" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="e228b990" xml:lang="en" version="1.0">

[SERVER -> CLIENT]
<stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"></auth></stream:features>

[CLIENT -> SERVER]
<auth mechanism="GSSAPI" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
[base64 GSSAPI token, obfuscated by the poster as a run of "x" characters of the same length as the original, sent across two packets]
</auth>

[SERVER -> CLIENT]
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized></not-authorized></failure>

Here is a (new for v3.4.1?) entry in the Openfire warn.log (nothing new in the error.log) for the SSO attempt:

2007.11.05 08:48:40 SaslException
javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)]
     at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
     at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
     at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
     at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:211)
     at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
     at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
     at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
     at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
     at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:162)
     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
     at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:240)
     at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:284)
     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
     at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
     at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
     at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
     at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
     ... 20 more

Here is the relevant bit from the Spark warn.log (nothing new in the error.log) for the SSO attempt:

Nov 5, 2007 8:48:43 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
     at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
     at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
     at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
     at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
     at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
     at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
     at java.lang.Thread.run(Unknown Source)

It looks like the client is all good. It's sending a GSSAPI token to the server; it just appears that the server doesn't quite know how to handle things. Is there anything in the stdout log for Openfire? Java's Kerberos debug output goes in there; it might give some more clues.

I restarted the service to get a fresh stdout.log and attempted an SSO authentication via Spark v2.5.7. Here are the contents of the file:

Openfire 3.4.1 [Nov 8, 2007 7:47:05 AM]
Admin console listening at:
  http://domain.com:9090
  https://domain.com:9091
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is E:/Openfire/conf/xmpp-im-4101.domain.com.keytab refreshKrb5Config is false principal is xmpp/im-4101.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/im-4101.domain.com@DOMAIN.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 6D 1D AE AB 04 2B 37 1A   D5 A1 A9 D3 8A F0 36 D9  m....+7.......6. EncryptionKey: keyType=3 keyBytes (hex dump)=0000: B6 E0 B6 1C 52 26 BC DF   EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B6 E0 B6 1C 52 26 BC DF   Added server's keyKerberos Principal xmpp/im-4101.domain.com@DOMAIN.COMKey Version 2key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 6D 1D AE AB 04 2B 37 1A   D5 A1 A9 D3 8A F0 36 D9  m....+7.......6.           [Krb5LoginModule] added Krb5Principal  xmpp/im-4101.domain.com@DOMAIN.COM to Subject
Added server's keyKerberos Principal xmpp/im-4101.domain.com@DOMAIN.COMKey Version 2key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: B6 E0 B6 1C 52 26 BC DF             [Krb5LoginModule] added Krb5Principal  xmpp/im-4101.domain.com@DOMAIN.COM to Subject
Added server's keyKerberos Principal xmpp/im-4101.domain.com@DOMAIN.COMKey Version 2key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: B6 E0 B6 1C 52 26 BC DF             [Krb5LoginModule] added Krb5Principal  xmpp/im-4101.domain.com@DOMAIN.COM to Subject
Commit Succeeded

FYI, this was ultimately traced to a DNS problem. Forward and reverse DNS must agree for the server running OpenFire. Needless to say, DNS at my company is complicated. The only real difference with the server is it’s running 3.4.1 and built fresh from the ground up following the Installation Guide and SSO Configuration documents. The only minor deviation was creating the service principal in Active Directory and associated keytab file. These deviations were minor, specific to our environment, and not germane to the way Kerberos works.

Below is an example from the logs of a successful SSO authentication. There are no new entries in the Spark logs. Also, the only new entry in the OpenFire logs is the stdout.log.

Spark Debugger - Raw Sent Packets:

<stream:stream to="im-4101.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls>
<stream:stream to="domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<auth mechanism="GSSAPI" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</auth>
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">=</response>
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">YDsGCSqGSIb3EgECAgIBAAD/////zQJnssNpw5guibAX+KQvF+H9bXiWa6v5AQEAAGNocmlzaAYGBgYGBg==</response>
<stream:stream to="domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<iq id="RWR72-0" type="set"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><resource>spark</resource></bind></iq>
<iq id="RWR72-1" type="set"><session xmlns="urn:ietf:params:xml:ns:xmpp-session"></session></iq>
<iq id="RWR72-2" type="get"><query xmlns="jabber:iq:roster"></query></iq>
<iq id="RWR72-3" to="domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#items"></query></iq>
<iq id="RWR72-4" from="nerfherder@domain.com/spark" type="get"><vCard xmlns='vcard-temp'></vCard>
</iq>
<iq id="RWR72-5" type="get"><sharedgroup xmlns="http://www.jivesoftware.org/protocol/sharedgroup"></sharedgroup></iq>
<presence id="RWR72-6"><status>Available</status><priority>1</priority><x xmlns="vcard-temp:x:update"><photo>da39a3ee5e6b4b0d3255bfef95601890afd80709</photo></x><x xmlns="jabber:x:avatar"><hash>da39a3ee5e6b4b0d3255bfef95601890afd80709</hash></x></presence>
<iq id="RWR72-7" type="get"><query xmlns="jabber:iq:private"><storage xmlns="storage:bookmarks"></storage></query></iq>
<iq id="RWR72-8" to="pubsub.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-9" type="get"><query xmlns="jabber:iq:private"><storage xmlns="storage:bookmarks"></storage></query></iq>
<iq id="RWR72-10" to="proxy.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-11" to="conference.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-12" to="search.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-13" to="domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#items"></query></iq>
<iq id="RWR72-14" to="pubsub.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-15" to="proxy.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-16" to="conference.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-17" to="search.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-18" to="domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#items"></query></iq>
<iq id="RWR72-19" to="domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#items"></query></iq>
<iq id="RWR72-20" to="pubsub.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-21" to="proxy.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-22" to="conference.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-23" to="search.domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#info"></query></iq>
<iq id="RWR72-24" to="domain.com" type="get"><query xmlns="http://jabber.org/protocol/disco#items"></query></iq>
<iq id="RWR72-25" type="get"><query xmlns="jabber:iq:private"><gateway-settings xmlns="http://www.jivesoftware.org/spark"></gateway-settings></query></iq>
<iq id="RWR72-26" type="get"><query xmlns="jabber:iq:private"><scratchpad xmlns="scratchpad:tasks"></scratchpad></query></iq>

Spark Debugger - Raw Received Packets:

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="28ef62aa" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"></auth><register xmlns="http://jabber.org/features/iq-register"></register></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"></proceed>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="28ef62aa" xml:lang="en" version="1.0"><stream:features>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression>
<auth xmlns="http://jabber.org/features/iq-auth"></auth><register xmlns="http://jabber.org/features/iq-register"></register></stream:features>
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">=</challenge>
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
YDMGCSqGSIb3EgECAgIBAAD/////oH9Oz2cBAUGWcev6hEW8X1TsUVFaYJcpAQEAAAQEBAQ=</challenge>
<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"></success>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="domain.com" id="28ef62aa" xml:lang="en" version="1.0"><stream:features><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"></bind><session xmlns="urn:ietf:params:xml:ns:xmpp-session"></session></stream:features>
<iq type="result" id="RWR72-0" to="domain.com/28ef62aa"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><jid>nerfherder@domain.com/spark</jid></bind></iq>
<iq type="result" id="RWR72-1" to="nerfherder@domain.com/spark"><session xmlns="urn:ietf:params:xml:ns:xmpp-session"></session></iq>
<iq type="result" id="RWR72-2" to="nerfherder@domain.com/spark"><query xmlns="jabber:iq:roster"></query></iq>
<iq type="result" id="RWR72-3" from="domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#items"><item jid="pubsub.domain.com" name="Publish-Subscribe service"></item><item jid="proxy.domain.com" name="Socks 5 Bytestreams Proxy"></item><item jid="conference.domain.com" name="Public Chatrooms"></item><item jid="search.domain.com" name="User Search"></item></query></iq>
<iq type="result" id="RWR72-4" to="nerfherder@domain.com/spark"><vCard xmlns="vcard-temp"> <N> <GIVEN>nerfherder</GIVEN> </N> <EMAIL> <INTERNET></INTERNET> <USERID>nerfherder@domain.com</USERID> </EMAIL> <FN>Hultberg, Chris</FN> <PHOTO> <TYPE>image/jpeg</TYPE> <BINVAL></BINVAL> </PHOTO> <ADR> <HOME></HOME> <STREET></STREET> <PCODE></PCODE> <CTRY></CTRY> </ADR> <ADR> <WORK></WORK> <STREET></STREET> <LOCALITY></LOCALITY> <REGION></REGION> <PCODE></PCODE> <CTRY></CTRY> </ADR> <TEL> <HOME></HOME> <VOICE></VOICE> <NUMBER> </NUMBER> </TEL> <TEL> <HOME></HOME> <CELL></CELL> <NUMBER> 1-425-273-6750</NUMBER> </TEL> <TEL> <WORK></WORK> <VOICE></VOICE> <NUMBER>206-266-6666</NUMBER> </TEL> <TEL> <WORK></WORK> <CELL></CELL> <NUMBER> 1-425-273-6750</NUMBER> </TEL> <TEL> <WORK></WORK> <FAX></FAX> <NUMBER>None</NUMBER> </TEL> <TEL> <WORK></WORK> <PAGER></PAGER> <NUMBER>877-513-1852</NUMBER> </TEL> <TITLE>System Admin/Engr</TITLE> <ORG> <ORGUNIT>Corporate Systems (7403)</ORGUNIT> </ORG> </vCard></iq>
<iq type="result" id="RWR72-5" to="nerfherder@domain.com/spark"><sharedgroup xmlns="http://www.jivesoftware.org/protocol/sharedgroup"></sharedgroup></iq>
<iq type="result" id="RWR72-7" to="nerfherder@domain.com/spark"><query xmlns="jabber:iq:private"><storage xmlns="storage:bookmarks"></storage></query></iq>
<iq type="result" id="RWR72-8" from="pubsub.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="pubsub" name="Publish-Subscribe service" type="service"></identity><feature var="http://jabber.org/protocol/pubsub"></feature><feature var="http://jabber.org/protocol/pubsub#collections"></feature><feature var="http://jabber.org/protocol/pubsub#config-node"></feature><feature var="http://jabber.org/protocol/pubsub#create-and-configure"></feature><feature var="http://jabber.org/protocol/pubsub#create-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#delete-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#get-pending"></feature><feature var="http://jabber.org/protocol/pubsub#instant-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#item-ids"></feature><feature var="http://jabber.org/protocol/pubsub#meta-data"></feature><feature var="http://jabber.org/protocol/pubsub#modify-affiliations"></feature><feature var="http://jabber.org/protocol/pubsub#manage-subscriptions"></feature><feature var="http://jabber.org/protocol/pubsub#multi-subscribe"></feature><feature var="http://jabber.org/protocol/pubsub#outcast-affiliation"></feature><feature var="http://jabber.org/protocol/pubsub#persistent-items"></feature><feature var="http://jabber.org/protocol/pubsub#presence-notifications"></feature><feature var="http://jabber.org/protocol/pubsub#publish"></feature><feature var="http://jabber.org/protocol/pubsub#publisher-affiliation"></feature><feature var="http://jabber.org/protocol/pubsub#purge-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#retract-items"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-affiliations"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-default"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-items"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-subscriptions"></feature><feature var="http://jabber.org/protocol/pubsub#subscribe"></feature><feature var="http://jabber.org/protocol/pubsub#subscription-options"></feature><feature var="http://jabber.org/protocol/pubsub#default_access_model_open"></feature><feature var="http://jabber.org/protocol/disco#info"></feature></query></iq>
<iq type="result" id="RWR72-9" to="nerfherder@domain.com/spark"><query xmlns="jabber:iq:private"><storage xmlns="storage:bookmarks"></storage></query></iq>
<iq type="result" id="RWR72-10" from="proxy.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="proxy" name="SOCKS5 Bytestreams Service" type="bytestreams"></identity><feature var="http://jabber.org/protocol/bytestreams"></feature><feature var="http://jabber.org/protocol/disco#info"></feature></query></iq>
<iq type="result" id="RWR72-11" from="conference.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="conference" name="Public Chatrooms" type="text"></identity><identity category="directory" name="Public Chatroom Search" type="chatroom"></identity><feature var="http://jabber.org/protocol/muc"></feature><feature var="http://jabber.org/protocol/disco#info"></feature><feature var="http://jabber.org/protocol/disco#items"></feature><feature var="jabber:iq:search"></feature><feature var="http://jabber.org/protocol/rsm"></feature></query></iq>
<iq type="result" id="RWR72-12" from="search.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="directory" type="user" name="User Search"></identity><feature var="jabber:iq:search"></feature><feature var="http://jabber.org/protocol/disco#info"></feature><feature var="http://jabber.org/protocol/rsm"></feature></query></iq>
<iq type="result" id="RWR72-13" from="domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#items"><item jid="pubsub.domain.com" name="Publish-Subscribe service"></item><item jid="proxy.domain.com" name="Socks 5 Bytestreams Proxy"></item><item jid="conference.domain.com" name="Public Chatrooms"></item><item jid="search.domain.com" name="User Search"></item></query></iq>
<iq type="result" id="RWR72-14" from="pubsub.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="pubsub" name="Publish-Subscribe service" type="service"></identity><feature var="http://jabber.org/protocol/pubsub"></feature><feature var="http://jabber.org/protocol/pubsub#collections"></feature><feature var="http://jabber.org/protocol/pubsub#config-node"></feature><feature var="http://jabber.org/protocol/pubsub#create-and-configure"></feature><feature var="http://jabber.org/protocol/pubsub#create-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#delete-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#get-pending"></feature><feature var="http://jabber.org/protocol/pubsub#instant-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#item-ids"></feature><feature var="http://jabber.org/protocol/pubsub#meta-data"></feature><feature var="http://jabber.org/protocol/pubsub#modify-affiliations"></feature><feature var="http://jabber.org/protocol/pubsub#manage-subscriptions"></feature><feature var="http://jabber.org/protocol/pubsub#multi-subscribe"></feature><feature var="http://jabber.org/protocol/pubsub#outcast-affiliation"></feature><feature var="http://jabber.org/protocol/pubsub#persistent-items"></feature><feature var="http://jabber.org/protocol/pubsub#presence-notifications"></feature><feature var="http://jabber.org/protocol/pubsub#publish"></feature><feature var="http://jabber.org/protocol/pubsub#publisher-affiliation"></feature><feature var="http://jabber.org/protocol/pubsub#purge-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#retract-items"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-affiliations"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-default"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-items"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-subscriptions"></feature><feature var="http://jabber.org/protocol/pubsub#subscribe"></feature><feature var="http://jabber.org/protocol/pubsub#subscription-options"></feature><feature var="http://jabber.org/protocol/pubsub#default_access_model_open"></feature><feature var="http://jabber.org/protocol/disco#info"></feature></query></iq>
<iq type="result" id="RWR72-15" from="proxy.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="proxy" name="SOCKS5 Bytestreams Service" type="bytestreams"></identity><feature var="http://jabber.org/protocol/bytestreams"></feature><feature var="http://jabber.org/protocol/disco#info"></feature></query></iq>
<iq type="result" id="RWR72-16" from="conference.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="conference" name="Public Chatrooms" type="text"></identity><identity category="directory" name="Public Chatroom Search" type="chatroom"></identity><feature var="http://jabber.org/protocol/muc"></feature><feature var="http://jabber.org/protocol/disco#info"></feature><feature var="http://jabber.org/protocol/disco#items"></feature><feature var="jabber:iq:search"></feature><feature var="http://jabber.org/protocol/rsm"></feature></query></iq>
<iq type="result" id="RWR72-17" from="search.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="directory" type="user" name="User Search"></identity><feature var="jabber:iq:search"></feature><feature var="http://jabber.org/protocol/disco#info"></feature><feature var="http://jabber.org/protocol/rsm"></feature></query></iq>
<iq type="result" id="RWR72-18" from="domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#items"><item jid="pubsub.domain.com" name="Publish-Subscribe service"></item><item jid="proxy.domain.com" name="Socks 5 Bytestreams Proxy"></item><item jid="conference.domain.com" name="Public Chatrooms"></item><item jid="search.domain.com" name="User Search"></item></query></iq>
<iq type="result" id="RWR72-19" from="domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#items"><item jid="pubsub.domain.com" name="Publish-Subscribe service"></item><item jid="proxy.domain.com" name="Socks 5 Bytestreams Proxy"></item><item jid="conference.domain.com" name="Public Chatrooms"></item><item jid="search.domain.com" name="User Search"></item></query></iq>
<iq type="result" id="RWR72-20" from="pubsub.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="pubsub" name="Publish-Subscribe service" type="service"></identity><feature var="http://jabber.org/protocol/pubsub"></feature><feature var="http://jabber.org/protocol/pubsub#collections"></feature><feature var="http://jabber.org/protocol/pubsub#config-node"></feature><feature var="http://jabber.org/protocol/pubsub#create-and-configure"></feature><feature var="http://jabber.org/protocol/pubsub#create-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#delete-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#get-pending"></feature><feature var="http://jabber.org/protocol/pubsub#instant-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#item-ids"></feature><feature var="http://jabber.org/protocol/pubsub#meta-data"></feature><feature var="http://jabber.org/protocol/pubsub#modify-affiliations"></feature><feature var="http://jabber.org/protocol/pubsub#manage-subscriptions"></feature><feature var="http://jabber.org/protocol/pubsub#multi-subscribe"></feature><feature var="http://jabber.org/protocol/pubsub#outcast-affiliation"></feature><feature var="http://jabber.org/protocol/pubsub#persistent-items"></feature><feature var="http://jabber.org/protocol/pubsub#presence-notifications"></feature><feature var="http://jabber.org/protocol/pubsub#publish"></feature><feature var="http://jabber.org/protocol/pubsub#publisher-affiliation"></feature><feature var="http://jabber.org/protocol/pubsub#purge-nodes"></feature><feature var="http://jabber.org/protocol/pubsub#retract-items"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-affiliations"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-default"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-items"></feature><feature var="http://jabber.org/protocol/pubsub#retrieve-subscriptions"></feature><feature var="http://jabber.org/protocol/pubsub#subscribe"></feature><feature var="http://jabber.org/protocol/pubsub#subscription-options"></feature><feature var="http://jabber.org/protocol/pubsub#default_access_model_open"></feature><feature var="http://jabber.org/protocol/disco#info"></feature></query></iq>
<iq type="result" id="RWR72-21" from="proxy.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="proxy" name="SOCKS5 Bytestreams Service" type="bytestreams"></identity><feature var="http://jabber.org/protocol/bytestreams"></feature><feature var="http://jabber.org/protocol/disco#info"></feature></query></iq>
<iq type="result" id="RWR72-22" from="conference.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="conference" name="Public Chatrooms" type="text"></identity><identity category="directory" name="Public Chatroom Search" type="chatroom"></identity><feature var="http://jabber.org/protocol/muc"></feature><feature var="http://jabber.org/protocol/disco#info"></feature><feature var="http://jabber.org/protocol/disco#items"></feature><feature var="jabber:iq:search"></feature><feature var="http://jabber.org/protocol/rsm"></feature></query></iq>
<iq type="result" id="RWR72-23" from="search.domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="directory" type="user" name="User Search"></identity><feature var="jabber:iq:search"></feature><feature var="http://jabber.org/protocol/disco#info"></feature><feature var="http://jabber.org/protocol/rsm"></feature></query></iq>
<iq type="result" id="RWR72-24" from="domain.com" to="nerfherder@domain.com/spark"><query xmlns="http://jabber.org/protocol/disco#items"><item jid="pubsub.domain.com" name="Publish-Subscribe service"></item><item jid="proxy.domain.com" name="Socks 5 Bytestreams Proxy"></item><item jid="conference.domain.com" name="Public Chatrooms"></item><item jid="search.domain.com" name="User Search"></item></query></iq>
<iq type="result" id="RWR72-25" to="nerfherder@domain.com/spark"><query xmlns="jabber:iq:private"><gateway-settings xmlns="http://www.jivesoftware.org/spark"></gateway-settings></query></iq>
<iq type="result" id="RWR72-26" to="nerfherder@domain.com/spark"><query xmlns="jabber:iq:private"><scratchpad xmlns="scratchpad:tasks"></scratchpad></query></iq>

stdout.log

Openfire 3.4.1 [Nov 27, 2007 1:59:33 PM]
Admin console listening at:
  http://domain.com:9090
  https://domain.com:9091
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is E:/Openfire/conf/xmpp-im-4101.keytab refreshKrb5Config is false principal is xmpp/im-4101.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/im-4101.domain.com@DOMAIN.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 6F DE 6F 54 73 33 3D C9   D6 41 71 59 DC 40 1E B8  o.oTs3=..AqY.@..
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 79 E9 64 7F 51 D0 58 E0
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 79 E9 64 7F 51 D0 58 E0
Added server's keyKerberos Principal xmpp/im-4101.domain.com@DOMAIN.COMKey Version 2key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 6F DE 6F 54 73 33 3D C9   D6 41 71 59 DC 40 1E B8  o.oTs3=..AqY.@..
        [Krb5LoginModule] added Krb5Principal  xmpp/im-4101.domain.com@DOMAIN.COM to Subject
Added server's keyKerberos Principal xmpp/im-4101.domain.com@DOMAIN.COMKey Version 2key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 79 E9 64 7F 51 D0 58 E0
        [Krb5LoginModule] added Krb5Principal  xmpp/im-4101.domain.com@DOMAIN.COM to Subject
Added server's keyKerberos Principal xmpp/im-4101.domain.com@DOMAIN.COMKey Version 2key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 79 E9 64 7F 51 D0 58 E0
        [Krb5LoginModule] added Krb5Principal  xmpp/im-4101.domain.com@DOMAIN.COM to Subject
Commit Succeeded