SSO help please - I'm out of ideas!

Hi everyone,

I have read over many posts trying to figure out how to get SSO to work with no luck.

I have recreated jabber.keytab files, I’ve gone over the guides many times looking for something I might have missed.

Here is my setup

Windows Server 2003 domain

chatserver is running the current ver of openfire, the other machine is running the current version of spark

I’ve made the reg edits to both machines.

both machines have the same krb5.ini file

keytab file has been created with both windows tool and java tool

Anyways, here is my debug from spark

<?xml version='1.0' encoding='UTF-8'?>

stream:featuresGSSAPI</mechanisms>zlib</stream:features>

<?xml version='1.0' encoding='UTF-8'?>GSSAPIzlib

There isn’t much showing up in openfire.

2009.01.30 08:50:41 ConnectionHandler:
java.io.IOException: An existing connection was forcibly closed by the remote host
at sun.nio.ch.SocketDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(Unknown Source)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
at sun.nio.ch.IOUtil.read(Unknown Source)
at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:218)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2009.01.30 08:50:44 NIOConnection: startTLS: using c2s

krb5.ini

[libdefaults]
default_realm = DOMAIN.LOCAL
noaddresses = true

[realms]
DOMAIN.LOCAL = {
kdc = domaincontroller.domain.local
default_domain = domain.local
}

my gss.conf

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="d:/Program Files/Openfire/resources/jabber.keytab"
doNotPrompt=true
useKeyTab=true
realm="DOMAIN.LOCAL"
principal="xmpp/servername.domain.local@DOMAIN.LOCAL"
debug=true;
};

Thanks for any help and insight you may be able to provide.

I too gave up on SSO - Here is what I found out in my testing.

When a user is prompted to ‘Sign in’ to the Spark client, if the user manually enters their credentials and connects, I can then ‘Log Out’ and enable ‘SSO’ for the user and it works.

I have never been able to get SSO to work immediately after installation. It always required a manual login, then I could enable SSO with no problems. It also continued to work after a Password Change occurred for the user.

This didn't help me out with deployment, because my thoughts were to set up an MSI with SSO enabled and the SSL configuration information. But, maybe you can test these steps and see if you get the same results.

I am researching SSO as well. Eventually, I’d like to integrate commercial Identity Management products into the mix… all of which use SAML 2.0 and will support an ‘unexpected user’ (unknown user from a trusted domain).

I have been heading down the path with SparkWeb (rather than an application) because the browser should support the ‘token’ exchange… but requires the SAML exchange to provide ‘subject’ data… including attributes.

This is a great topic… I also have been looking through threads to find information to no avail.

Wall,

Thanks for the tip. I did what you said, and SSO worked for my test user, but I tried it with another user, no joy. I hate to scrap SSO, but it looks like it might be more trouble than what it's worth.

spamcatcher

That is not SSO, that is Spark remembering the previous login settings. SSO should work without ever doing that. There is no one way to do this. Every network config is different. Here are the basic guides:

  • Make sure your Openfire server is named the same as the domain name of the server box (i.e. chatserver.domain.info)
  • Make sure your xmpp.domain matches the server name
  • Make sure the openfire server certs match the settings above
  • Follow the directions for setting up SSO, start with creating a new user to use for keytab generation.

Yeah… I've gone through all that many, many times. Oh well. I’m about to give up on SSO.

SUCCESS!! I now have this working. Turned out to be two issues.

I had registered the xmpp/server.domain.local@DOMAIN.COM to more than one account. Removed the SPN from the account I accidentally left it on.

The other was with the keytab…and this was how I fixed it

forget using the windows ktpass

use ktab (Java app)

ktab -k xmpp.keytab -a xmpp/servername.domain.com@DOMAIN.COM

Once you do that, use kinit on your new keytab file (located in openfire\jre\bin)

kinit -k -t xmpp.keytab xmpp/servername.domain.com@DOMAIN.COM “password”

If it runs without any errors, your file is good. If it gives you errors, then go back into AD and reset the password (use the same password as before) on the user that you used to map xmpp/servername.domain.com@REALM.COM

Run kinit again

If all is good, place the file in your resources folder, restart openfire. I hope this helps some of you as this is what worked for me.
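Added example (not from anyone in this thread): a small Python check that parses a keytab in the 0x0502 layout Java's ktab writes and confirms it holds exactly the principal string that gss.conf's principal= names, which catches the DOMAIN.LOCAL vs DOMAIN.COM realm mix-up seen above before Openfire is restarted. The sample keytab bytes are constructed here, and the _entry helper exists only to build them.

```python
import struct
from typing import List, NamedTuple
class KeytabEntry(NamedTuple):
    principal: str  # "comp1/comp2@REALM", exactly as gss.conf's principal= must read
    kvno: int       # key version; must match the AD account's current kvno
    enctype: int    # 23 = RC4-HMAC (Windows 2003 default), 3 = DES-CBC-MD5, 18 = AES256

def _counted(buf, pos):  # 16-bit length-prefixed octet string -> (bytes, next_pos)
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:end], end

def _parse_entry(data, pos, end):
    (ncomp,) = struct.unpack_from(">H", data, pos)
    realm, pos = _counted(data, pos + 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = _counted(data, pos)
        comps.append(comp.decode())
    vno8 = data[pos + 8]          # follows uint32 name_type and uint32 timestamp
    enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
    pos += 13 + keylen            # skip the key itself; only metadata is needed here
    vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), vno32 or vno8, enctype)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:              # a negative size marks a deleted (free) slot: skip it
            entries.append(_parse_entry(data, pos, pos + size))
        pos += abs(size)
    return entries

def check_principal(data: bytes, expected: str) -> bool:
    return any(e.principal == expected for e in parse_keytab(data))  # realm and case matter

def _entry(realm, comps, kvno, enctype, key):  # builds one constructed entry (fixture only)
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIB", 1, 1233330641, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = (b"\x05\x02"  # constructed: two keys for the thread's SPN around one deleted slot
                 + _entry("DOMAIN.COM", ["xmpp", "servername.domain.com"], 3, 23, b"\x11" * 16)
                 + struct.pack(">i", -8) + b"\x00" * 8
                 + _entry("DOMAIN.COM", ["xmpp", "servername.domain.com"], 3, 3, b"\x22" * 8))
```

Run check_principal over the bytes of your real xmpp.keytab with the principal copied from gss.conf; a False result with kinit still succeeding usually means the realm or host part differs between the two files.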