SSO Help Please

So I have Openfire working with Spark and active directory integration. All users can login fine and they get a couple of propagated groups.

I’ve followed the SSO documentation but SSO doesn’t appear to be working. I’ve double/triple checked all the settings. I don’t see any typos.

I think the problem may be during the keytab generation/principal/server mapping. I get some strange output during that phase of the setup.

2 warnings:

WARNING: Unable to SPN mapping data.

WARNING: PType and account type do not match. This might cause problems.

They keytab outputs fine though.

When I turn on Spark debugging it’s using IQ Auth.

```xml
<iq id="NJn0n-1" to="sfo2jabber/6986782a" type="error">
  <query xmlns="jabber:iq:auth">
    <username>test1</username>
    <password/>
    <resource>spark</resource>
  </query>
  <error code="401" type="AUTH">
    <not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>
  </error>
</iq>
```

Any thoughts for how to track this down? Thanks in advance for your help.

Should have probably mentioned OpenFire 3.3.3, Spark 2.5.7.

did you make the krb5.ini file on the server and client?

did you add the registry edits on the server and client?

did you make the gss.conf file?

can you verify your keytab settings?

did you make the krb5.ini file on the server and client?

I hadn’t realized this had to be done on both client/server. (Server only, copied file to the client.)

did you add the registry edits on the server and client?

I hadn’t realized this had to be done on both client/server. (Client only, made the change to the server as well.)

did you make the gss.conf file?

Yes

```
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="GICRE.LOCAL"
    principal="sfo2jabber@GICRE.LOCAL"
    debug=true;
};
```

can you verify your keytab settings?

How do I do this? It was created with:

```
C:>ktpass -princ sfo2jabber@GICRE.LOCAL -mapuser sfo2jabber@GICRE.LOCAL -pass XXXXXXXX -out jabber.keytab
Targeting domain controller: sfo2dc01.gicre.local
Using legacy password setting method
Failed to set property "servicePrincipalName" to "sfo2jabber" on Dn "CN=sfo2 jabber,OU=Special,OU=Network Operations,DC=gicre,DC=local": 0x13.
WARNING: Unable to set SPN mapping data.
If sfo2jabber already has an SPN mapping installed for sfo2jabber, this is no cause for concern.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to jabber.keytab:
Keytab version: 0x502
keysize 56 sfo2jabber@GICRE.LOCAL ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x57abc7a9edadd5dc3f02b11c8fea9044)
```

After making the recommended changes above I rebooted both the client/server and SSO still doesn’t work.

I don’t really see anything useful in the server logs.

Thanks for the prompt reply. Any idea what I should check for the next step?

your keytab code is wrong. it needs to follow this structure:

```
ktpass -princ xmpp/zeus.example.com@EXAMPLE.COM -mapuser xmpp-zeus.example.com -pass password -out jabber.keytab
```

or for your setting specifically

```
ktpass -princ xmpp/sfo2jabber@GICRE.LOCAL -mapuser sfo2jabber@GICRE.LOCAL -pass XXXXXXXXXX -out jabber.keytab
```



The second sfo2jabber@GICRE.LOCAL should be a username of a user that already exists in your AD system. You may have to delete this user and recreate it if you have already assigned a bad keytab to them. I had to do this myself
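The question "can you verify your keytab settings?" went unanswered above. The following is an added example (not code from the thread, Openfire or ktpass) that decodes a version 0x502 keytab directly, so the principal, ptype, kvno and encryption type can be read back without trusting the ktpass summary. The two sample keytabs are constructed in memory with build_keytab(), the 16-byte key is a dummy value, and the expected principal "xmpp/sfo2jabber@GICRE.LOCAL" is assumed from the reply above rather than taken from a live directory; pass a real jabber.keytab path as the first argument to inspect your own file.

```python
"""Decode a Kerberos keytab (version 0x502) and check it for the principal
named in Openfire's gss.conf.  Added example, not Openfire or ktpass code."""
import struct
import sys
from typing import Any, Dict, List

# Principal name types as written by ktpass -ptype; 0 is what the thread's
# ktpass output printed, 1 (KRB5_NT_PRINCIPAL) is what a service key should carry.
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL",
              2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def parse_keytab(data: bytes) -> List[Dict[str, Any]]:
    """Decode every live entry of a version-2 (0x502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        buf, off = data[pos:pos + size], 0
        ncomp, rlen = struct.unpack(">HH", buf[off:off + 4]); off += 4
        realm = buf[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", buf[off:off + 2]); off += 2
            comps.append(buf[off:off + clen].decode()); off += clen
        name_type, timestamp = struct.unpack(">II", buf[off:off + 8]); off += 8
        vno = buf[off]; off += 1         # 8-bit key version number
        etype, klen = struct.unpack(">HH", buf[off:off + 4]); off += 4
        key = buf[off:off + klen]; off += klen
        if off + 4 <= len(buf):          # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack(">I", buf[off:off + 4])
            vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "vno": vno, "etype": etype,
                        "etype_name": ETYPES.get(etype, "unknown"),
                        "key_len": len(key), "timestamp": timestamp})
        pos += size
    return entries


def build_keytab(entries: List[Dict[str, Any]]) -> bytes:
    """Serialise entries to keytab bytes; used here only to construct samples."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e["name_type"], e.get("timestamp", 0), e["vno"] & 0xFF)
        body += struct.pack(">HH", e["etype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["vno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(entries: List[Dict[str, Any]], expected: str) -> Dict[str, Any]:
    """Does the keytab hold a usable key for the principal gss.conf names?"""
    problems, notes = [], []
    matching = [e for e in entries if e["principal"] == expected]
    if not matching:
        found = ", ".join(e["principal"] for e in entries) or "none"
        problems.append(f"no key for {expected} (keytab holds: {found})")
    for e in matching:
        if e["name_type"] == 0:
            problems.append(f"{e['principal']} has ptype KRB5_NT_UNKNOWN; "
                            "rerun ktpass with -ptype KRB5_NT_PRINCIPAL")
        if e["etype"] not in (17, 18):
            notes.append(f"{e['principal']} uses {e['etype_name']}, not AES")
    return {"ok": not problems, "problems": problems, "notes": notes}


# Constructed samples: the shape of the thread's first keytab and of the
# corrected one.  The 16-byte key is a dummy value, not a real account key.
DUMMY_KEY = bytes(range(16))
THREAD_STYLE = [{"principal": "sfo2jabber@GICRE.LOCAL", "name_type": 0,
                 "vno": 3, "etype": 23, "key": DUMMY_KEY}]
CORRECTED = [{"principal": "xmpp/sfo2jabber@GICRE.LOCAL", "name_type": 1,
              "vno": 3, "etype": 23, "key": DUMMY_KEY}]
EXPECTED_PRINCIPAL = "xmpp/sfo2jabber@GICRE.LOCAL"   # assumed gss.conf principal

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(THREAD_STYLE)
    entries = parse_keytab(data)
    for e in entries:
        print(f"{e['principal']} ptype {e['name_type']} ({NAME_TYPES.get(e['name_type'], '?')}) "
              f"vno {e['vno']} etype {e['etype']} ({e['etype_name']}) keylength {e['key_len']}")
    print(check_keytab(entries, EXPECTED_PRINCIPAL))
```

Run it against the real file and compare the principal it prints with the `principal=` line in gss.conf: the two must match exactly, including the `xmpp/` service part, and the kvno in the keytab must match the current kvno of the AD account (recreating the account or resetting its password bumps the kvno and silently invalidates an older keytab).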


OK, I think I have the keytab straightened out at least.

However, it still doesn’t work. The same errors …

Spark complains with “Unable to connect using Single Sign-On. Please check your principal and server settings.”

Manual password entry works fine however. Any other ideas?

Look at the debugging output from Spark again: is the server advertising the GSSAPI sasl mechanism? If not, double check your openfire.xml

Oh, and the registry setting only needs to be done on the client, it will have no impact on the server (unless you want to run the client on the server to test)
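To make the check in the reply above mechanical, here is an added example (not Spark or Openfire code) that reads a captured `<stream:features>` stanza and reports whether GSSAPI is among the SASL mechanisms, and that recognises the legacy `jabber:iq:auth` login the first post's debug output shows. The two features stanzas are constructed to resemble what Spark's debug window prints; paste your own capture into a string and call diagnose() on it. The advice text refers to the `<sasl>` section of openfire.xml and to Spark's SSO settings in general terms only.

```python
"""Tell from Spark debug output whether the server advertised GSSAPI.
Added example, not Spark or Openfire code."""
import xml.etree.ElementTree as ET
from typing import List

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
IQ_AUTH_NS = "jabber:iq:auth"

# Constructed: a server that offers GSSAPI alongside the usual mechanisms.
FEATURES_WITH_GSSAPI = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>GSSAPI</mechanism>
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
  <auth xmlns="http://jabber.org/features/iq-auth"/>
</stream:features>"""

# Constructed: a server whose openfire.xml does not enable GSSAPI.
FEATURES_WITHOUT_GSSAPI = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
  <auth xmlns="http://jabber.org/features/iq-auth"/>
</stream:features>"""

# The failed login stanza from the first post, with quotes normalised.
IQ_FROM_THREAD = """<iq id="NJn0n-1" to="sfo2jabber/6986782a" type="error">
  <query xmlns="jabber:iq:auth"><username>test1</username><password/><resource>spark</resource></query>
  <error code="401" type="AUTH"><not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/></error>
</iq>"""


def sasl_mechanisms(features_xml: str) -> List[str]:
    """Return the SASL mechanisms listed in a <stream:features> element, in order."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text]


def offers_gssapi(features_xml: str) -> bool:
    return "GSSAPI" in sasl_mechanisms(features_xml)


def used_legacy_auth(stanza_xml: str) -> bool:
    """True if the client fell back to the pre-SASL jabber:iq:auth login."""
    root = ET.fromstring(stanza_xml)
    return root.tag == "iq" and root.find(f"{{{IQ_AUTH_NS}}}query") is not None


def diagnose(features_xml: str) -> str:
    """One-line verdict on where to look next, based on the advertised mechanisms."""
    mechs = sasl_mechanisms(features_xml)
    if "GSSAPI" in mechs:
        return ("server offers GSSAPI; a fallback to jabber:iq:auth then points at "
                "the client: krb5.ini, the client registry setting, or the "
                "principal configured in Spark's SSO settings")
    return ("server does not advertise GSSAPI (offered: " + ", ".join(mechs) +
            "); check the <sasl> section of openfire.xml")


if __name__ == "__main__":
    for label, xml in (("with GSSAPI", FEATURES_WITH_GSSAPI),
                       ("without GSSAPI", FEATURES_WITHOUT_GSSAPI)):
        print(f"{label}: {diagnose(xml)}")
    print("thread stanza used legacy iq:auth:", used_legacy_auth(IQ_FROM_THREAD))
```

The split matters for where to spend time: if GSSAPI is not in the advertised list, nothing on the client side (krb5.ini, registry, keytab) can help, because the client never gets the chance to use it.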

Thanks everybody who responded. Got this working this morning.

Not entirely sure what the fix was, but I think it was the keytab.

Rebooted the VMWare box this morning and everything started working.