SSO issues, wont work...help?

Stuart_Arndt · February 22, 2008, 12:23am

I have a Windows 2003 AD environment using openfire 3.4.5 and spark 2.5.8, I’ve followed all instructions here about 4-5 times now:

http://www.igniterealtime.org/community/docs/DOC-1362

and I just cant get the damn thing to work. Logins without SSO work fine (i.e. full credentials used)

I’m only getting two errors to list:

Spark:

Feb 21, 2008 3:42:56 PM org.jivesoftware.spark.util.log.Log warning

WARNING: Exception in Login:

not-authorized(401)

at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication .java:94)

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 227)

at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)

at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)

at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)

at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)

at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)

at java.lang.Thread.run(Unknown Source)

Openfire debug (all other logs have not updated after clearing them):

2008.02.21 16:20:53 ConnectionHandler:

java.io.IOException: An existing connection was forcibly closed by the remote host

at sun.nio.ch.SocketDispatcher.read0(Native Method)

at sun.nio.ch.SocketDispatcher.read(Unknown Source)

at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)

at sun.nio.ch.IOUtil.read(Unknown Source)

at sun.nio.ch.SocketChannelImpl.read(Unknown Source)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.j ava:218)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcesso r.java:198)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProce ssor.java:45)

at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProce ssor.java:485)

at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

2008.02.21 16:20:59 NIOConnection: startTLS: using c2s

I end up getting the common ‘Unable to connect using Single Sign-On. Please check your principal and server settings.’

Yes, I have a krb5.ini file and the propper registry edit.

Any help would be appreciated.

-Stuart

NO_MESSAGES_OR_FRIEN · February 22, 2008, 2:39pm

Were ther any errors when creating the keytab?

Stuart_Arndt · February 22, 2008, 3:58pm

not that I saw, but I’ll regenerate the file and capture the text responses to post when I get to work.

Stuart_Arndt · February 22, 2008, 6:01pm

Here’s my Keytab output:

C:\Documents and Settings\user>ktpass -princ xmpp/im01-sfo.fibertower.com@FIB

ERTOWER.COM -mapuser xmpp-openfire@fibertower.com -pass ******* -ptype KRB5_

NT_PRINCIPAL -out xmpp.keytab

Targeting domain controller: fiber2kbkup.fibertower.com

Successfully mapped xmpp/im01-sfo.fibertower.com to xmpp-openfire.

Key created.

Output keytab to xmpp.keytab:

Keytab version: 0x502

keysize 78 xmpp/im01-sfo.fibertower.com@FIBERTOWER.COM ptype 1 (KRB5_NT_PRINCIPA

L) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x63450ca96831be7d98ce520c63445985)

-Stuart

NO_MESSAGES_OR_FRIEN · February 22, 2008, 6:17pm

You say that you run an 2003 AD environment, but not what the actual openfire server runs on. I have attached the steps that i have used to setup 3 servers so far that work with SSO and AD 2003. The openfire servers were running on a mix of windows XP and server 2003.

Stuart_Arndt · February 22, 2008, 6:56pm

Thanks, I’ll go through this over the weekend and let you know my results.

Stuart_Arndt · February 27, 2008, 6:37pm

I notice you dont set a server principal name or specify the kerberos type in your config, any reason for that?

-Stuart

NO_MESSAGES_OR_FRIEN · February 27, 2008, 7:04pm

Because I did not have to get SSO to work back in the days of Wildfire server and still do not with the new openfire versions.

Stuart_Arndt · February 27, 2008, 9:01pm

still a no go and I have no idea why, it doesnt even seem like the authentication attempt is even leaving the server, I see no pass/fail in the DC security log for the DC I’ve specified as the kdc.

Stuart_Arndt · February 27, 2008, 10:27pm

spark posts this in the log:

<username>username</username>

<resource>spark</resource>

</query>

<not-authorized xmlns=“urn:ietf:params:xml:ns:xmpp-stanzas”/>

</error>

</iq>

Stuart_Arndt · February 29, 2008, 12:17am

when running ksetup it says my realm name is all lowercase, is this normal? should I change my configs for the realm to be all lower case as well then?