I’m attempting to implement SSO in my environment but can’t seem to figure out what is wrong. Below are my configuration files.
Domain Name: Ad.McbrideAndSon.com
OpenFire Server Name: Pepper
OpenFire Version: 3.3.2
OpenFire Server OS: Windows 2003 Server
Spark Version: 2.5.5
Spark Client OS: WinXP SP2
Username I created in ADUC for Jabber: xmpp-jabber
Runing Klist.exe on client computer
C:\Program Files\Resource Kit>klist tgt
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: jeff.kackley
DomainName: AD.MCBRIDEANDSON.COM
TargetDomainName: AD.MCBRIDEANDSON.COM
AltTargetDomainName: MCBRIDEIDEANDSON.COM
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:103:8048
StartTime: 9/14/2007 8:04:56
EndTime: 9/14/2007 18:04:56
RenewUntil: 9/21/2007 8:04:56
TimeSkew: 9/21/2007 8:04:56-----
Running nslookup on the client machine
C:>nslookup pepper.ad.mcbrideandson.com
Server: dell-dc.ad.mcbrideandson.com
Address: 10.1.1.33
Name: pepper.ad.mcbrideandson.com
Address: 10.1.1.43
C:>nslookup 10.1.1.43
Server: dell-dc.ad.mcbrideandson.com
Address: 10.1.1.33
Name: pepper.ad.mcbrideandson.com
Address: 10.1.1.43
C:\Program Files\Openfire\resources\jabber.keytab was made by the following
C:\keytabs>Ktpass princ xmpp/jabber.ad.mcbrideandson.com@AD.MCBRIDEANDSON.COM ma
puser MCBRIDE\xmpp-jabber -pass passwordhere out xmpp.keytab -ptype KRB5_NT_PR
INCIPAL
Targeting domain controller: dell-dc.AD.McBrideandSon.com
Using legacy password setting method
Successfully mapped xmpp/jabber.ad.mcbrideandson.com to xmpp-jabber.
Key created.
Output keytab to xmpp.keytab:
Keytab version: 0x502
keysize 88 xmpp/jabber.ad.mcbrideandson.com@AD.MCBRIDEANDSON.COM ptype 1 (KRB5_N
T_PRINCIPAL) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0x38ce8e2ddcd3bd78889988
713a7172fc)
C:\Program Files\Openfire\conf\gss.conf
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab=“C:/Program Files/Openfire/resources/jabber.keytab”
doNotPrompt=true
useKeyTab=true
realm=“AD.MCBRIDEANDSON.COM”
principal=“xmpp/jabber.ad.mcbrideandson.com@AD.MCBRIDEANDSON.COM”
debug=true;
};
C:\Program Files\Openfire\conf\openfire.xml
<?xml version=“1.0” encoding=“UTF-8”?>
<!–
This file stores bootstrap properties needed by Openfire.
Property names must be in the format: “prop.name.is.blah=value”
That will be stored as:
<prop>
<name>
<is>
<blah>value</blah>
</is>
</name>
</prop>
Most properties are stored in the Openfire database. A
property viewer and editor is included in the admin console.
–>
<!-- root element, all properties must be under this element -->
<jive>
<adminConsole>
<!-- Disable either port by setting the value to -1 -->
<port>9090</port>
<securePort>9091</securePort>
</adminConsole>
<admin>
<!-- Use this section to define users that will have admin privileges. Below,
you will find two ways to specify which users are admins. Admins will
have access to the admin console (only local users) and may have also access
to other functionalities like ad-hoc commands. -->
<!-- By default, only the user with the username “admin” can login
to the admin console. Alternatively, you can specify a comma-delimitted
list usernames that should be authorized to login to the admin console
by setting the <authorizedUsernames> field below. -->
<!-- <authorizedUsernames></authorizedUsernames> -->
<!-- Comma-delimitted list of bare JIDs. The JIDs may belong to local
or remote users. -->
<!-- <authorizedJIDs></authorizedJIDs> -->
<authorizedUsernames>usernameshere</authorizedUsernames>
</admin>
<locale>en</locale>
<!-- Network settings. By default, Openfire will bind to all network interfaces.
Alternatively, you can specify a specific network interfaces that the server
will listen on. For example, 127.0.0.1. This setting is generally only useful
on multi-homed servers. -->
<!–
<network>
<interface></interface>
</network>
–>
<connectionProvider>
<className>org.jivesoftware.database.EmbeddedConnectionProvider</classN ame>
</connectionProvider>
<ldap>
<host>dell-dc</host>
<port>389</port>
<baseDN>dc=ad,dc=mcbrideandson,dc=com</baseDN>
<adminDN>mcbride*adminunhere*</adminDN>
<adminPassword>passwordhere</adminPassword>
<connectionPoolEnabled>true</connectionPoolEnabled>
<sslEnabled>false</sslEnabled>
<ldapDebugEnabled>false</ldapDebugEnabled>
<autoFollowReferrals>false</autoFollowReferrals>
<usernameField>sAMAccountName</usernameField>
<searchFilter>(objectClass=organizationalPerson)</searchFilter>
<vcard-mapping><![CDATA[
<vCard xmlns=“vcard-temp”>
<N>
<GIVEN></GIVEN>
</N>
<EMAIL>
<INTERNET/>
<USERID></USERID>
</EMAIL>
<FN></FN>
<ADR>
<HOME/>
</ADR>
<ADR>
<WORK/>
<STREET></STREET>
<LOCALITY></LOCALITY>
<REGION></REGION>
<PCODE></PCODE>
<CTRY></CTRY>
</ADR>
<TEL>
<WORK/>
<VOICE/>
<NUMBER></NUMBER>
</TEL>
<TEL>
<WORK/>
<CELL/>
<NUMBER></NUMBER>
</TEL>
<TEL>
<WORK/>
<FAX/>
<NUMBER></NUMBER>
</TEL>
<TEL>
<WORK/>
<PAGER/>
<NUMBER></NUMBER>
</TEL>
<TITLE></TITLE>
<ORG>
<ORGUNIT></ORGUNIT>
</ORG>
</vCard>]]></vcard-mapping>
<nameField>cn</nameField>
<emailField>mail</emailField>
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter>(objectClass=group)</groupSearchFilter>
</ldap>
<provider>
<vcard>
<className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className& gt;
</vcard>
<user>
<className>org.jivesoftware.openfire.ldap.LdapUserProvider</className&g t;
</user>
<auth>
<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className&g t;
</auth>
<group>
<className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className& gt;
</group>
</provider>
<setup>true</setup>
<!-- sasl configuration -->
<sasl>
<!-- Include a comma-separated list of the authentication mechanisms
to advertise support for to clients. Make sure GSSAPI is listed,
and best if it’s listed first. The order of mechanisms is important;
clients should try to use the first mechanism they support
(although not all will). Some clients will try to use the most
secure first.
You can add other mechanisms in order to support non-GSSAPI clients,
or clients who cannot authenticate to the realm (like Windows 9X,
off-site, and so on). Keep in mind that by allowing other mechanisms
you are compromising the security of your realm. Be sure to talk
to the Security Officer/Directory/Manager/Administrator about any
policies your organization might have before enabling less secure
mechanisms. By removing PLAIN and ANONYMOUS from the list, you will
also disable non-SASL authentications.
Keep in mind that a mechanism listed here might not actually be
advertised, such as when the authProvider can’t support the mechanism.
PLAIN and ANONYMOUS mechanisms also enable non-SASL authentication
(the old style XMPP auth), so removing them from this list will
disallow non-SASL authentication. -->
<mechs>GSSAPI</mechs>
<!-- <mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->
<!-- Specify the realm you used when you created the service principal
and keytab.–>
<realm>AD.MCBRIDEANDSON.COM</realm>
<!-- Mechanism-specific configuration here -->
<gssapi>
<!-- Use true to turn on debugging information. This adds a lot
of noise to your log files, but it can help you spot problems
sooner in the initial setup. -->
<debug>true</debug>
<!-- Specify the location of the GSSAPI configuration file you edited. -->
<config>C:\Program Files\Openfire\conf\gss.conf</config>
<!-- Sets the system property with the same name. You’ll probably want
“false” here (the default). For more details, see
http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html -->
<useSubjectCredsOnly>false</useSubjectCredsOnly>
</gssapi>
</sasl>
<provider>
<authorization>
<classList>org.jivesoftware.openfire.sasl.LooseAuthorizationProvider org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider org.jivesoftware.openfire.ldap.LdapAuthorizationProvider</classList>
<!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy–>
</authorization>
</provider>
</jive>
Registry Entry on th XP SP2 Client
<code>HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsaKerberos Value Name: allowtgtsessionkey Value Type: REG_DWORD Value: 0x01</code>
Error Log on OpenFire
2007.09.14 15:58:03 [org.jivesoftware.database.ConnectionPool.<init>(ConnectionPool.java:111)
] Failed to create new connections on startup. Attempt 0 of 3
java.sql.SQLException:
The database is already in use by another process:
org.hsqldb.persist.NIOLockFile@f7cf94a6[file =C:\Program
Files\Openfire\embedded-db\openfire.lck, exists=true, locked=false,
valid=false, fl =null]: java.lang.Exception: checkHeartbeat(): lock
file C:\Program Files\Openfire\embedded-db\openfire.lck is presumably
locked by another process.
at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
at org.hsqldb.jdbc.jdbcConnection.<init>(Unknown Source)
at org.hsqldb.jdbcDriver.getConnection(Unknown Source)
at org.hsqldb.jdbcDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at org.jivesoftware.database.ConnectionPool.createCon(ConnectionPool.java:443)
at org.jivesoftware.database.ConnectionPool.<init>(ConnectionPool.java:88)
at org.jivesoftware.database.EmbeddedConnectionProvider.start(EmbeddedConnectionPr ovider.java:75)
at org.jivesoftware.database.DbConnectionManager.setConnectionProvider(DbConnectio nManager.java:459)
at org.jivesoftware.database.DbConnectionManager.getConnection(DbConnectionManager .java:77)
at org.jivesoftware.util.JiveProperties.loadProperties(JiveProperties.java:271)
at org.jivesoftware.util.JiveProperties.init(JiveProperties.java:70)
at org.jivesoftware.util.JiveProperties.<init>(JiveProperties.java:52)
at org.jivesoftware.util.JiveProperties.getInstance(JiveProperties.java:46)
at org.jivesoftware.util.JiveGlobals.getProperty(JiveGlobals.java:524)
at org.jivesoftware.openfire.XMPPServer.initialize(XMPPServer.java:286)
at org.jivesoftware.openfire.XMPPServer.start(XMPPServer.java:383)
at org.jivesoftware.openfire.XMPPServer.<init>(XMPPServer.java:148)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at org.jivesoftware.openfire.starter.ServerStarter.start(ServerStarter.java:93)
at org.jivesoftware.openfire.starter.ServerStarter.main(ServerStarter.java:49)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.exe4j.runtime.LauncherEngine.launch(Unknown Source)
at com.exe4j.runtime.WinLauncher.main(Unknown Source)
2007.09.14 15:58:33 [org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:165)
] Groups () include non-existent username (usernamehere)
2007.09.14 15:58:33 [org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:165)
] Groups () include non-existent username (usernamehere)
2007.09.14 15:58:33 [org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:165)
] Groups () include non-existent username (usernamehere)
2007.09.14 15:58:33 [org.jivesoftware.openfire.roster.Roster.<init>(Roster.java:165)
] Groups () include non-existent username (usernamehere
)
OpenFire’s Warn Log
007.09.14 16:00:39 SaslException
javax.security.sasl.SaslException:
Failure to initialize security context [Caused by GSSException: Invalid
name provided (Mechanism level: Could not load configuration file
C:\WINDOWS\krb5.ini (The system cannot find the file specified))]
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :220)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:703)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:62)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:200)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:362)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:54)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:800)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :266)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:326)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused
by: GSSException: Invalid name provided (Mechanism level: Could not
load configuration file C:\WINDOWS\krb5.ini (The system cannot find the
file specified))
at sun.security.jgss.krb5.Krb5NameElement.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getNameElement(Unknown Source)
at sun.security.jgss.GSSNameImpl.getElement(Unknown Source)
at sun.security.jgss.GSSNameImpl.init(Unknown Source)
at sun.security.jgss.GSSNameImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createName(Unknown Source)
… 20 more
After configuring Spark to use SSO it recogonizes the logged in username and the loading circle goes around a few times before prompting the message box "Unable to connect using Single Sign-On. Please check your principal and server settings.