
SSO Setup Issues - SASL Authentication Failed

I’ve been wrestling with this ‘three-headed dog’ of an error for a few days now. I’ve been reading and searching, but I haven’t found the answer yet. :expressionless:

To the best of my knowledge, I have read and followed the directions written by slushpupie and Poppa Smurf.

I have added the registry value on the client, and the krb.ini is in place.

I used ktpass to generate the key table file, but I have also tried the Java utility from the Openfire JRE folder, and when I used that keytab it didn’t seem to help.

I’ve looked at the logs in Openfire for useful data, but I don’t know what to look for there; I haven’t noticed anything in the Openfire server logs that is helpful. When I enable SSO in Spark my username shows up, but when I try to log in it gives me the error “Please check your principle and server settings”. I know there are a lot of parts that need to be in place to get this to work, so here we go (sorry about the formatting):

ERROR from Spark warn.log

Mar 10, 2008 10:35:42 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
    at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
    at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
    at java.lang.Thread.run(Unknown Source)


default_realm = MY.DOMAIN.COM

default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5


kdc = mydc.my.domain.com

admin_server = mydc.my.domain.com

default_domain = my.domain.com


my.domain.com= MY.DOMAIN.COM

.my.domain.com = MY.DOMAIN.COM


com.sun.security.jgss.accept {




keyTab="C:/Program Files/Openfire/resources/chat.keytab"














<config>C:/Program Files/openfire/conf/gss.conf</config>






<classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</classList>


Did you enable the registry setting on the clients?

Yes, I added that value into the client registry.

I caught a typo yesterday in my krb5.ini file, but I’m still getting the same error after fixing the file.

For some reason the Windows ktpass utility generated a bad keytab. After I fixed the issues in my krb5.ini file, I tried generating the keytab file with the Java ktab utility and now it is finally working.
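
A keytab that is suspected of being bad can be inspected before Openfire is pointed at it. The following is an added example, not code from this thread or from Openfire: it parses the MIT keytab file format (version 0x0502) and checks that the file holds an entry for the service principal with an enctype from the permitted_enctypes line posted above. The principal xmpp/chat.my.domain.com@MY.DOMAIN.COM, the function names and the sample bytes are constructed assumptions.

```python
import struct

# Enctype numbers (IANA Kerberos registry) for names seen in krb5.ini files
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# permitted_enctypes from the krb5.ini posted above
PERMITTED = {"rc4-hmac", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}
# Constructed sample: one rc4-hmac entry, all-zero key, hypothetical principal
SAMPLE = (b"\x05\x02\x00\x00\x00\x48\x00\x02\x00\x0dMY.DOMAIN.COM\x00\x04xmpp"
          b"\x00\x12chat.my.domain.com\x00\x00\x00\x01\x00\x00\x00\x00\x03"
          b"\x00\x17\x00\x10" + bytes(16))

def _counted(data, p):  # 16-bit length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):  # -> [(principal, kvno, enctype name), ...]
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):         # name components, e.g. service and host
            comp, p = _counted(data, p)
            parts.append(comp.decode())
        kvno = data[p + 8]             # after name type (4) and timestamp (4)
        (etype,) = struct.unpack_from(">H", data, p + 9)
        _, p = _counted(data, p + 11)  # key bytes are skipped, never printed
        if end - p >= 4:               # optional non-zero 32-bit kvno wins
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(etype, "etype-%d" % etype)))
        pos = end
    return entries

def check_keytab(data, principal, permitted=PERMITTED):  # -> list of problems
    mine = [e for e in parse_keytab(data) if e[0] == principal]
    if not mine:
        return ["no entry for " + principal]
    if not any(e[2] in permitted for e in mine):
        return ["no key with a permitted enctype: " + ", ".join(e[2] for e in mine)]
    return []
```

An empty list from `check_keytab` means the file has at least one key the acceptor could use; the principal names and key version numbers it reports can then be compared with what the domain controller holds for the service account.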