SSO Setup Issues - SASL Authentication Failed

I’ve been wrestling with this ‘three-headed dog’ of an error for a few days now. I’ve been reading and searching but I haven’t found the answer yet.

To the best of my knowledge, I have read and followed the directions written by slushpupie and Poppa Smurf.

I have added the registry value on the client, and the krb.ini is in place.

I used ktpass to generate the key table file, but I have also tried the Java utility from the Openfire JRE folder, and when I used that keytab it didn’t seem to help.

I’ve looked at the logs in Openfire for useful data, but I don’t know what to look for there, and I haven’t noticed anything in the Openfire server logs that is helpful. When I enable SSO in Spark my username shows up, but when I try to log in it gives me the error “Please check your principle and server settings”. I know there are a lot of parts that need to be in place to get this to work, so here we go (sorry about the formatting):

ERROR from Spark warn.log

Mar 10, 2008 10:35:42 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)


krb5.ini

[libdefaults]
default_realm = MY.DOMAIN.COM
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
MY.DOMAIN.COM = {
kdc = mydc.my.domain.com
admin_server = mydc.my.domain.com
default_domain = my.domain.com
}

[domain_realm]
my.domain.com = MY.DOMAIN.COM
.my.domain.com = MY.DOMAIN.COM


gss.conf

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab="C:/Program Files/Openfire/resources/chat.keytab"
doNotPrompt=true
useKeyTab=true
realm="MY.DOMAIN.COM"
principal="xmpp/chat.my.domain.com@MY.DOMAIN.COM"
debug=true;
};


openfire.xml

<sasl>
<mechs>GSSAPI</mechs>
<!-- <mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->
<realm>MY.DOMAIN.COM</realm>
<gssapi>
<debug>true</debug>
<config>C:/Program Files/openfire/conf/gss.conf</config>
<useSubjectCredsOnly>false</useSubjectCredsOnly>
</gssapi>
</sasl>

<provider>
<authorization>
<classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</classList>
</authorization>
</provider>

Did you enable the registry setting on the clients?

Yes, I added that value into the client registry.

I caught a typo yesterday in my krb5.ini file, but I’m still getting the same error after fixing the file.

For some reason the Windows ktpass utility generated a bad keytab. After I fixed the issues in my krb5.ini file, I tried generating the keytab file with the Java ktab utility and now it is finally working.
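Since the thread ended with a keytab that did not match what the server expected, here is an added diagnostic (my own code, not Openfire's, Spark's or the JDK's) that parses a keytab in the MIT/Heimdal 0x0502 file format and checks it against the principal named in gss.conf and the permitted_enctypes line from krb5.ini. The keytabs it inspects are constructed in memory with dummy key bytes so the script runs offline; to check the real file, read C:/Program Files/Openfire/resources/chat.keytab into bytes and pass those to check_keytab instead.

```python
"""Parse a keytab (format 0x0502) and check principal/enctype against the
service configuration. Added example; not Openfire, Spark or JDK code."""
import struct

# Well-known Kerberos enctype numbers from the IANA registry.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1


def _pack_counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key, timestamp) tuples in the same
    layout ktab/ktpass write. Used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.split("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps))) + _pack_counted(realm.encode())
        for c in comps:
            body += _pack_counted(c.encode())
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, timestamp,
                            kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)            # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry: principal, kvno, enctype, enctype_name, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                               # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _nt, _ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key, pos = data[pos:pos + keylen], pos + keylen
        kvno = vno8
        if end - pos >= 4:                         # non-zero 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}")})
    return entries


def permitted_enctypes_from_krb5ini(text: str) -> set:
    """Extract the permitted_enctypes list from krb5.ini text."""
    for line in text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == "permitted_enctypes":
            return set(v.split())
    return set()


def check_keytab(data: bytes, expected_principal: str, permitted: set):
    """Return (ok, problems): does the keytab hold the acceptor's principal
    with at least one key the local Kerberos config is allowed to use?"""
    entries, problems = parse_keytab(data), []
    mine = [e for e in entries if e["principal"] == expected_principal]
    if not mine:
        found = sorted({e["principal"] for e in entries})
        problems.append(f"{expected_principal} is not in the keytab; it holds {found}")
    elif not any(e["enctype_name"] in permitted for e in mine):
        have = sorted({e["enctype_name"] for e in mine})
        problems.append(f"no key for {expected_principal} uses a permitted enctype; have {have}")
    return (not problems, problems)


SERVICE_PRINCIPAL = "xmpp/chat.my.domain.com@MY.DOMAIN.COM"     # from gss.conf above
KRB5_INI = "permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5\n"
PERMITTED = permitted_enctypes_from_krb5ini(KRB5_INI)
TS = 1205152542
# Constructed sample keytabs; the key bytes are dummies, not real secrets.
GOOD_KEYTAB = build_keytab([(SERVICE_PRINCIPAL, 3, 23, bytes(range(16)), TS),
                            (SERVICE_PRINCIPAL, 3, 16, bytes(range(24)), TS)])
# Right name but only an AES key (not in permitted_enctypes), RC4 key under another name.
MISMATCHED_KEYTAB = build_keytab([(SERVICE_PRINCIPAL, 3, 18, bytes(range(32)), TS),
                                  ("host/chat.my.domain.com@MY.DOMAIN.COM", 3, 23, bytes(range(16)), TS)])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("mismatched", MISMATCHED_KEYTAB)):
        for e in parse_keytab(kt):
            print(f"{label}: {e['principal']} kvno={e['kvno']} {e['enctype_name']}")
        print(label, check_keytab(kt, SERVICE_PRINCIPAL, PERMITTED))
```

The two failure modes it flags are the ones a GSSAPI acceptor cannot recover from: the principal string in the keytab differs from the one in gss.conf (service name, host name or realm case), or every key for that principal uses an enctype the krb5.ini does not permit. A kvno mismatch with the KDC is a third possibility that needs the KDC's view, so the script only reports what the file itself says.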