I’ve been wrestling with this ‘three-headed dog’ of an error for a few days now. I’ve been reading and searching, but I haven’t found the answer yet.
To the best of my knowledge, I have read and followed the directions written by slushpupie and Poppa Smurf.
I have added the registry value on the client, and the krb.ini is in place.
I used ktpass to generate the key table file, but I have also tried the Java utility from the Openfire JRE folder, and when I used that keytab it didn’t seem to help.
I’ve looked at the logs in Openfire for useful data, but I don’t know what to look for there; I haven’t noticed anything in the Openfire server logs that is helpful. When I enable SSO in Spark my username shows up, but when I try to log in it gives me the error “Please check your principle and server settings”. I know there are a lot of parts that need to be in place to get this to work, so here we go (sorry about the formatting):
ERROR from Spark warn.log
Mar 10, 2008 10:35:42 AM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
krb5.ini
[libdefaults]
    default_realm = MY.DOMAIN.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
    MY.DOMAIN.COM = {
        kdc = mydc.my.domain.com
        admin_server = mydc.my.domain.com
        default_domain = my.domain.com
    }
[domain_realm]
    my.domain.com = MY.DOMAIN.COM
    .my.domain.com = MY.DOMAIN.COM
gss.conf
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/chat.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="MY.DOMAIN.COM"
    principal="xmpp/chat.my.domain.com@MY.DOMAIN.COM"
    debug=true;
};
openfire.xml
<sasl>
    <mechs>GSSAPI</mechs>
    <!-- <mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->
    <realm>MY.DOMAIN.COM</realm>
    <gssapi>
        <debug>true</debug>
        <config>C:/Program Files/openfire/conf/gss.conf</config>
        <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
</sasl>
<provider>
    <authorization>
        <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</classList>
    </authorization>