SSO Setup Problems for Openfire and Spark

Openfire Openfire Support
1

Hello,

I am trying to setup SSO using Openfire and Spark. I setup LDAP through Openfire and it works fine with Spark. Now I am having problems with SSO working even from the server. I have used the following link, among others, to setup and troubleshoot the SSO:

http://community.igniterealtime.org/docs/DOC-1362

I appeared to have no problems setting up the Kerberos XMPP SPN nor the keytab. No warnings or error messages appeared. Looking at the Spark error.log whenever someone tries to connect using SSO it shows the following:

WARNING: Exception in Login:
SASL authentication GSSAPI failed: not-authorized:           at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
          at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
          at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
          at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
          at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
          at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
          at java.lang.Thread.run(Unknown Source)

I have attached all Openfire logs. Nothing showed in the debug.log nor the stderr.log so I did not attach it. If you look at the info.log you will also see similar lines like this:

org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

Attached is also the gss.conf and the openfire.xml files. However, since Openfire is now importing settings into the database the openfire.xml file may not contain all the System Properties information, so here it is:

admin.authorizedJIDs  administrator@saturn,remote@saturn,openfirexmpp@saturn      ldap.adminDN  cn=administrator,cn=users,dc=galaxy,dc=local      ldap.adminPassword  hidden      ldap.autoFollowAliasReferrals  true      ldap.autoFollowReferrals  false      ldap.baseDN  dc=galaxy,dc=local      ldap.connectionPoolEnabled  true      ldap.debugEnabled  false      ldap.emailField  mail      ldap.encloseDNs  true      ldap.groupDescriptionField  description      ldap.groupMemberField  member      ldap.groupNameField  cn      ldap.groupSearchFilter  (&(objectClass=group)(CN=Spark))      ldap.host  saturn      ldap.ldapDebugEnabled  false      ldap.nameField  cn      ldap.override.avatar  false      ldap.port  389      ldap.posixMode  false      ldap.searchFilter  (&(objectClass=organizationalPerson)(memberOf=CN=Spark,CN=Users,DC=galaxy,DC=local))      ldap.sslEnabled  false      ldap.usernameField  sAMAccountName  provider.auth.className  org.jivesoftware.openfire.ldap.LdapAuthProvider      provider.group.className  org.jivesoftware.openfire.ldap.LdapGroupProvider      provider.user.className  org.jivesoftware.openfire.ldap.LdapUserProvider      provider.vcard.className  org.jivesoftware.openfire.ldap.LdapVCardProvider      sasl.gssapi.config  C:/Program Files/Openfire/conf/gss.conf      sasl.gssapi.debug  true      sasl.gssapi.useSubjectCredsOnly  false      sasl.mechs  GSSAPI      sasl.realm  GALAXY.LOCAL      update.lastCheck  1319564853478      xmpp.auth.anonymous  true      xmpp.domain  saturn      xmpp.session.conflict-limit  0      xmpp.socket.ssl.active  true

Here is also my krb5.ini file:

[libdefaults]
    default_realm = GALAXY.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5 [realms]
    REALM.COM = {
        kdc = saturn.galaxy.local
        admin_server = saturn.galaxy.local
        default_domain = galaxy.local
    } [domain_realms]
    galaxy.local = GALAXY.LOCAL
    .galaxy.local = GALAXY.LOCAL

And I have entered the following registery keys for the workstation and server:

Server: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1 Workstation: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

So, can anyone take a look at this and tell me why it would not be authenticating or what I could possibly be missing? The only thing I could think of is that is has something to do with the provider and authorization lines in my XML file. That somehow it’s not using the correct class to authenticate.

Please let me know what suggestions you guys may have.

Thanks!

-Chris
error.log.zip (2628 Bytes)
info.log.zip (3043 Bytes)
warn.log.zip (672 Bytes)
gss.conf.zip (340 Bytes)
openfire.xml (2049 Bytes)

2

is openfire running on a windows machine or linux?

3

Windows Server 2003 Standard. I also discovered that this program may use Reverse DNS Lookup and that needs to be setup on the server before SSO will work. Do you know if this is true?

4

yes, you need to have dns setup to include a ptr record. Is your workstation windows 7 or xp?

5

I believe the issue was in fact Reverse Lookup not being setup on this server. I thought I read they were planning on having this fixed in later versions. Do you know what they are planning on doing or what the reason is for needing Reverse Lookup setup?

I am using Windows XP machines.

6

is your windows server joined to the domain?

7

Yes it is

8

Here are my notes. I’ve been 100% on getting sso to work in a windows environment.

Make sure the server you are using to host openfire is joined to your domain

Make sure your DNS records are correct, which includes a PTR record

Download and installed windows resource tools and windows support tools

Created your krb5.ini file *note - everything is case sensitive in this file.

Created two AD accounts.
examples

ldap - used for ldap lookups

keytab - used for keytab file and mappings -set password not to expire and user can’t change password.

*Note - all the commands below are case sensitive

WARNING. You can only map this to one user account. If it gets mapped to more than one user, SSO will not work!

Service Princapal Mapping

setspn -A xmpp/fqdn_of_openfire_server@AD-DOMAIN keytab

ktpass -princ xmpp/fqdn_of_openfire_server@AD-DOMAIN -mapuser keytab -pass * -ptype KRB5_NT_PRINCIPAL

*note You will be prompt for a password, use the same password used when you created the “keytab” user account

Create the keytab file

from the /openfire/jre/bin or from /java/jre/bin

ktab -k jabber.keytab -a xmpp/fqdn_of_openfire_server@AD-DOMAIN

Test Jabber.keytab (keytab file)

kinit -k -t jabber.keytab xmpp/fqdn_of_openfire_server@AD-DOMAIN “password”

If nothing is returned and you receive no errors, your keytab file should be good to go.

If you get errors, reset keytab user account’s password in AD using the same password as before and retest

copy japper.keytab to openfire server \Program Files\Openfire\resources

create gss.conf and copy it c:\program files\openfire\conf

Make sure the following are in your openfire system properties Copy your krb5.ini to workstations

sasl.gssapi.config C:\Program Files\Openfire\conf\gss.conf (location of your gss.conf)

sasl.gssapi.debug false

sasl.gssapi.useSubjectCredsOnly false

sasl.mechs GSSAPI

sasl.realm AD.DOMAIN

xmpp.domain server1.AD.DOMAIN (or whatever your xmpp domain is)

xmpp.fqdn server1.AD.DOMAIN

Copy your krb5.ini to your workstations

Make the required regestry edits.

9

Thanks a bunch for all the info! Looks like my issue was the Reverse Lookup not being setup on the server. So I was 99% there before posting this discussion. Thanks again!

10

I am having this same issue but I have no DNS issue. If anyone has any ideas I would be grateful.

1 Like
11

I am having the same issue, solved by sync the time with ntp server

it was 7 minute differs between openfire server and a domain controller