Hello,
I am trying to set up SSO using Openfire and Spark. I set up LDAP through Openfire and it works fine with Spark. Now I am having problems with SSO working even from the server. I have used the following link, among others, to set up and troubleshoot the SSO:
http://community.igniterealtime.org/docs/DOC-1362
I appeared to have no problems setting up the Kerberos XMPP SPN or the keytab. No warnings or error messages appeared. Looking at the Spark error.log whenever someone tries to connect using SSO, it shows the following:
WARNING: Exception in Login:
SASL authentication GSSAPI failed: not-authorized: at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
I have attached all Openfire logs. Nothing showed in the debug.log nor the stderr.log so I did not attach it. If you look at the info.log you will also see similar lines like this:
org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context
Also attached are the gss.conf and openfire.xml files. However, since Openfire is now importing settings into the database, the openfire.xml file may not contain all the System Properties information, so here it is:
admin.authorizedJIDs: administrator@saturn,remote@saturn,openfirexmpp@saturn
ldap.adminDN: cn=administrator,cn=users,dc=galaxy,dc=local
ldap.adminPassword: hidden
ldap.autoFollowAliasReferrals: true
ldap.autoFollowReferrals: false
ldap.baseDN: dc=galaxy,dc=local
ldap.connectionPoolEnabled: true
ldap.debugEnabled: false
ldap.emailField: mail
ldap.encloseDNs: true
ldap.groupDescriptionField: description
ldap.groupMemberField: member
ldap.groupNameField: cn
ldap.groupSearchFilter: (&(objectClass=group)(CN=Spark))
ldap.host: saturn
ldap.ldapDebugEnabled: false
ldap.nameField: cn
ldap.override.avatar: false
ldap.port: 389
ldap.posixMode: false
ldap.searchFilter: (&(objectClass=organizationalPerson)(memberOf=CN=Spark,CN=Users,DC=galaxy,DC=local))
ldap.sslEnabled: false
ldap.usernameField: sAMAccountName
provider.auth.className: org.jivesoftware.openfire.ldap.LdapAuthProvider
provider.group.className: org.jivesoftware.openfire.ldap.LdapGroupProvider
provider.user.className: org.jivesoftware.openfire.ldap.LdapUserProvider
provider.vcard.className: org.jivesoftware.openfire.ldap.LdapVCardProvider
sasl.gssapi.config: C:/Program Files/Openfire/conf/gss.conf
sasl.gssapi.debug: true
sasl.gssapi.useSubjectCredsOnly: false
sasl.mechs: GSSAPI
sasl.realm: GALAXY.LOCAL
update.lastCheck: 1319564853478
xmpp.auth.anonymous: true
xmpp.domain: saturn
xmpp.session.conflict-limit: 0
xmpp.socket.ssl.active: true
Here is also my krb5.ini file:
[libdefaults]
default_realm = GALAXY.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
REALM.COM = {
kdc = saturn.galaxy.local
admin_server = saturn.galaxy.local
default_domain = galaxy.local
}
[domain_realms]
galaxy.local = GALAXY.LOCAL
.galaxy.local = GALAXY.LOCAL
And I have entered the following registry keys for the workstation and server:
Server: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1
Workstation: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1
So, can anyone take a look at this and tell me why it would not be authenticating, or what I could possibly be missing? The only thing I can think of is that it has something to do with the provider and authorization lines in my XML file, and that somehow it's not using the correct class to authenticate.
Please let me know what suggestions you guys may have.
Thanks!
-Chris
error.log.zip (2628 Bytes)
info.log.zip (3043 Bytes)
warn.log.zip (672 Bytes)
gss.conf.zip (340 Bytes)
openfire.xml (2049 Bytes)
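The krb5.ini quoted in the post is the part of an Openfire/Spark SSO setup that most often carries a silent inconsistency: the stanza under [realms] has to be keyed by the same realm name that default_realm names, the domain-to-realm mapping section is spelled [domain_realm], and every mapping in it has to point at a realm the file defines. The Python script below is an added example, not code from the original post or from the Openfire project; it parses a krb5.ini and reports such inconsistencies, and also flags single-DES encryption types, which are deprecated. It embeds the posted krb5.ini as its sample input so it runs stand-alone.

```python
"""Consistency checks for a krb5.ini / krb5.conf used for GSSAPI SSO."""
import re

# Sample input: the krb5.ini quoted in the post above, reproduced here so
# the script runs stand-alone (section headers each on their own line).
POSTED_KRB5_INI = """\
[libdefaults]
default_realm = GALAXY.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
REALM.COM = {
kdc = saturn.galaxy.local
admin_server = saturn.galaxy.local
default_domain = galaxy.local
}
[domain_realms]
galaxy.local = GALAXY.LOCAL
.galaxy.local = GALAXY.LOCAL
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value | {subkey: value}}}.

    Handles the two shapes the format uses: flat `key = value` lines and
    brace-delimited blocks such as `REALM = { kdc = ... }` under [realms].
    Section and realm names are kept exactly as written, since Kerberos
    realm names are case-sensitive and a misspelled header is a finding.
    """
    config = {}
    section = None
    block_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            config.setdefault(section, {})
            block_name = None
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {raw!r}")
        if line == "}":
            block_name = None
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block_name = key
            config[section][key] = {}
        elif block_name is not None:
            config[section][block_name][key] = value
        else:
            config[section][key] = value
    return config


def check_krb5(config):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    libdefaults = config.get("libdefaults", {})
    realms = config.get("realms", {})
    default_realm = libdefaults.get("default_realm")

    if not default_realm:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        defined = ", ".join(sorted(realms)) or "none"
        findings.append(f"default_realm {default_realm!r} has no stanza under [realms] "
                        f"(defined: {defined}); this file names no KDC for it")
    for realm, stanza in realms.items():
        if not isinstance(stanza, dict) or "kdc" not in stanza:
            findings.append(f"[realms] {realm!r} has no kdc entry")

    if "domain_realm" not in config:
        # Catch the common misspelling so the operator sees why mappings are ignored.
        lookalikes = [s for s in config if s.lower().replace("_", "") in ("domainrealm", "domainrealms")]
        hint = f" (found {lookalikes[0]!r} instead; the section is spelled [domain_realm])" if lookalikes else ""
        findings.append("no [domain_realm] section" + hint)
    for domain, realm in config.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain!r} to undefined realm {realm!r}")

    for key in ENCTYPE_KEYS:
        weak = [e for e in libdefaults.get(key, "").split() if e.startswith("des-")]
        if weak:
            findings.append(f"[libdefaults] {key} lists single-DES enctypes {weak}; DES is deprecated (RFC 6649)")
    return findings


def check_krb5_text(text):
    """Convenience wrapper: parse and check in one call."""
    return check_krb5(parse_krb5(text))


if __name__ == "__main__":
    for finding in check_krb5_text(POSTED_KRB5_INI) or ["no problems found"]:
        print("-", finding)
```

Running the script prints one line per finding for the posted file; once the [realms] stanza name, the [domain_realm] header and the enctype lists agree with each other, it reports no problems. The same checks apply unchanged to a Linux krb5.conf, since the file format is identical.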