SSO / Single Sign On (Windows) - working, some thoughts

Openfire Openfire Support
1

I’ve tried SSO before, spending a hours in the evening for several days and got nowhere. It was tremendously frustrating and I left it. It’s been nagging at me ever since and I came back to it yesterday with renewed determination.

I’ve just got it working and want to write some thoughts down while still fresh in mind. I know these are rather haphazard, but I hope they are of use to someone. If I can clarify anything or answer any questions, please ask sooner rather than later

SSO Configuration

http://www.igniterealtime.org/community/docs/DOC-1060 is a very good guide. If I’d found it and followed it first, it might have worked first time.

This setup is Server 2003 (Openfire on the domain controller), Vista client, Latest Openfire (3.5), latest Spark (2.5.8).

http://www.igniterealtime.org/community/docs/DOC-1060

For a while I was confused about naming, as a lot of the examples are in the form EXAMPLE.COM and SERVER.EXAMPLE.COM, but we run a domain with a subdomain SITE.EXAMPLE.COM and server of SERVER.SITE.EXAMPLE.COM. I wondered if I ought to leave out the SITE. part - the answer is no; I should keep it. In the krb5.ini file, in the ktpass command, everywhere.

Speaking of this, my server-side KRB5.ini looks like this:

[libdefaults]
default_realm = SITE.EXAMPLE.COM [realms]
SITE.EXAMPLE.COM = {
kdc = domaincontroller.site.example.com
admin_server = domaincontroller.site.example.com
default_domain = SITE.EXAMPLE.COM
}

I don’t seem to need a section.

I recommend the latest Openfire, Spark and Java versions. I couldn’t tell you precisely why, but a lot of searching while trying to make this work found people discussing odd problems with various kerberos/sso settings in Openfire/Wildfire 3.3, Java pre-5.9 and earlier Sparks.

Server side:

When you start Openfire, it reads the openfire.xml configuration and sees the GSSAPI authentication setting, but it will not try to read gss.conf until you try to authenticate with a client - so if you are watching with FileMon as I was, don’t worry.

  • In the Openfire console, I had added a system property xmpp.fqdn - it works without this. xmmpp.domain is set to the hostname of the server, short form.

  • The openfire server does not need to be running as any particular user account, e.g. the one you created for kerberos or LDAP connections.

  • SetSPN adds a ServicePrincipalName tag to a user or server account in ActiveDirectory. You can also see this, add it and remove it using ADSIEdit, look under the “Domain” option, not the “Configuration” or “Schema”, open the OU where the user is, and look at the properties of the user account.

  • Somewhere along the way I ended up with a servicePrincipalName attached to the kerberos user of xmpp/xmpp-openfire.site.example.com@SITE.EXAMPLE.COM - this is not the correct format. The @ and everything after it should not be there.

  • The kerberos user account does not have to be a domain admin

  • If you get the “Unable to obtain password for user” error in the Openfire logs, the keytab file is at fault.

  • If you get an error about it not being able to find a kdc for your domain, the KRB5.ini file is causing problems

  • If you get an error about pre-authentication being invalid, I think your keytab is causing problems. I think the solution is to recreate it with ktpass.exe, but also to add the extra option “-ptype KRB5_NT_PRINCIPAL” to the end of the command.

  • Error “Client not found in kerberos database (6)” is fixed by regenerating my keytab. I really don’t understand this one - if I run the ktpass.exe against the same kerberos user, but a new hostname, and output to a different keytab that openfire is not using, then restart openfire it breaks. This suggests that ktpass is doing something else behind the scenes apart from creating the keytab and adding the SPN.

Spark client side:

  • 401 Not Authorized error in warn.log - I thought meant the “allowtgtsessionkey” registry key was missing, but apparently that’s not necessarily true

  • Spark does not always give helpful errors, “Could not log on with SSO, check your server and principal name” comes up even if the server is not running.

  • Spark (2.5.8) does not, for me, need a krb5.ini file

  • If you have Spark set to use SSO, then change the server name, the login button becomes disabled. Go to the advanced options, remove SSO, OK, then go back and enable SSO and OK. The login button is available again.

  • If you write a server name longer than the textbox, then hover the mouse over the advancedbutton, the spark flame graphic becomes messed up and about 15 pixels tall. This is not related to SSO at all, but is very weird.

Still, if it’s any consolation (which it wont be), I’ve tried to migrate this setup to another server - one that is not a domain controller and which has two NICs and an aliased name, and I can’t make it work. Spark is giving me the “401 not authorized” warning, Openfire logs aren’t showing anything at all, but the spark logs show this error is coming from the server.