
SSO - What did I do wrong?

I have Openfire 3.7.1 w/JRE running on a Windows 2008 domain controller so my KDC is my Openfire server. I have configured everything exactly as stated in this HOWTO: http://community.igniterealtime.org/docs/DOC-1362

(I just changed the server name, domain name, and realm name to match my environment where appropriate. In this post I’ve changed my username, server name, domain name and realm back to generic terms for security purposes.)

On my client workstation I have Spark 2.5.8 and JRE 1.6 Update 27. I added the required registry entry for AllowTGTSessionKey. When I configure Spark for SSO I see username@REALM.COM next to Account.

Each time I attempt to login from Spark I get this in stdout.log:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is D:/Program Files/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/server.domain.com@REALM.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/server.domain.com@REALM.COM
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: D6 3E 64 3E 5B 4C C8 34
Added server's keyKerberos Principal xmpp/server.domain.com@REALM.COMKey Version 11key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: D6 3E 64 3E 5B 4C C8 34
    [Krb5LoginModule] added Krb5Principal  xmpp/server.domain.com@REALM.COM to Subject
Commit Succeeded

And this in info.log:

org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

I’ve gone over the instructions over and over again. I’ve tried creating the keytab file with ktpass and ktab with the same results. The one I’m using now was created with this command:

ktpass -princ xmpp/server.domain.com@REALM.COM -mapuser xmpp-openfire@domain.com -pass * -ptype KRB5_NT_PRINCIPAL

I can run klist tgt on the server and the workstation and I get what I expected.

So what did I do wrong? Are there commands I can run to see if certain parts of my setup are wrong? Maybe a Java command to verify Kerberos from the workstation or the server?

Any help would be greatly appreciated.

Thanks,

Nathan
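The post asks for a command that checks parts of the setup. The Krb5LoginModule debug output already exposes three things the keytab contains: the principal name, the key version (Key Version 11) and the encryption type (keyType=3, which is des-cbc-md5 in the IANA Kerberos enctype registry). The following is an added example, not code from the original post or from Openfire: an offline inspector for MIT-format (version 0x0502) keytabs, the format ktpass and ktab write. It builds a constructed sample keytab from exactly the values printed in the log above (the hex key bytes are the ones in the debug output, not a real secret), parses it back, and reports the fields a practitioner would compare against the KDC's view of the mapped account. All names and the 8-byte sample key come from the post; the check messages are this example's own wording.

```python
"""Offline inspector for MIT-format (v0x0502) keytabs.

Added example, not code from the original post or from Openfire. It reads the
principal, realm, key version number (kvno), enctype and key length out of a
keytab without contacting a KDC, so the values can be compared with what the
domain controller actually holds for the mapped account.
"""
import struct

# Kerberos enctype numbers from the IANA Kerberos Parameters registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES and RC4-HMAC


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise entry dicts (principal, realm, kvno, enctype, key) as a v2 keytab."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps = e["principal"].split("/")
        body = struct.pack(">H", len(comps)) + _counted(e["realm"].encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name_type (1 = KRB5_NT_PRINCIPAL), timestamp, 8-bit vno
        body += struct.pack(">IIB", 1, e.get("timestamp", 0), e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])
        body += struct.pack(">I", e["kvno"])  # optional 32-bit vno written by current tools
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return a list of entry dicts; raises ValueError on a non-v2 header."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab (expected header 05 02)")
    entries, pos = [], 2

    def counted(at):
        (n,) = struct.unpack_from(">H", blob, at)
        return blob[at + 2:at + 2 + n], at + 2 + n

    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = counted(pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", blob, pos)
        key = blob[pos + 4:pos + 4 + keylen]
        pos += 4 + keylen
        kvno = vno8
        if end - pos >= 4:  # 32-bit vno present; it overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp})
    return entries


def check_keytab(blob: bytes, expected_principal: str, expected_realm: str):
    """Return findings comparing the keytab with the principal the service expects."""
    findings = []
    entries = parse_keytab(blob)
    if not any(e["principal"] == expected_principal and e["realm"] == expected_realm
               for e in entries):
        findings.append(f"no entry for {expected_principal}@{expected_realm}")
    for e in entries:
        name = ENCTYPE_NAMES.get(e["enctype"], f"enctype {e['enctype']}")
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']}: weak enctype {name}; confirm the KDC "
                            "still issues keys of this type for the mapped account")
        if e["realm"] != e["realm"].upper():
            findings.append(f"{e['principal']}: realm {e['realm']} is not upper-case")
        findings.append(f"{e['principal']}@{e['realm']}: kvno {e['kvno']} "
                        f"({name}, {len(e['key'])}-byte key)")
    return findings


# Constructed sample, not the poster's real keytab: the values are the ones the
# Krb5LoginModule debug output printed (principal, Key Version 11, keyType=3).
SAMPLE_KEYTAB = build_keytab([{
    "principal": "xmpp/server.domain.com", "realm": "REALM.COM", "kvno": 11,
    "enctype": 3, "key": bytes.fromhex("D63E643E5B4CC834"),
}])

if __name__ == "__main__":
    for line in check_keytab(SAMPLE_KEYTAB, "xmpp/server.domain.com", "REALM.COM"):
        print(line)
```

Run it against the real file with `check_keytab(open(path, "rb").read(), ...)` and compare the reported kvno with the mapped account's msDS-KeyVersionNumber attribute in Active Directory, and the enctype with the encryption types the account is allowed to use; every password reset or re-run of ktpass bumps the version on the KDC, so a keytab written before the last change no longer matches. The parser deliberately reads only the v0x0502 layout, which is what ktpass and ktab produce.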

I have the same problem. Did you ever have any luck?

No, I never got a response and eventually quit trying. We are still on the old version with NTLM authentication using Pandion as our client.