I have Openfire 3.7.1 w/JRE running on a Windows 2008 domain controller, so my KDC is my Openfire server. I have configured everything exactly as stated in this HOWTO: http://community.igniterealtime.org/docs/DOC-1362
(I just changed the server name, domain name, and realm name to match my environment where appropriate. In this post I’ve changed my username, server name, domain name and realm back to generic terms for security purposes.)
On my client workstation I have Spark 2.5.8 and JRE 1.6 Update 27. I added the required registry entry for AllowTGTSessionKey. When I configure Spark for SSO I see username@REALM.COM next to Account.
Each time I attempt to login from Spark I get this in stdout.log:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is D:/Program Files/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/server.domain.com@REALM.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal’s key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/server.domain.com@REALM.COM
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: D6 3E 64 3E 5B 4C C8 34
Added server’s keyKerberos Principal xmpp/server.domain.com@REALM.COMKey Version 11key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: D6 3E 64 3E 5B 4C C8 34
[Krb5LoginModule] added Krb5Principal xmpp/server.domain.com@REALM.COM to Subject
And this in info.log:
org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context
I’ve gone over the instructions over and over again. I’ve tried creating the keytab file with ktpass and ktab with the same results. The one I’m using now was created with this command:
ktpass -princ xmpp/server.domain.com@REALM.COM -mapuser email@example.com -pass * -ptype KRB5_NT_PRINCIPAL
I can run klist tgt on the server and the workstation and I get what I expected.
So what did I do wrong? Are there commands I can run to see if certain parts of my setup are wrong? Maybe a Java command to verify Kerberos from the workstation or the server?
Any help would be greatly appreciated.
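Added example (not part of the original post, and not Openfire or Spark code): a loop-back GSSAPI check written for the kind of question asked above. It reproduces, in one JVM, what the two ends do: the server half logs in from the keytab with the same Krb5LoginModule options shown in the stdout.log above and then builds an ACCEPT_ONLY credential for the host-based name `xmpp@<server>`, which is the step at which Java's SASL GSSAPI server raises "Failure to initialize security context"; the client half reuses the Windows logon TGT from the LSA cache (the AllowTGTSessionKey setting) and drives a full GSSAPI handshake against that credential. The service principal, server name, realm and keytab path are assumed values copied from the post; the check is meant to be run on the Openfire server while logged on as a domain user, with either a krb5.ini or the `java.security.krb5.realm` / `java.security.krb5.kdc` system properties set so Java can find the KDC.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * KrbCheck: loop-back GSSAPI test. Server half = keytab login + acceptor credential
 * (what Openfire's SASL GSSAPI layer does); client half = logon TGT from the LSA
 * cache (what Spark does). All names and paths below are assumed values from the post.
 */
public class KrbCheck {
    static final String XMPP_DOMAIN = "server.domain.com";                           // assumed
    static final String SERVICE     = "xmpp/" + XMPP_DOMAIN + "@REALM.COM";          // assumed
    static final String KEYTAB      = "D:/Program Files/Openfire/resources/xmpp.keytab"; // assumed
    static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** JAAS entries built in code so the check needs no jaas.conf file. */
    static class CheckConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> o = new HashMap<String, String>();
            o.put("debug", "true");
            o.put("doNotPrompt", "true");
            if (name.equals("server")) {
                // Same options as the Openfire log: the key comes from the keytab.
                o.put("useKeyTab", "true");
                o.put("keyTab", KEYTAB);
                o.put("storeKey", "true");
                o.put("principal", SERVICE);
                o.put("isInitiator", "false");
            } else {
                // Client side: reuse the Windows logon TGT (needs AllowTGTSessionKey).
                o.put("useTicketCache", "true");
            }
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                KRB5_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, o) };
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(new CheckConfig());
        final GSSManager mgr = GSSManager.getInstance();
        final Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID

        // Step 1: can the keytab entry be used to log in at all?
        LoginContext server = new LoginContext("server");
        server.login();
        System.out.println("[ok] keytab login as " + server.getSubject().getPrincipals());

        // Step 2: can Java read this machine's logon TGT from the LSA cache?
        LoginContext client = new LoginContext("client");
        client.login();
        System.out.println("[ok] ticket-cache login as " + client.getSubject().getPrincipals());

        // Step 3: build the acceptor credential for the host-based SASL name, inside the
        // server Subject so it can find the keytab keys. Java resolves xmpp@host to a
        // principal using DNS canonicalisation and the default realm; the resolved name
        // must match the keytab principal or no key will be found.
        final GSSCredential serverCred = Subject.doAs(server.getSubject(),
            new PrivilegedExceptionAction<GSSCredential>() {
                public GSSCredential run() throws GSSException {
                    GSSName svc = mgr.createName("xmpp@" + XMPP_DOMAIN, GSSName.NT_HOSTBASED_SERVICE);
                    System.out.println("[..] " + svc + " resolves to " + svc.canonicalize(krb5));
                    return mgr.createCredential(svc, GSSCredential.INDEFINITE_LIFETIME,
                        krb5, GSSCredential.ACCEPT_ONLY);
                }
            });
        System.out.println("[ok] acceptor credential for " + serverCred.getName());

        // Step 4: full handshake. The initiator runs as the client Subject (it needs the
        // TGT to fetch a service ticket); the acceptor uses the explicit keytab credential.
        String result = Subject.doAs(client.getSubject(), new PrivilegedExceptionAction<String>() {
            public String run() throws GSSException {
                GSSName target = mgr.createName("xmpp@" + XMPP_DOMAIN, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext init = mgr.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
                init.requestMutualAuth(true);
                GSSContext acc = mgr.createContext(serverCred);
                byte[] tok = new byte[0];
                // Shuttle tokens between the two halves until both report established.
                while (!init.isEstablished() || !acc.isEstablished()) {
                    if (!init.isEstablished()) tok = init.initSecContext(tok, 0, tok.length);
                    if (tok == null || tok.length == 0) break;          // nothing left to deliver
                    if (!acc.isEstablished()) tok = acc.acceptSecContext(tok, 0, tok.length);
                    if (tok == null) tok = new byte[0];
                }
                if (!acc.isEstablished()) throw new GSSException(GSSException.FAILURE);
                return acc.getSrcName() + " authenticated to " + acc.getTargName()
                    + (acc.getMutualAuthState() ? " (mutual)" : "");
            }
        });
        System.out.println("[ok] " + result);
    }
}
```

Compile with `javac KrbCheck.java` and run with `java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=REALM.COM -Djava.security.krb5.kdc=server.domain.com KrbCheck` (realm and KDC are assumed values; a krb5.ini works instead of the properties). Whichever step throws tells you where to look: step 1 is the keytab itself, step 2 is the LSA cache and AllowTGTSessionKey, step 3 is the same path on which Openfire logs "Failure to initialize security context" (compare the printed resolved name with the keytab principal), and step 4 fails if the service ticket's key version or encryption type has no matching entry in the keytab. The posted log shows a keytab entry with keyType=3, which is des-cbc-md5, and Key Version 11; the acceptor can only decrypt a ticket the KDC issued with that same enctype and kvno, so those two values are worth comparing against what the Windows `klist tickets` output reports for the xmpp service ticket.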