SSO when xmpp-domain name different from server name

Hi everyone.

I’m using Openfire 3.8.1 on Windows Server 2008 R2 with the name “SRV-1C”, and I have working SSO with an xmpp-domain called “srv-1c”. What should I do if I want to call the xmpp-domain, for example, “spark”?
I tried to do it, but I’m having a problem.

I added a DNS record of type (A) at the same IP address, and received two (PTR) records (srv-1c.domain.com, spark.domain.com) on one IP. I think it is wrong.
When I try to connect to the Openfire server, the DNS server registers these records:

17.04.2013 10:26:05 0E80 PACKET 0000000003879D30 UDP Rcv 192.168.42.201 4d16 Q [0001 D NOERROR] PTR (1)8(2)42(3)168(3)192(7)in-addr(4)arpa(0)
17.04.2013 10:26:05 0E80 PACKET 0000000003879D30 UDP Snd 192.168.42.201 4d16 R Q [8085 A DR NOERROR] PTR (1)8(2)42(3)168(3)192(7)in-addr(4)arpa(0)
17.04.2013 10:26:05 0E80 PACKET 00000000066A1D70 UDP Rcv 192.168.42.201 cc7a Q [0001 D NOERROR] A (6)srv-1c(5)domain(2)com(0)
17.04.2013 10:26:05 0E80 PACKET 00000000066A1D70 UDP Snd 192.168.42.201 cc7a R Q [8085 A DR NOERROR] A (6)srv-1c(5)domain(2)com(0)

and the Spark client could not connect to the server.

If I add a record (192.168.42.8 spark.domain.com) to the C:\Windows\System32\drivers\etc\hosts file on the Windows client and on the server “SRV-1C”, it works.
But I don’t want to edit the hosts file. Is there any other way to do it?

Sorry for my bad English.

As far as I know, you need to change the parameter xmpp.domain on the server to the new domain and create a new keytab with the new name.

I already changed the name of my Openfire server, and I generated a new keytab. SSO works fine. I have another problem: my client (Spark) doesn’t see the server (Openfire) if I use SSO. Now I’m using an xmpp.domain named “spark” on the computer named “srv-1c”.

It sounds to me that the problem is not your setup, but your DNS server reporting the wrong name.

Instead of creating two PTR records, try to create just one PTR record with the FQDN name and an ALIAS with the xmpp domain name pointing to the real FQDN of the server. I have it like that and it works fine.

The DNS server reported the correct name, because IP 192.168.42.8 is SRV-1C.

But the program (Spark client) wants to see a server name that looks like “spark.domain.com” on this IP.

I tried using the “hosts” file instead of DNS and it’s working. But I’m searching for an alternate way to tell Spark that 192.168.42.8 = spark.domain.com.

I changed the record type for “Spark” to CNAME and set the real FQDN as srv-1c.domain.com. The DNS responses have not changed.

18.04.2013 8:33:43 0AC0 PACKET 000000000BBA8020 UDP Rcv 192.168.42.201 7b09 Q [0001 D NOERROR] A (5)spark(5)DOMAIN(2)COM(0)
18.04.2013 8:33:43 0AC0 PACKET 000000000BBA8020 UDP Snd 192.168.42.201 7b09 R Q [8085 A DR NOERROR] A (5)spark(5)DOMAIN(2)COM(0)
18.04.2013 8:33:44 0AC0 PACKET 00000000050CE4E0 UDP Rcv 192.168.42.201 c31c Q [0001 D NOERROR] PTR (1)8(2)42(3)168(3)192(7)in-addr(4)arpa(0)
18.04.2013 8:33:44 0AC0 PACKET 00000000050CE4E0 UDP Snd 192.168.42.201 c31c R Q [8085 A DR NOERROR] PTR (1)8(2)42(3)168(3)192(7)in-addr(4)arpa(0)
18.04.2013 8:33:44 0AC0 PACKET 00000000071F5FF0 UDP Rcv 192.168.42.201 a85a Q [0001 D NOERROR] A (6)srv-1c(5)domain(2)com(0)
18.04.2013 8:33:44 0AC0 PACKET 00000000071F5FF0 UDP Snd 192.168.42.201 a85a R Q [8085 A DR NOERROR] A (6)srv-1c(5)domain(2)com(0)

The Spark client also could not connect to the server.

Hello friend,

Which DNS server are you using, a local DNS server or a third-party DNS server?

This issue will be solved if you use a live static IP by using a third-party DNS server.

I’m using the Microsoft DNS role on Win2008R2. Also, the server “srv-1c” is configured to use a static IP address.

“Live static IP” - what does it mean? Can you give me a link about it?

Hello Roman,

Live static IP means a WAN IP or public IP, which we normally receive from our ISP. For more information,

the link is below:

http://www.debianadmin.com/private-and-public-ip-addresses-explained.html

After that you need to use a third-party DNS server, for example zoneedit.com.

Hello Kishor, thank you for the explanation. I knew this expression (“live static IP”) as “white IP”.

I solved my problem. The reason was in the servicePrincipalName. When I changed the parameter xmpp.domain of my server, I also changed the SPN of the “xmpp-openfire” account and set it to xmpp/spark.domain.com. When the Spark client resolved the IP to the FQDN, it received the “srv-1c” name. And this is the name it uses to find the SPN in Active Directory.

I changed the properties of the “xmpp-openfire” account using adsiedit.exe and set the parameters “servicePrincipalName” and “userPrincipalName” like xmpp/srv-1c… and I created a new xmpp.keytab file.

Now it works. Thanks to all of you for the help.
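The fix described in the last two posts boils down to one rule: the SPN (and the keytab) must carry the name the client gets from reverse DNS of the server IP, not the xmpp.domain value. The following PowerShell script is an added example, not something posted in this thread or shipped with Openfire; it checks that rule from a domain-joined Windows machine and repairs the SPN and keytab if they disagree. It assumes the values from the thread (server IP 192.168.42.8, host srv-1c.domain.com, service account xmpp-openfire, realm DOMAIN.COM), the RSAT ActiveDirectory module for the final Get-ADUser check, and a keytab output path of C:\openfire\resources\xmpp.keytab, which is an assumption.

```powershell
# Added example (not from the thread): verify that the xmpp SPN matches the name a
# client obtains by reverse-resolving the server IP, then re-register it and
# regenerate the keytab. Run in an elevated PowerShell on a domain-joined host.
# Assumed values (from the thread): IP 192.168.42.8, realm DOMAIN.COM,
# service account xmpp-openfire. The keytab path below is an assumption.

$ServerIp   = '192.168.42.8'
$Realm      = 'DOMAIN.COM'
$SvcAccount = 'xmpp-openfire'
$KeytabPath = 'C:\openfire\resources\xmpp.keytab'   # assumption

# 1. What name does the client get for the server IP? Kerberos clients build the
#    target principal as xmpp/<this name>, so the SPN must match it exactly; a
#    CNAME for "spark" does not change the PTR answer, which is why the alias
#    in the thread did not help.
$ptrName     = [System.Net.Dns]::GetHostEntry($ServerIp).HostName.ToLower()
$expectedSpn = "xmpp/$ptrName"
"Reverse lookup of $ServerIp -> $ptrName"
"Expected SPN:   $expectedSpn"

# 2. Which xmpp SPNs are registered on the service account right now?
#    setspn -L prints a header line followed by one indented SPN per line.
$registered = setspn -L $SvcAccount |
    ForEach-Object { $_.Trim().ToLower() } |
    Where-Object { $_ -like 'xmpp/*' }
"Registered:     $($registered -join ', ')"

if ($registered -notcontains $expectedSpn) {
    # 3. Drop stale SPNs (e.g. xmpp/spark.domain.com) so the KDC never has two
    #    accounts or two names competing for the same service, then add the
    #    correct one. -S checks for duplicates before adding, -D deletes.
    foreach ($stale in $registered) { setspn -D $stale $SvcAccount }
    setspn -S $expectedSpn $SvcAccount

    # 4. Regenerate the keytab for the corrected principal. ktpass resets the
    #    account password (-pass *) and, by default, also sets userPrincipalName
    #    to the principal given in -princ, matching the adsiedit change above.
    ktpass -princ "$expectedSpn@$Realm" -mapuser "$SvcAccount@$Realm" `
           -pass * -crypto All -ptype KRB5_NT_PRINCIPAL -out $KeytabPath
    "Copy $KeytabPath to the Openfire server and restart Openfire."
}

# 5. Confirm: servicePrincipalName must equal xmpp/<reverse-DNS name>.
Get-ADUser $SvcAccount -Properties servicePrincipalName, userPrincipalName |
    Select-Object Name, servicePrincipalName, userPrincipalName
```

Two points worth keeping in mind when running this: ktpass with `-pass *` changes the service account's password, so every older keytab for that account stops working the moment it runs; and xmpp.domain can stay "spark" for the XMPP side, because only the Kerberos principal has to follow the host's reverse-DNS name.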