SSO with Openfire 4.0.2 on ubuntu 14.04 and AD 2008R2

Hi to all.

I followed some guides on this forum, but I can’t get SSO working with the following configuration:

  • Openfire 4.0.2 on ubuntu 14.04 with JDK 1.8.0_77

  • Active Directory on a Win2008R2 server with 2008 compatibility

  • Miranda Client on a Win10 64bit

I started with this

Openfire: Enable Single Sign On (SSO) on Linux - Spiceworks

and read on and on throughout this forum.

These are my configuration files:

# cat /etc/krb5.conf

[libdefaults]
        default_realm = TSDN.AD
        dns_lookup_realm = true
        dns_lookup_kdc = true
        rdns = false

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                debug = true
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
                validate = true
        }

# cat /etc/samba/smb.conf

[global]
workgroup = TSDN
security = ads
realm = TSDN.AD
kerberos method = secrets and keytab
password server = win2k8.tsdn.ad

# cat /etc/openfire/gss.conf

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/etc/openfire/krb5.xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="TSDN.AD"
principal="xmpp/vm-gestsdn.tsdn.ad@TSDN.AD"
debug=true
isInitiator=false;
};

Content of /etc/openfire/krb5.xmpp.keytab

ktutil:  rkt /etc/openfire/krb5.xmpp.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3          xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   2    3          xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   3    3          xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   4    3          xmpp/vm-gestsdn.tsdn.ad@TSDN.AD
   5    3          xmpp/vm-gestsdn.tsdn.ad@TSDN.AD

On the Active Directory server:

C:\>setspn -l tsdnservices
Registered ServicePrincipalNames for CN=TSDN Services,CN=Users,DC=tsdn,DC=ad:
       xmpp/vm-gestsdn.tsdn.ad

If I try to login with username and password from a Linux desktop (using Pidgin), there’s no problem.

Then I try with Miranda, the client I use in my office, on a Win10 machine.

If I try to connect with username and password, no problem.
Then I configured it with:

Use Domain Login: checked
Domain / Server: vm-gestsdn.tsdn.ad

And it doesn’t work.

I can see in the XML Console that Miranda tries GSSAPI auth:

<auth mechanism="GSSAPI">SOME VERY LONG STRING</auth>

but the server responds with a

This is the log on the server:

2016.04.14 17:15:46 INFO  [socket_c2s-thread-2]: org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context

Where do I have to break my head to try to solve this problem?

I think it’s Kerberos that doesn’t work, but how can I proceed?

Thanks a lot to everyone!

Communication with Windows 2008 R2 and Windows 7 or higher most likely requires signing.

See https://blogs.oracle.com/blogbypuneeth/entry/configure_kerberos_with_weblogic_server

Add these lines to your /etc/krb5.conf

      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Add these lines to your /etc/samba/smb.conf

      client signing = auto

      server signing = auto

Here is a quick guide I put together a while ago.

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2

My guess with your problem might be either the encryption level, or your XMPP domain and SPN don’t match, so you have duplicate SPNs.
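The reply above points at two likely causes: the keytab not carrying an enctype the 2008R2 KDC will negotiate, and the service principal in gss.conf not matching the SPN actually in the keytab. The helper below, an added example that is not part of this thread or of Openfire, checks both against the text of `klist -kte` and the gss.conf fragment; the listing and timestamps are constructed to match the principal from the question.

```shell
#!/bin/sh
# Constructed sample of `klist -kte /etc/openfire/krb5.xmpp.keytab` output
# (the real command lists each key with its enctype in parentheses).
KEYTAB_LISTING='Keytab name: FILE:/etc/openfire/krb5.xmpp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/14/16 17:00:00 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD (aes256-cts-hmac-sha1-96)
   3 04/14/16 17:00:00 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD (aes128-cts-hmac-sha1-96)
   3 04/14/16 17:00:00 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD (arcfour-hmac)
   3 04/14/16 17:00:00 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD (des-cbc-crc)
   3 04/14/16 17:00:00 xmpp/vm-gestsdn.tsdn.ad@TSDN.AD (des-cbc-md5)'

# Constructed gss.conf fragment with the principal Openfire will accept for.
GSS_CONF='com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  keyTab="/etc/openfire/krb5.xmpp.keytab"
  principal="xmpp/vm-gestsdn.tsdn.ad@TSDN.AD"
  isInitiator=false;
};'

# Extract the principal="..." value from a gss.conf text.
gss_principal() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*principal="\([^"]*\)".*/\1/p'
}

# Print "principal (enctype)" for each key entry; header lines are skipped
# because their first field is not a numeric KVNO.
keytab_entries() {
    printf '%s\n' "$1" | awk 'NF >= 5 && $1 ~ /^[0-9]+$/ { print $4, $5 }'
}

# Succeed only if every key in the listing belongs to the expected principal.
check_keytab_principal() {
    keytab_entries "$1" | awk -v want="$2" '
        $1 != want { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Succeed if at least one key uses the given enctype, e.g. aes256-cts-hmac-sha1-96.
keytab_has_enctype() {
    keytab_entries "$1" | grep -q "($2)"
}

# Number of distinct principals; more than one means the keytab mixes SPNs.
keytab_principal_count() {
    keytab_entries "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}
```

Run the same functions on the real `klist -kte` output and your own gss.conf to confirm the principal and the enctypes listed in default_tkt_enctypes line up before re-testing the client.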