Here is my SSO method:
Bind server to AD with desired name to get a FQDN you can use (alias won’t work)
Install Openfire (do not configure yet)
Create 2 AD domain admin users: 1 to tie the keytab to and one to be the LDAP bind
Configure server now for AD LDAP
Use the LDAP bind user in the LDAP settings
AdminDN can be LDAPbindusername@domain.com
Do not start server yet
Generate the keytab on domain controller openfire will look at:
C:>ktpass /princ xmpp/fqdn.of.chat.server@YOUR.DOMAIN.COM /mapuser xmpp-user@your.domain.com /pass * /out jabber.keytab
Copy keytab to c:\Program Files\Openfire\resources
Create gss.conf and copy to openfire server at c:\program files\openfire\conf:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:/Program Files/Openfire/resources/jabber.keytab"
doNotPrompt=true
useKeyTab=true
realm="YOUR.DOMAIN.COM"
principal="xmpp/fqdn.of.server@YOUR.DOMAIN.COM"
debug=true;
};
Create krb5.ini and copy to root of windows directory of every machine:
[libdefaults]
default_realm = YOUR.DOMAIN.COM
noaddresses = true
[realms]
DOMAIN.COM = {
kdc = fqdn.of.domain.controller
default_domain = your.domain.com
}
Add the following to your openfire.xml:
After :
<!-- Include a comma-separated list of the authentication mechanisms
to advertise support for to clients. Make sure GSSAPI is listed,
and best if it’s listed first. The order of mechanisms is important;
clients should try to use the first mechanism they support
(although not all will). Some clients will try to use the most
secure first.
You can add other mechanisms in order to support non-GSSAPI clients,
or clients who cannot authenticate to the realm (like Windows 9X,
off-site, and so on). Keep in mind that by allowing other mechanisms
you are compromising the security of your realm. Be sure to talk
to the Security Officer/Directory/Manager/Administrator about any
policies your organization might have before enabling less secure
mechanisms. By removing PLAIN and ANONYMOUS from the list, you will
also disable non-SASL authentications.
Keep in mind that a mechanism listed here might not actually be
advertised, such as when the authProvider can't support the mechanism.
PLAIN and ANONYMOUS mechanisms also enable non-SASL authentication
(the old style XMPP auth), so removing them from this list will
disallow non-SASL authentication. -->
<mechs>GSSAPI </mechs>
<!-- <mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->
<!-- Specify the realm you used when you created the service principal
and keytab.-->
<realm>YOUR.DOMAIN.COM</realm>
<!-- Mechanism-specific configuration here -->
<gssapi>
<!-- Use true to turn on debugging information. This adds a lot
of noise to your log files, but it can help you spot problems
sooner in the initial setup. -->
<debug>true</debug>
<!-- Specify the location of the GSSAPI configuration file you edited. -->
<config>C:\Program Files\Openfire\conf\gss.conf</config>
<!-- Sets the system property with the same name. You'll probably want
"false" here (the default). For more details, see
[http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html] -->
<useSubjectCredsOnly>false</useSubjectCredsOnly>
</gssapi>
Within add:
org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
Add this to all XP SP2 machines registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
Start the Openfire server
Try to connect via SSO