powered by Jive Software

What am I doing wrong with SSO?

Hi Guys,

I’ve installed Openfire 3.6.4, I followed the instructions at…

http://www.igniterealtime.org/community/docs/DOC-1060#Verify%20Your%20Kerberos%2 0Setup

Using Spark 2.5.8 as client, when trying to login using SSO, I get the message “Unable to connect using Single Sign-On. Please check your principal and server settings.”

If I turn off SSO, I can login and connect correctly using my AD login details.

I’ve uninstalled and reinstalled both the server and client and double checked the settings. I’m not sure if the problem is on the server side, or on the client side.

On the client, the Raw sent packets are…

<stream:stream to=“server.domain.com” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>

<stream:stream to=“server.domain.com” xmlns=“jabber:client” xmlns:stream=“http://etherx.jabber.org/streams” version=“1.0”>


adusername




adusername

spark

And the raw received packets are…

<?xml version='1.0' encoding='utf-8'?>

<stream:stream xmlns:stream=“http://etherx.jabber.org/streams” xmlns=“jabber:client” from=“server.domain.com” id=“b066b6ac” xml:lang=“en” version=“1.0”>
stream:features


GSSAPI


zlib



</stream:features>

<?xml version='1.0' encoding='UTF-8'?>

<stream:stream xmlns:stream=“http://etherx.jabber.org/streams” xmlns=“jabber:client” from=“server.domain.com” id=“b066b6ac” xml:lang=“en” version=“1.0”>
stream:features

GSSAPI


zlib



</stream:features>


adusername






adusername

spark




In the openfire debug log, I get…

2009.09.28 11:29:40 ConnectionHandler:
java.io.IOException: An existing connection was forcibly closed by the remote host
at sun.nio.ch.SocketDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(Unknown Source)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
at sun.nio.ch.IOUtil.read(Unknown Source)
at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.j ava:218)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcesso r.java:198)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProce ssor.java:45)
at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProce ssor.java:485)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2009.09.28 11:29:43 NIOConnection: startTLS: using c2s
2009.09.28 11:29:47 ConnectionHandler:
java.io.IOException: An existing connection was forcibly closed by the remote host
at sun.nio.ch.SocketDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(Unknown Source)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
at sun.nio.ch.IOUtil.read(Unknown Source)
at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.j ava:218)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcesso r.java:198)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProce ssor.java:45)
at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProce ssor.java:485)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Can someone tell me where I should start debugging?

I’ve also followed the instructions here…

http://www.igniterealtime.org/community/docs/DOC-1616

I deleted the original AD user, which was only a “domain user”

Created 2 new users, both now in the “Domain Admins” group. Hopefully they don’t need to be domain admins…

I used 1 user to create the Keytab, and used the other as administrator in the openfire LDAP setup.

Went through and double checked all the settings again, including:

registry entry on clients

krb5.ini on clients and server

gss.conf in conf folder

jabber.keytab in resources folder

sasl config in openfire.xml

Still having the same problem.

What else can I try?

And if this helps…

Clients are Vista SP2 + 2 Windows 7 RC

Openfire server is running on Windows 2003 R2

Turns out it’s a Vista issue.

Just tried it on XP, and SSO works perfectly.

I tried messing around with Kerberos Encryption, but it just made it worse. I tried both DES-CBC-CRC and DES-CBC-MD5, as suggested in this post

With the encryption changed, Spark couldn’t pick up the username to use for SSO.

Not sure what I changed, but now I can login using SSO if I right-click and run as administrator on Vista. But it still leaves it unusable on our network because users are not local admins.

Does anyone have SSO working on Vista? Or is this a dead end?

hey all i was getting the same problem and all it did was change the domain controller name eg domain.name.com to a ip address eg 192.168.10.1 and the SSO worked i don’t know what’s the cause but all the users can SSO and less problems for IT

It seems like a common problem with sso is that DNS is not set up correctly. You need to be sure that you have an A record (forward) and a PTR record (reverse).

Yes we have that setup public and private and still not working