Hello,
I am trying to set up SSO using Openfire and Spark. I set up LDAP through Openfire and it works fine with Spark. Now I am having problems with SSO working, even from the server. I have used the following link, among others, to set up and troubleshoot the SSO:
http://community.igniterealtime.org/docs/DOC-1362
I appeared to have no problems setting up the Kerberos XMPP SPN or the keytab. No warnings or error messages appeared. Looking at the Spark error.log whenever someone tries to connect using SSO, it shows the following:
WARNING: Exception in Login: SASL authentication GSSAPI failed: not-authorized:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
I have attached all Openfire logs. Nothing showed in the debug.log or the stderr.log, so I did not attach those. If you look at the info.log you will also see similar lines like this:
org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. Failure to initialize security context
Attached is also the gss.conf and the openfire.xml files. However, since Openfire is now importing settings into the database the openfire.xml file may not contain all the System Properties information, so here it is:
admin.authorizedJIDs administrator@saturn,remote@saturn,openfirexmpp@saturn
ldap.adminDN cn=administrator,cn=users,dc=galaxy,dc=local
ldap.adminPassword hidden
ldap.autoFollowAliasReferrals true
ldap.autoFollowReferrals false
ldap.baseDN dc=galaxy,dc=local
ldap.connectionPoolEnabled true
ldap.debugEnabled false
ldap.emailField mail
ldap.encloseDNs true
ldap.groupDescriptionField description
ldap.groupMemberField member
ldap.groupNameField cn
ldap.groupSearchFilter (&(objectClass=group)(CN=Spark))
ldap.host saturn
ldap.ldapDebugEnabled false
ldap.nameField cn
ldap.override.avatar false
ldap.port 389
ldap.posixMode false
ldap.searchFilter (&(objectClass=organizationalPerson)(memberOf=CN=Spark,CN=Users,DC=galaxy,DC=local))
ldap.sslEnabled false
ldap.usernameField sAMAccountName
provider.auth.className org.jivesoftware.openfire.ldap.LdapAuthProvider
provider.group.className org.jivesoftware.openfire.ldap.LdapGroupProvider
provider.user.className org.jivesoftware.openfire.ldap.LdapUserProvider
provider.vcard.className org.jivesoftware.openfire.ldap.LdapVCardProvider
sasl.gssapi.config C:/Program Files/Openfire/conf/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm GALAXY.LOCAL
update.lastCheck 1319564853478
xmpp.auth.anonymous true
xmpp.domain saturn
xmpp.session.conflict-limit 0
xmpp.socket.ssl.active true
Here is also my krb5.ini file:
[libdefaults]
default_realm = GALAXY.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
REALM.COM = {
    kdc = saturn.galaxy.local
    admin_server = saturn.galaxy.local
    default_domain = galaxy.local
}

[domain_realms]
galaxy.local = GALAXY.LOCAL
.galaxy.local = GALAXY.LOCAL
And I have entered the following registry keys for the workstation and server:
Server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1

Workstation:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: AllowTGTSessionKey
Value Type: REG_DWORD
Value: 1
So, can anyone take a look at this and tell me why it would not be authenticating, or what I could possibly be missing? The only thing I could think of is that it has something to do with the provider and authorization lines in my XML file, that somehow it's not using the correct class to authenticate.
Please let me know what suggestions you guys may have.
Thanks!
-Chris
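A small checker for a krb5.ini like the one quoted in the post, added here as an example (it is not part of the original thread, nor code from Openfire or Spark): it parses the [libdefaults], [realms] and [domain_realm] sections and flags the things a troubleshooter checks first when the server logs "Failure to initialize security context", such as a default_realm with no matching [realms] block or a section name that is not one of the standard krb5 sections. POSTED_KRB5_INI is reconstructed from the post's file with the enctype lines omitted; KNOWN_SECTIONS, parse_krb5 and check_krb5 are names chosen for this example.

```python
import re
# Standard krb5.ini section names; anything else is almost always a typo.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults", "logging"}

def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value}}; 'NAME = { ... }' blocks nest."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments, whitespace
        if not line: continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_krb5(text):
    """Return a list of findings; an empty list means the basic checks pass."""
    conf, findings = parse_krb5(text), []
    for name in conf:
        if name not in KNOWN_SECTIONS:
            findings.append(f"unknown section [{name}]")
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no matching [realms] block")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return findings

# Reconstructed from the post's krb5.ini (enctype lines omitted).
POSTED_KRB5_INI = """[libdefaults]
default_realm = GALAXY.LOCAL
[realms]
REALM.COM = {
  kdc = saturn.galaxy.local
}
[domain_realms]
galaxy.local = GALAXY.LOCAL
"""
```

Run `check_krb5(POSTED_KRB5_INI)` to list the findings for the quoted file, and run it again on the corrected file to confirm the list is empty.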