Hey guys, I am trying to implement SSO on our Spark server.
I have the latest version of Spark and of Openfire,
I have followed the SSO instructions and I keep getting "please check your principal and server settings".
I have checked my Spark logs and this is what I have:
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
One thing I noticed when I got it working was that I should force it to use a specific XMPP host in the config in Spark before you log in, and that should be the same as the principal used in the gss.conf. In your case it should be “lonspk01.oyez_press.com”, and then you can use the xmpp.domain address you have to connect to as the address, or whatever address to connect to your server, but it should be the same as your “xmpp.domain” or “xmpp.fqdn”.
I also found out that the krb5.ini works best with only rc4-hmac enctypes and skipping the rest, for some reason.
You need to have a user so the XMPP server can auth for Kerberos.
Create a user named xmppauth (can be whatever) and set a password on it and remember it (in this example “xmpppass”).
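A pre-flight consistency check for the settings this reply describes, written here as an added example (it is not part of the thread, nor Openfire or Spark code): it parses a constructed krb5.ini and gss.conf and reports the mismatches that lead to the "check your principal and server settings" error. The hostname and Openfire property names come from the thread; the realm EXAMPLE.REALM and the keytab path are placeholders.

```python
# Consistency check for the Kerberos SSO settings discussed above (added example).
import re

# Constructed krb5.ini: only rc4-hmac enctypes, as the reply recommends.
KRB5_INI = """[libdefaults]
default_realm = EXAMPLE.REALM
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
"""
# Constructed gss.conf (JAAS): the principal host must equal Spark's XMPP host.
GSS_CONF = """com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true useKeyTab=true doNotPrompt=true
    keyTab="C:/placeholder/path/xmpp.keytab"
    principal="xmpp/lonspk01.oyez_press.com@EXAMPLE.REALM";
};
"""
OPENFIRE_PROPS = {"sasl.gssapi.debug": "true",  # as posted in the thread
                  "sasl.gssapi.useSubjectCredsOnly": "false"}

def enctypes(krb5_ini):
    """Every enctype named under the *_enctypes keys of krb5.ini."""
    keys = r"^\s*(?:default_tkt|default_tgs|permitted)_enctypes\s*=\s*(.+)$"
    return {e for m in re.finditer(keys, krb5_ini, re.M) for e in m.group(1).split()}

def principal(gss_conf):
    """(service, host, realm) from the JAAS principal="svc/host@REALM" entry, or None."""
    m = re.search(r'principal\s*=\s*"([^/"]+)/([^@"]+)@([^"]+)"', gss_conf)
    return m.groups() if m else None

def check_sso_config(krb5_ini, gss_conf, spark_xmpp_host, props):
    """Return the mismatches behind 'check your principal and server settings'."""
    problems = []
    p = principal(gss_conf)
    if p is None:
        problems.append('gss.conf: no principal="service/host@REALM" entry')
    else:
        _, host, realm = p
        if host.lower() != spark_xmpp_host.lower():
            problems.append(f"host mismatch: Spark uses {spark_xmpp_host!r}, principal has {host!r}")
        m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_ini, re.M)
        if m and m.group(1) != realm:
            problems.append(f"realm mismatch: krb5.ini {m.group(1)!r} vs principal {realm!r}")
    extra = enctypes(krb5_ini) - {"rc4-hmac"}
    if extra:
        problems.append(f"krb5.ini: enctypes other than rc4-hmac: {sorted(extra)}")
    if props.get("sasl.gssapi.useSubjectCredsOnly", "true").lower() != "false":
        problems.append("Openfire: sasl.gssapi.useSubjectCredsOnly must be false")
    return problems
```

Run it with the host typed into Spark's Advanced -> Connection -> Host field; an empty list means the principal, realm, enctypes and Openfire properties agree.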
When you talk about the host in the config of Spark, I take it you mean the server box under username and password on the client itself? That is set to lonspk01.oyez_press.com.
I have taken out all other encryption types from my krb5 and just left rc4 in it.
I already have a user created for XMPP authing; it's called xmpp-openfire, but I cannot log on manually with that account, maybe it didn't get created correctly.
When running KTPASS, should I run that on my Openfire server, because I was running it on my primary BDC…
I will create a new folder structure and copy the keytab and gss into the new structure.
Here are my GSSAPI settings, I think they are correct.
sasl.gssapi.debug = true
sasl.gssapi.useSubjectCredsOnly = false
In regards to the SRV records, I take it they are placed under _tcp…
_jabber > lonspk01
_kerberos > points to every one of our BDCs
_xmpp-clients > not sure where this should point to
_xmpp_server > not sure where this should point to either
Sorry if it seems I'm asking a lot of questions; I haven't done much work with SRV records.
In the server box in the login dialog I use a DNS alias to connect, but the XMPP host is in Advanced -> Connection -> Host.
The logon thing is something I have not solved, but it must be able to log on at least on the Openfire server machine, because it wants to auth in your AD and it must be allowed to log on to the server at least…
I think the ktpass should be run on your AD server at least.
The _xmpp-client and _xmpp-server point at our DNS alias that points to the Openfire server, basically…
It's very tricky and can break very easily, I have noticed. Also, something I noticed was that when I was upgrading to the 3.7.0 server the SSO broke on both the old 3.6.4 and the new 3.7.0, and I have not figured it out yet…