I am able to log in to Openfire without SSO, but when I try to use SSO I get this error in Spark.
On the server I get:
2012.03.29 09:53:31 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: jsmith
I have a Windows 2003 Domain and Openfire is installed on the PDC. I have made the registry changes and dropped in the krb5 file.
Any help?
speedy, March 29, 2012, 5:08pm (#2)
Did you create the user mapping and create the keytab file? If not, you need to do that as well.
I created the keytab file for sure. Where/how do I create the user mapping?
Doesn't the fact that it currently works with AD credentials mean the user mapping is correct?
speedy, March 29, 2012, 7:02pm (#5)
I guess I meant to say you have to create the user mapping for the service principal (SPN). Then once you do that, you create your keytab file.
Now... SSO uses Kerberos tickets to read login/password info from the OS and then passes that to the server. Signing on using a regular username and password is entered by the user and then authenticated against your LDAP.
I followed the instructions here to map the SPN and create the keytab file: http://community.igniterealtime.org/docs/DOC-1362
I recreated the keytab 2 times, once using the Windows utility and once using the Java one. No change.
Here is my gss.conf file:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        // realm must match the realm part of principal exactly (no trailing whitespace)
        realm="INCORPORATED.COM"
        principal="xmpp/SERVER1.INCORPORATED.COM@INCORPORATED.COM"
        debug=true;
};
krb5.ini:
[libdefaults]
    default_realm = INCORPORATED.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
    INCORPORATED.COM = {
        kdc = SERVER1.incorporated.com
        admin_server = SERVER1.incorporated.com
        default_domain = incorporated.com
    }
# the section is named [domain_realm] (singular); [domain_realms] is ignored by the Kerberos library
[domain_realm]
    incorporated.com = INCORPORATED.COM
    .incorporated.com = INCORPORATED.COM
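A small consistency checker for the two files posted above, added here as an example and not part of the thread or of Openfire's own tooling. It parses a gss.conf JAAS entry and a krb5.ini as plain text and reports the mistakes that most often make the GSSAPI acceptor fail silently so that Spark falls back to PLAIN: typographic quotes pasted into gss.conf, whitespace inside the realm value, a realm that differs between principal=, realm= and default_realm, a misspelled krb5.ini section such as [domain_realms], and a missing keytab file. The section and option names are the standard JAAS Krb5LoginModule and krb5.ini ones; the sample inputs are constructed to reproduce the shape of the posted configs, and the finding codes (GSS-QUOTES, KRB5-SECTION, ...) are this script's own labels.

```python
import difflib
import re
from pathlib import Path

KNOWN_KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                       "appdefaults", "logging", "plugins"}
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"  # “ ” ‘ ’ from copy/paste


def parse_jaas_options(text):
    """Return {option: value} from a JAAS entry; quoted values keep inner whitespace."""
    opts = {}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;"]+))', text):
        key, quoted, bare = m.groups()
        opts[key] = quoted if quoted is not None else bare
    return opts


def parse_krb5_ini(text):
    """Return ({section: {key: value}}, set of realm names declared in [realms])."""
    sections, realms, current, depth = {}, set(), None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            depth -= 1
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m and depth == 0:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r"([^\s=]+)\s*=\s*\{$", line)
        if m:  # start of a nested block, e.g. REALM = {
            if current == "realms" and depth == 0:
                realms.add(m.group(1))
            depth += 1
            continue
        m = re.match(r"([^\s=]+)\s*=\s*(.*)$", line)
        if m and depth == 0:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections, realms


def check_sso_config(gss_text, krb5_text, keytab_must_exist=False):
    """Return a list of 'CODE: message' findings; an empty list means consistent."""
    findings = []
    if any(ch in gss_text for ch in TYPOGRAPHIC_QUOTES):
        findings.append('GSS-QUOTES: typographic quotes in gss.conf; use plain " characters')
        for ch in TYPOGRAPHIC_QUOTES:
            gss_text = gss_text.replace(ch, '"')
    opts = parse_jaas_options(gss_text)
    realm, principal = opts.get("realm"), opts.get("principal")
    if realm is None or principal is None:
        findings.append("GSS-MISSING: both realm= and principal= are required")
        return findings
    if realm != realm.strip():
        findings.append("GSS-REALM-WHITESPACE: realm value has leading/trailing whitespace")
    realm = realm.strip()
    if realm != realm.upper():
        findings.append("GSS-REALM-CASE: realm names are case-sensitive and conventionally upper-case")
    if "@" not in principal:
        findings.append("GSS-PRINCIPAL: principal must look like service/host@REALM")
        return findings
    prin_realm = principal.rsplit("@", 1)[1]
    if prin_realm != realm:
        findings.append(f"GSS-REALM-MISMATCH: principal realm {prin_realm!r} != realm= {realm!r}")
    if opts.get("useKeyTab", "false").lower() != "true" or "keyTab" not in opts:
        findings.append("GSS-KEYTAB: the acceptor needs useKeyTab=true and keyTab=<path>")
    elif keytab_must_exist and not Path(opts["keyTab"]).is_file():
        findings.append(f"GSS-KEYTAB-PATH: keytab not found at {opts['keyTab']}")
    sections, realms = parse_krb5_ini(krb5_text)
    for name in sections:
        if name not in KNOWN_KRB5_SECTIONS:
            close = difflib.get_close_matches(name, sorted(KNOWN_KRB5_SECTIONS), n=1)
            hint = f" (did you mean [{close[0]}]?)" if close else ""
            findings.append(f"KRB5-SECTION: unknown section [{name}]{hint}")
    default_realm = sections.get("libdefaults", {}).get("default_realm")
    if default_realm != realm:
        findings.append(f"KRB5-DEFAULT-REALM: default_realm {default_realm!r} != gss.conf realm {realm!r}")
    if realm not in realms:
        findings.append(f"KRB5-REALMS: no [realms] entry for {realm}")
    return findings


# Constructed samples shaped like the configs in the thread (values are placeholders).
BAD_GSS = '''com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true keyTab=\u201cC:/Program Files/Openfire/resources/xmpp.keytab\u201d
    doNotPrompt=true useKeyTab=true realm="INCORPORATED.COM "
    principal="xmpp/SERVER1.INCORPORATED.COM@INCORPORATED.COM" debug=true;
};'''
GOOD_GSS = BAD_GSS.replace("\u201c", '"').replace("\u201d", '"').replace('COM "', 'COM"')
BAD_KRB5 = '''[libdefaults]
default_realm = INCORPORATED.COM
[realms]
INCORPORATED.COM = {
  kdc = SERVER1.incorporated.com
}
[domain_realms]
.incorporated.com = INCORPORATED.COM'''
GOOD_KRB5 = BAD_KRB5.replace("[domain_realms]", "[domain_realm]")

if __name__ == "__main__":
    for f in check_sso_config(BAD_GSS, BAD_KRB5):
        print(f)
```

Run it against the real files with `check_sso_config(Path("gss.conf").read_text(), Path("krb5.ini").read_text(), keytab_must_exist=True)` on the Openfire host; anything it reports is worth fixing before re-reading the debug=true output from Krb5LoginModule, since the checker only covers text-level mismatches and says nothing about whether the keytab's key actually matches the SPN's password in AD.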