SSO with windows clients and win2k8 server

We have installed openfire 3.7.1 on CentOS and spark 2.6.3 in our environment. Everything works like a charm and we are quite satisfied with the performance of openfire and spark. We wanted to implement SSO in our environment; our desktops are Windows 7 and our domain controllers are running Win2K8. We have done the setup for SSO as per what was suggested in the official document for SSO http://community.igniterealtime.org/docs/DOC-1060

However we are unable to implement SSO successfully. When we observe the logs in the spark client we get the following errors -

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117)
    at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)

On our domain controllers we get the following error -

While processing a TGS request for the target server xmpp/ssochat.domain.com, the account xxxxx@domain.com did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 1 3. The accounts available etypes were 23 -133 -128 18 17

Has anyone faced similar problems? Can anyone suggest possible solutions? We have done our best in terms of searching on these errors and trying out possible options, but we seem to have hit a road block here.
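An added example, not from this thread or the Openfire project, that parses the two messages quoted above and states the mismatch in plain terms: the client asked only for the DES types 1 and 3, the account holds RC4 and AES keys, and the "(14)" in the Spark exception is the Kerberos error code KDC_ERR_ETYPE_NOSUPP rather than an encryption type. The function names and the embedded sample strings are mine; the numeric etype names come from the IANA Kerberos registry.

```python
import re

# Kerberos encryption-type numbers from the IANA registry (RFC 3961, 3962, 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
STRONG = {17, 18}          # AES; single DES (1, 3) and RC4 (23) are deprecated (RFC 6649, RFC 8429)
KDC_ERR_ETYPE_NOSUPP = 14  # the "(14)" in Spark's GSSException is this KDC error code, not an etype

DC_EVENT_RE = re.compile(
    r"requested etypes were ([-\d ]+?)\.\s*The accounts? available etypes were ([-\d ]+)")
GSS_RE = re.compile(r"KDC has no support for encryption type \((\d+)\)")

def etype_name(n):
    """Readable name; negative numbers are Microsoft-private legacy RC4 variants."""
    return "ms-legacy-rc4(%d)" % n if n < 0 else ETYPE_NAMES.get(n, "unknown(%d)" % n)

def parse_dc_event(text):
    """Return (requested, available) etype lists parsed from the DC's KDC event text."""
    m = DC_EVENT_RE.search(text)
    if not m: raise ValueError("not a KDC etype-mismatch event")
    return [int(x) for x in m.group(1).split()], [int(x) for x in m.group(2).split()]

def spark_error_is_etype_nosupp(text):
    """True when the GSSException minor code is KDC_ERR_ETYPE_NOSUPP (14)."""
    m = GSS_RE.search(text)
    return bool(m) and int(m.group(1)) == KDC_ERR_ETYPE_NOSUPP

def diagnose(requested, available):
    """Show why no ticket could be issued and which strong types the account already has."""
    overlap = [e for e in requested if e in available]
    return {
        "client_asked_for": [etype_name(e) for e in requested],
        "overlap": [etype_name(e) for e in overlap],
        "account_has_strong": [etype_name(e) for e in sorted(set(available) & STRONG)],
        # An empty overlap is what makes the KDC answer KDC_ERR_ETYPE_NOSUPP; pointing the client
        # (krb5.conf enctypes) and the keytab at AES closes the gap without re-enabling DES.
        "ticket_possible": bool(overlap),
    }

# Constructed samples, copied from the two messages quoted in this thread.
SAMPLE_DC_EVENT = ("While processing a TGS request for the target server xmpp/ssochat.domain.com, "
                   "the account xxxxx@domain.com did not have a suitable key for generating a Kerberos "
                   "ticket (the missing key has an ID of 8). The requested etypes were 1 3. "
                   "The accounts available etypes were 23 -133 -128 18 17")
SAMPLE_SPARK = ("GSSException: No valid credentials provided "
                "(Mechanism level: KDC has no support for encryption type (14))")
```

On Java 1.6 the aes256 type additionally needs the Unlimited Strength JCE policy files installed, so aes128 is the type most likely to line up on both sides without extra installation.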

Check these threads for ideas

http://community.igniterealtime.org/message/204098#204098

http://community.igniterealtime.org/message/222939#222939

Especially important: test the keytab against the DC using the kinit command (if the keytab is fine, the kinit command will be silent; if not, you will get an error).

We have tried everything mentioned in the above two links: made the registry change on the clients,

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

add DWORD allowtgtsessionkey, value=1

configured openfire.xml and gss.conf, and verified the keytab file using the kinit command, but we get the same errors on our clients as well as the DC.

I’ve never had any luck getting openfire to work with SSO when installed on a linux server. You may want to check out this post though.

Looks to me like a problem with kerberos, try to change the encryption type

http://www.windowsitpro.com/article/kerberos/q-can-the-default-encryption-types-the-kerberos-authentication-protocol-uses-in-windows-7-and-windows-server-2008-r2-cause-compatibility-problems-is-there-a-workaround-

We have enabled the suggested changes in the encryption type on the Win 2k8 domain controller and the Win 7 clients. Now we seem to get a different error in the spark logs and are still unable to get SSO to work. We have tried the entire setup from scratch but still we get the error below -

SASL authentication GSSAPI failed: not-authorized:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)

However, the above suggestion was helpful as this seems to be a known issue -

http://support.microsoft.com/kb/977321

Not sure if Java 1.6 indeed has a bug that kills SSO authentication as mentioned in the suggested link. But I tend to agree that it is a lot easier to get SSO working in a Windows environment. After weeks of struggling with SSO with Openfire in a Linux environment, we set up Openfire on a Windows server -

http://community.igniterealtime.org/docs/DOC-1362

We followed the exact steps and we were up and running with SSO with win2k8 DC and win 7 clients in less than 30 minutes.