Desperately trying to get Windows SSO working with win2k8r2 and Win7

fried_chicken · February 12, 2014, 7:58pm

Hi all,

i know there has been a lot of threads about this in the past but lots of those are for old versions and may not be relevant.

i think i’m real close to cracking this now and i really want to write this up when i do get it working for everyone else to use.

my setup:

openfire 3.9.1 on a windows 2012 member server

kdc on a windows 2008r2 domain controller

spark 2.6.3.12555 (nightly build 642) on a windows 7 (64bit) client.

following speedy’s guide (http://community.igniterealtime.org/docs/DOC-2585) got me quite far.

keytab looks ok - kinit passes ok

the spark log says:

WARNING: Exception in Login:

SASL authentication GSSAPI failed: not-authorized:

at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java: 342)

in the openfire info log:

2014.02.12 19:52:58 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. GSS initiate failed

can anyone please help or point me in the next place for me to look into?

fried_chicken · February 14, 2014, 9:01pm

looking at the spark debug i get this:

sent to server:

YIIHKAYJK{big string}AAs

received back:

so i assume its sending over the kerberos ticket ok

does that sound correct to you all?

Jonathan_Murch · March 25, 2014, 2:31pm

I have this same issue. Any resolution?

fried_chicken · March 25, 2014, 7:47pm

no sorry i haven’t. i’ve got as far as running wireshark now - i can see the kerberos conversation going back and forth between the client and the server. what i haven’t been able to capture or identify is the openfire server itself talking to to the DC…

i feel i’m soooooo close to cracking this which is why its so frustrating.

how far have you managed to get?

GrafvonTilly · March 26, 2014, 5:09pm

I’ve pretty much the same problem here.

Everything is set up according to the guide from speedy.

So, if you´re able to solve this, i would really appreciate it, if you could share your solution.

Im trying to figure it out by myself and as soon as i find a proper solution ill provide it here.

Jeffrey3 · March 26, 2014, 5:12pm

Have you tried on the client: right-click the shortcut and “Run As Administrator”?

GrafvonTilly · March 26, 2014, 5:15pm

It doesnt matter if you run spark as admin or not.

Only if UAC is enabled.

Edit: To answer your question: no, i havent tried this yet, but i was working with the admin user so far (isolated test domain)

Jeffrey3 · March 26, 2014, 5:19pm

right… just grasping at straws…

did you create your jabber.keytab file on your Domain Controler? (and not on the OpenFire server)

[I know the guide says the Openfire server, but try the DC]

Jeffrey3 · March 26, 2014, 5:22pm

also I didn’t install Openfire to the default C:\Program Files (x86)\Openfire\ directory but to C:\Openfire\

GrafvonTilly · March 26, 2014, 5:27pm

Yes, in the current setup Openfire is installed on the DC-Server.

krb5.ini is located in c:\windows\

gss.conf is located in \openfire\conf\

jabber.keytab is located in \openfire\resources\

Content is as the guide says. Of course customized to meet my needs.

Jeffrey3 · March 26, 2014, 5:31pm

would you mind posting your

krb5.ini and gss.conf ?

speedy · March 26, 2014, 5:54pm

Sorry to hear you guys are having some problems with my guide.

Maybe I can help. First verify its not an ldap issue…can you log in fine without using sso? just domain username and password?

fried_chicken · March 26, 2014, 8:01pm

Hi Speedy - thanks for taking the time to write the guide in the first place

the ldap all works fine and i’ve checked all the basic things.

i’ve even run some wireshark packet sniffing to try to watch what is going on - i can see the kerberos negotiation but i can’t tell at that level what the issue is. All i get in the logs are the errors i posted originally - i’m hoping someone can shed some light on what they mean? surely the spark debug log means that the negotiation has taken place, but something on the openfire server is not correct. is there no further logging that can be turned up on the openfire server?

my conf files are below but i dont think there is a problem with them…

i’d appreciate any comments!

gss.conf:

com.sun.security.jgss.accept {

com.sun.security.auth.module.Krb5LoginModule

required

storeKey=true

keyTab=“C:/Openfire/resources/xmpp.keytab”

doNotPrompt=true

useKeyTab=true

realm=“MYDOMAIN.COM”

isInitiator=false

principal="xmpp/jabber.mydomain.com@MYDOMAIN.COM"

debug=true;

};

krb5.ini file contents:

[libdefaults]

default_realm = MYDOMAIN.COM

[realms]

SAXONWEALD.COM = {

kdc = srvdc02.mydomain.com

admin_server = srvdc02.mydomain.com

default_domain = mydomain.com

}

[domain_realms]

mydomain.com = MYDOMAIN.COM

.mydomain.com = MYDOMAIN.COM

speedy · March 26, 2014, 9:07pm

try creating a new keytab file. use this command on your dc. This keytab file will not pass the kinit java test…so don’t worry about it, however try it in your resource folder anyway.

ktpass -princ xmpp/server.domain.local@DOMAIN.LOCAL -mapuser keytab@domain.local -pass * -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly -out xmpp.keytab

fried_chicken · March 26, 2014, 10:54pm

speedy i think your my hero!

I found the problem here - once you have run the ktpass on the DC and set the password you then CANNOT log onto the domain as that account with the password you supplied in the ktpass command!

running:

*c:\kinit -k -t xmpp.keytab xmpp/jabber.mydomain.com@MYDOMAIN.COM *

works and provides the output:

New ticket is stored in c:\users\fred\krb5cc_fred

BUT if you run:

c:\kinit xmpp/jabber.mydomain.com@MYDOMAIN.COM

{input password you set with ktpass command earlier}

you get the error:

Exception: krb_error 0 Checksum failed No error

KrbException: Checksum failed…etc…

That originally made me think ok i’ll reset the password for the user account in AD (as i read that in another post). So i reset it back (to the password a choose for the ktpass command) and re-ran the above kinit command. The command now works! The trouble is by resetting the user account password AFTER you have run the ktpass command breaks the openfire authentication!! you then have to re-run the ktpass on the DC and copy back to the openfire server.

my test client is logging on like a charm - i’ll try this at work tomorrow to confirm all is now working as expected and report back… for those still struggling - don’t give up hope!

Jonathan_Murch · March 27, 2014, 7:32am

I have it working! As of yesturday! I will document how i did it with Windows 7 64-bit and Server 2008 R2 today and post back for everyone to see. It was a combination of Speedy’s and Slushpuppies guides as well as some of my own knowledge. I can see it is straight forward now but before I was lik st, fk, just work! Very happy!

Jonathan_Murch · March 27, 2014, 3:53pm

https://drive.google.com/file/d/0BwG5UzfMZQHjR1pJaEVnOW0xd0U/edit?usp=sharing

A link to some documentation on my success to get SSO working. Any comments please reply to me.

speedy · March 30, 2014, 9:37pm

Great job on the doc!

wroot · March 31, 2014, 7:19pm

Btw, i have posted your document here http://community.igniterealtime.org/docs/DOC-2706 I haven’t tried it, but it looks well written. Thanks for sharing. If you update your guide, you can change the attachment on that DOC.