I have spent two days attempting to get SSO working and it's gotten very frustrating, so I am hoping someone here can shed some light.
I am running Openfire 3.4.1 on Windows 2003 Server joined to our AD domain, with Windows XP SP2 clients running Spark 2.5.8.
I have generated my keytab file using the following:
ktpass -princ xmpp/ellington.intranet.com@INTRANET.COM -mapuser "openfireserver@INTRANET.COM" -pass * -ptype KRB5_NT_PRINCIPAL -out ellington.keytab
Got the keytab file with no errors and moved it to the openfire server in the resources folder and generated the gss.conf file as follows:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:/PROGRA~2/Openfire/resources/ellington.keytab"
doNotPrompt=true
useKeyTab=true
realm="INTRANET.COM"
principal="xmpp/ellington.intranet.com@INTRANET.COM"
debug=true;
};
I have modified my openfire.xml as follows:
<!-- sasl configuration -->
<sasl>
<mechs>GSSAPI</mechs>
<realm>INTRANET.COM</realm>
<gssapi>
<debug>true</debug>
<config>C:/PROGRA~2/Openfire/conf/gss.conf</config>
<useSubjectCredsOnly>false</useSubjectCredsOnly>
</gssapi>
</sasl>
<!-- provider configuration -->
<provider>
<user>
<className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
</user>
<auth>
<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
</auth>
<group>
<className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
</group>
<vcard>
<className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
</vcard>
<authorization>
<classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy</classList>
</authorization>
</authorization>
</provider>
I have copied the following krb5.ini file to both client and server in C:\WINDOWS directory:
[libdefaults]
default_realm = INTRANET.COM

[realms]
INTRANET.COM = {
kdc = dc2.intranet.com
kdc = dc1.intranet.com
admin_server = dc2.intranet.com
default_domain = intranet.com
}

[domain_realm]
.intranet.com = INTRANET.COM
I have also made the registry changes on both the XP client and 2003 Server.
I still have failed to connect. I get the following message from Spark:
“Unable to connect using Single Sign-On. Please check your principal and server settings.”
This is what's in my openfire warn.log:
2007.11.20 14:22:44 SaslException
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:211)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:162)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:240)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:284)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
... 20 more
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$5.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getKeys(Unknown Source)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 26 more
Caused by: KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 42 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 46 more
If anybody has any ideas, I am open to them. I have tried EVERYTHING I can think of to make this work. I may be missing something, but I have gone through all the documentation and messages I can find on the subject in the forums.
Thank you
Poppa
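A check worth running on a setup like the one described above is to look at what the keytab file actually contains, independently of Openfire: the principal string, the name type, the key version number (kvno) and the encryption type of each entry, and whether the principal named in gss.conf is present at all. The following is an added example, not code from the post, from Openfire or from Spark. It assumes the keytab is in the MIT v2 format (version bytes 0x05 0x02) that ktpass emits. The sample keytab bytes are constructed inside the script so it runs offline; the key material in them is a dummy value and the second principal and timestamps are made up for the demonstration.

```python
"""Parse an MIT v2 keytab (the format ktpass writes), list its entries, and check
that the principal a gss.conf names is really present.  Sample keytab bytes are
constructed below; the key material in them is a dummy value."""
import struct

# Kerberos name types (RFC 4120 section 6.2); ktpass -ptype KRB5_NT_PRINCIPAL is 1.
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL",
              2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
# Encryption type numbers from RFC 3961 / RFC 4757.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string starting at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per live entry in raw keytab bytes (deleted slots are skipped)."""
    if data[:2] not in (b"\x05\x01", b"\x05\x02"):
        raise ValueError("not a keytab: version bytes %r" % data[:2])
    has_name_type = data[1] == 2          # v1 keytabs lack the name_type field
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type = 0
        if has_name_type:
            (name_type,) = struct.unpack_from(">I", data, off)
            off += 4
        ts, vno8 = struct.unpack_from(">IB", data, off)
        off += 5
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)),
            "timestamp": ts,
            "key_len": len(key),          # only the length is reported, never the key
        })
    return entries


def keytab_has_principal(data, principal):
    """True if some entry's principal equals the exact string a gss.conf names."""
    return any(e["principal"] == principal for e in parse_keytab(data))


def build_keytab(entries):
    """Write a v2 keytab from (principal, key, enctype, kvno, timestamp, deleted)
    tuples; used here only to construct test input for the parser."""
    out = b"\x05\x02"
    for principal, key, enctype, kvno, ts, deleted in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBH", 1, ts, kvno & 0xFF, enctype)  # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", -len(body) if deleted else len(body)) + body
    return out


# Constructed sample: the principal from the post with a dummy RC4 key, a second
# made-up service principal, and a deleted slot left over from an older kvno.
DUMMY_KEY = b"\x11" * 16
SAMPLE_KEYTAB = build_keytab([
    ("xmpp/ellington.intranet.com@INTRANET.COM", DUMMY_KEY, 23, 3, 1195568564, False),
    ("host/ellington.intranet.com@INTRANET.COM", DUMMY_KEY, 23, 3, 1195568564, False),
    ("xmpp/ellington.intranet.com@INTRANET.COM", DUMMY_KEY, 23, 2, 1195500000, True),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s  kvno=%(kvno)d  %(enctype)s  %(name_type)s" % e)
    print("gss.conf principal present:",
          keytab_has_principal(SAMPLE_KEYTAB, "xmpp/ellington.intranet.com@INTRANET.COM"))
```

To use it on a real file, read the bytes of the keytab and pass them to parse_keytab; the principal comparison is exact, so case and the service part (xmpp/ versus host/) have to match the principal in gss.conf character for character. The kvno and enctype shown for the entry are what you compare against the account in AD: a Kerberos error 24 (KDC_ERR_PREAUTH_FAILED) on the AS-REQ that the Krb5LoginModule sends from a keytab means the KDC rejected the key the keytab holds for that account, which is what a password reset after ktpass ran, or a kvno or enctype that no longer matches the account, produces.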