Can't make Spark and SSO work without Spark credential cache

Hi,

I’ve read and made many tests before that post… So I really hope to find some help.

I have 1 Domain controller dccommundev1 for my test domain COMMUNDEV1.FR (w2k3 standard with JRE 6 upd12) and 1 Win 2003 hosting Openfire v3.6.2 with JRE 6 upd11 named openfire1.

I have configured SSO on the servers according to the following tutorials:

http://www.igniterealtime.org/community/docs/DOC-1060.pdf

http://www.igniterealtime.org/community/docs/DOC-1616

http://www.igniterealtime.org/community/docs/DOC-1362 (Windows SSO procedure)

I am able to make SSO work ONLY if I check the box “Remember password” on the Spark logon window and activate SSO afterwards. For me it is not real SSO… Because for a “new” client, if I don’t save the password and directly activate SSO, I get the error "Unable to connect using Single Sign-On. Please check your principal and server settings" (attached file).

I can’t make Spark work without the credential cache… Is it possible? How?

I’ve attached the krb5.ini, the gss.conf and my openfire SASL config. I’ve generated the keytab with both Java and windows tool with no success…

I did not activate LDAPS or TLS. I don’t force the use of SSL between client/openfire or openfire/Active Directory.

So if someone has an idea and can help me? I would be in heaven!
gss.conf (272 Bytes)
krb5.ini (309 Bytes)


I’m in the same boat. The documentation is pretty inconsistent and unclear. This doesn’t appear to be correct. Also, KRB5.ini is not needed for new installations (purely Windows environment)… at least that’s my understanding from here.

Can anyone else confirm this?

Also, where does the debug information for all of this go, because it is not in the openfire server logs?

Thanks

The krb5.ini file is needed by Windows clients. The problem is every install of AD is different. Different security, different settings, etc. There is no concrete step by step because this is Windows after all. No two machines are ever alike even when cloned.

I’ve got this problem too.

Setup of W2k3 AD, 2 domain controllers (1 PDC, 1 BDC), Openfire 3.6.3 on Linux, Spark on Terminal Servers through Citrix.

If I do not “save the password” (and from what I can see, that’s sooooooooo worryingly insecure, saving it in plain text format, encrypted with the key that’s available from the source code, or am I wrong in that?) and the entries:

passwordSaved=true

password=

are not in the spark.properties file, then Single Sign On does not work. When I change my passwd on the AD system, I then have to re-enter my new password on the spark sign-in window and resave it.

Any progress/ideas/diagnosis suggestions on this, much-more-learned-than-me peeps?

Thanks

Daryn

Bump.

I too have been attempting the very same sort of setup. And have started to run out of ideas.

I’d really like to see someone address the possible causes of a “401” auth response, when attempting to get SSO going…

Wow, is this driving me nuts. I’ve gone through all the steps probably 5 times now and it still doesn’t work.

Is there something in a log somewhere that explains why it’s not working, beyond the login failure message???

SSO can be a challenge to get working. I had a few issues myself, but it does work great once you get it going.

Todd Getz’s how-to here is pretty accurate:

http://www.igniterealtime.org/community/docs/DOC-1616

If you followed his post, then the problem is likely your keytab file. The Windows ktpass is hit or miss… mostly miss.

Create a new keytab file using Java’s ktab:

ktab -k xmpp.keytab -a xmpp/servername.domain.com@DOMAIN.COM

Once you do that, use kinit on your new keytab file (located in openfire\jre\bin):

kinit -k -t xmpp.keytab xmpp/servername.domain.com@DOMAIN.COM “password” (replace password with the password you used, and without the quotes)

If it runs without any errors, your file is good. If it gives you errors, then go back into AD and reset the password (use the same password as before) on the user that you used to map xmpp/servername.domain.com@REALM.COM.

Run kinit again.

If all is good, place the file in your resources folder and restart openfire.

Let me know if this helps
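Since the reply above pins most failures on the keytab, here is an added Python inspector (not from this thread or from the Openfire project) that reads the 0x0502 keytab format that Java's ktab writes and lists each entry's principal, kvno and enctype, so the SPN in the file can be compared with the one Spark and Openfire expect. The sample keytab bytes are constructed in the block itself; the SPN and kvno are made up.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n

def parse_keytab(data):
    """Return one dict per live entry: principal, kvno and enctype name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name_type (4 bytes), timestamp (4), 8-bit kvno (1), then the keyblock
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, off)
        (etype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _counted(data, off + 11)
        if end - off >= 4:                # trailing 32-bit kvno wins if present
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, "etype %d" % etype)})
        off = end
    return entries

def build_keytab(principal, kvno, etype, key):
    """Writer used only to construct the sample below (constructed data, not a real keytab)."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: one rc4-hmac key, kvno 3, for the SPN used in the reply above.
SAMPLE = build_keytab("xmpp/servername.domain.com@DOMAIN.COM", 3, 23, b"\x00" * 16)
```

A kvno in the file that lags the account's current value in AD (it increments on every password reset) is the mismatch the "reset the password, run kinit again" step in the reply works around.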

kinit reports no errors, still does not work.

Why is it that the openfire.xml file always reverts back to this:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL

instead of what I entered in which was this:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL OPENFIRE.LOCAL true C:\Program Files\Openfire\conf\gss.conf false

Plus, what’s really weird now is that “Account” in spark for SSO says “xmpp/openfiretest.openfire.local”. WTH?

Hmmm… I don’t know. I did this from scratch today and didn’t have any problems. I’ll try to write something up in the next day or two on the steps I took. Maybe you’ve overlooked something.

jayfire wrote:

kinit reports no errors, still does not work.

Why is it that the openfire.xml file always reverts back to this:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL

instead of what I entered in which was this:

GSSAPI,CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL OPENFIRE.LOCAL true C:\Program Files\Openfire\conf\gss.conf false

Plus, what’s really weird now is that “Account” in spark for SSO says “xmpp/openfiretest.openfire.local”. WTH?

I’ve seen the “xmpp/openfiretest.openfire.local” when I tried to use SSO from the domain controller. Try from another PC and let me know what happens. As far as the XML, don’t worry about it: the settings have been moved to the database. If you pull up the web GUI, you should now see the GSSAPI settings.