SSO Windows 2008 SBS Server - not working?!

I really spent a lot of time trying to get SSO working in a small business environment.

We have a Windows Small Business Server 2008 (Windows 2008 x64) and Windows XP SP3 Clients. I tried the following documents many times:

http://www.igniterealtime.org/community/docs/DOC-1060

http://www.igniterealtime.org/community/docs/DOC-1362

http://www.igniterealtime.org/community/docs/DOC-1616

But I always get the same Spark error:

“Unable to connect using Single Sign-On. Please check principal and server settings.”

And the warn.log shows:

30.01.2009 02:26:17 org.jivesoftware.spark.util.log.Log warning
WARNUNG: Exception in Login:
not-authorized(401)
        at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
        at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
        at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
        at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
        at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
        at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
        at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
        at java.lang.Thread.run(Unknown Source)

and the debug output:

<username>userx</username>
<password/>
<resource>spark</resource>
<not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>

On the server the debug.log and error.log are empty and in the warning.log I can find the following:

2009.01.29 20:11:50 Autocreating jiveID row for type ‘25’

Is there a special port necessary which should be opened? Because the Win 08 server has a new firewall (the normal Spark login works correctly).

Is it correct that the … part must be inserted in the part of the openfire.xml?

My server is also the gateway to the Internet, so it has a second LAN card, but in a different network. Hopefully that's no problem.

If anybody has any suggestions or experiences, that would be really great!

Thanks Lukas

I fought with this problem for a couple of months, but finally got my SSO working consistently today. Our domain controllers are running on Windows Server 2008 Standard, with Vista and Server 2008 clients, and our Openfire server is running on Debian Etch. I was getting the 401 not-authorized in the Smack debug trace like you, with nothing useful in the standard logs. I was running into trouble pulling a Kerberos TGT on the Openfire server, saying that my client wasn’t found in the Kerberos database, when I knew full well that the account existed, I had the SPN configured properly and I had generated the keytab file successfully, so the password I used had to be right. Turned out there was a bug in the Kerberos implementation in Server 2008 (see http://support.microsoft.com/kb/951191), which prevented third-party Kerberos clients/APIs from successfully retrieving a ticket granting ticket. In the SSO tutorials that I had been following, I was setting the xmpp SPN for my Openfire chat server in one command, and generating the keytab with ktpass in a separate step. Once I applied the hotfix to both DCs and rebooted, I deleted the SPN for my Openfire server, then generated the keytab using this command, logged in using THE domain administrator account (I could have used my account, which is in the Domain Admin container, but using the Administrator account rules out a possibly mucky keytab due to any potentially unseen limited permissions):

ktpass /princ xmpp/myopenfireserver.mydomain.local@MYDOMAIN.LOCAL /mapuser myopenfire-user /pass * /ptype KRB5_NT_PRINCIPAL /out C:\xmpp.keytab

Once I entered the password for myopenfire-user, this should have created and bound the SPN to my domain user account that I created for Openfire to authenticate against the domain with, and generated the corresponding keytab. I then moved the xmpp.keytab file to my Openfire/resources folder, then changed ownership to the openfire user account on my Debian install to make sure it could be accessed. I then used the kinit utility in the java/bin folder to get a TGT, and once I typed in the password, I was able to authenticate successfully. I verified that it received the ticket for my Openfire’s SPN using klist, which it did. Everything worked fine at that point.

I’m assuming of course that your Server 2008 x64 machine is the domain controller, and that your Openfire server is installed on it. Hope that helps.
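The reply above checks the keytab by running kinit and klist against the live DC. A complementary offline check, which I am adding here as an example (it is not code from the thread or from Openfire), is to read the keytab file itself and confirm it carries exactly the SPN Openfire is configured to use, with the realm in upper case and the KRB5_NT_PRINCIPAL name type that ktpass writes. The script parses the MIT keytab format (version 0x0502) that ktpass produces and that the JDK's kinit reads; the keytab bytes, the 16-byte key, the kvno, the timestamp and the RC4-HMAC enctype number are all constructed for the example.

```python
"""Inspect an MIT-format (0x0502) keytab and check that it carries the SPN
Openfire will authenticate as.  Added example; the keytab bytes are built
inline, not taken from anyone's server."""
import struct

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1          # name type written by ktpass /ptype KRB5_NT_PRINCIPAL
ENCTYPE_RC4_HMAC = 23          # assumption: the enctype used for the sample entry


def _counted(data: bytes) -> bytes:
    """uint16 length prefix + bytes (the keytab 'counted_octet_string')."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    """Read a counted_octet_string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principal: str, key: bytes, enctype: int = ENCTYPE_RC4_HMAC,
                 kvno: int = 3, timestamp: int = 1233259200) -> bytes:
    """Build a one-entry v2 keytab for 'svc/host@REALM' (constructed test data)."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)          # optional 32-bit vno field
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry; deleted slots (negative size) are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a v2 keytab, magic %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # deleted entry: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                    # 32-bit vno, if present, wins
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "timestamp": ts, "key_len": len(key)})
    return entries


def check_spn(data: bytes, expected_spn: str) -> list:
    """Return a list of problems; an empty list means the keytab matches expected_spn."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab has no entries"]
    _, _, realm = expected_spn.rpartition("@")
    problems = []
    if realm != realm.upper():
        problems.append("realm %r is not upper-case; realm names are case-sensitive" % realm)
    matches = [e for e in entries if e["principal"] == expected_spn]
    if not matches:
        found = sorted({e["principal"] for e in entries})
        problems.append("no entry for %s; keytab holds %s" % (expected_spn, found))
        for p in found:                        # the usual ktpass slip: case differs
            if p.lower() == expected_spn.lower():
                problems.append("case-only mismatch: keytab has %s" % p)
    for e in matches:
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("%s has name type %d, expected %d"
                            % (expected_spn, e["name_type"], KRB5_NT_PRINCIPAL))
    return problems


if __name__ == "__main__":
    spn = "xmpp/myopenfireserver.mydomain.local@MYDOMAIN.LOCAL"
    kt = build_keytab(spn, b"\x11" * 16)     # constructed 16-byte key
    for e in parse_keytab(kt):
        print(e)
    print("problems:", check_spn(kt, spn))
    print("problems:", check_spn(kt, "xmpp/myopenfireserver.mydomain.local@mydomain.local"))
```

To run it against a real file, replace the `build_keytab` call with `open("xmpp.keytab", "rb").read()` and pass the SPN from Openfire's Kerberos configuration as `expected_spn`; any non-empty result from `check_spn` is a reason to regenerate the keytab before spending time on the firewall or the second network interface.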