SSO - Need Help

All:

I am in desperate need of getting an Openfire/Spark installation working with SSO. Despite carefully trying to follow all of the various guides I could locate, I can’t quite get it to go. I was wondering if any one might be willing to help - I would pay you for your time.

I’m running Openfire 4.1.3 and Spark 2.8.3. Everything works without SSO. When I change the SASL.Mechs property to GSSAPI, I can no longer log in with or without SSO. Error from the Spark log is “org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized”. I’m guessing it’s something very simple with the keytab file, gss.conf file, or similar but this is really not my area of expertise and I need this working just as fast as humanly possible.

Please contact me if you would be willing to help - I would greatly appreciate it.

Cameron

Which guide did you follow? That might help with your troubleshooting. Since there are a lot of moving parts with SSO, it could be multiple things. A common issue is that the SPN and xmpp.domain don’t match as they should. If you’re using SRV records, then that adds another layer, and you may need to set xmpp.fqdn as well.

Also, sasl.mechs can use multiple types (comma delimited), so you can set it to PLAIN,GSSAPI and it will accept both.

I’m pretty busy this morning, but should be available after 2pm EST to help.

Thanks for your offer to help! Another member of the community already contacted me and is going to try and help out in about an hour. If he is unsuccessful or I need further help, I will definitely reach out to you. Thanks again.

Cameron

Any luck with this Cameron? If so, could you share your solution? I have the same issue as you after upgrading from Openfire 3.10.3 and Spark 2.73 to Openfire 4.1.5 and Spark 2.8.3. I have not been able to come up with a solution. I can log in with SSO turned off, but with it turned on, I receive “org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized” in the Spark client log after completing the upgrade to the latest versions in a test environment. I have also created PTR records for the server that appear to be correct. PTR records also exist for the client. I might need to get speedy to remote into my server again like he did a few years ago if you do not have a solution Cameron lol… spent 2 days on this so far, no luck.

You may want to start here.

SSO (Single Sign On) configuration changes since Spark 2.8.0

Cool thanks speedy. I had not seen that article. I will try later this morning and report back.

Added two SPNs for the SRV record domain name and recreated the keytab file but it doesn’t appear to have helped. Still getting the same not-authorized error.

You may need to add the xmpp.fqdn.

These are what I have already:

setspn -L openfire.xmpp
Registered ServicePrincipalNames for CN=openfire.xmpp,OU=Service Accounts,OU=MyOU,DC=ad,DC=company,DC=com:
        xmpp/chat.company.com
        xmpp/s-apps2.ad.company.com
        xmpp/s-apps2.ad.company.com@AD.COMPANY.COM
        xmpp/chat.company.com@AD.COMPANY.COM

xmpp.fqdn = s-apps2.ad.company.com

xmpp.domain = chat.company.com

From the looks of it, you may not have needed to add the extra SPN… I’m guessing you have an A record for chat.company.com since that is also your xmpp.domain.

So I’d suggest setting xmpp.fqdn to chat.company.com as well.

Let me know if that doesn’t work. PM me if you’d like to do a screen share. I should have some time available to help out tomorrow (7/20).
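As an added example (not code from the thread or from the Openfire project), a small Python checker that parses the output of setspn -L and reports whether the SPNs the thread says must line up with xmpp.domain and xmpp.fqdn are actually registered on the service account. The sample input is the listing posted above, embedded as constructed text; the rule it checks (xmpp/<xmpp.domain> and xmpp/<xmpp.fqdn>, with and without the realm) is the thread's advice and an assumption about what the client will ask the KDC for.

```python
import re

# Constructed sample: the `setspn -L openfire.xmpp` listing posted in this thread.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=openfire.xmpp,OU=Service Accounts,OU=MyOU,DC=ad,DC=company,DC=com:
        xmpp/chat.company.com
        xmpp/s-apps2.ad.company.com
        xmpp/s-apps2.ad.company.com@AD.COMPANY.COM
        xmpp/chat.company.com@AD.COMPANY.COM
"""


def parse_setspn(output):
    """Return the set of (service, host, realm) tuples listed by setspn -L.

    Service and host are lower-cased (hostnames are case-insensitive in
    Kerberos); the realm is kept as-is because realms are case-sensitive.
    """
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered") or "/" not in line:
            continue
        service, _, rest = line.partition("/")
        host, _, realm = rest.partition("@")
        spns.add((service.lower(), host.lower(), realm))
    return spns


def check_xmpp_spns(output, xmpp_domain, xmpp_fqdn=None, realm=None):
    """Map each SPN the client may request to whether it is registered.

    Assumption (from the thread): the service account needs xmpp/<xmpp.domain>
    and, when xmpp.fqdn is set, xmpp/<xmpp.fqdn>; each also with @REALM.
    """
    present = parse_setspn(output)
    hosts = {xmpp_domain.lower()}
    if xmpp_fqdn:
        hosts.add(xmpp_fqdn.lower())
    report = {}
    for host in sorted(hosts):
        report[f"xmpp/{host}"] = ("xmpp", host, "") in present
        if realm:
            report[f"xmpp/{host}@{realm}"] = ("xmpp", host, realm) in present
    return report


def missing_spns(report):
    """List the SPNs that are expected but not registered."""
    return sorted(spn for spn, ok in report.items() if not ok)
```

Run check_xmpp_spns with the real listing and your own xmpp.domain, xmpp.fqdn and realm; anything returned by missing_spns is a candidate for the SPN/xmpp.domain mismatch the thread describes, and after changing SPNs or the account the keytab should be regenerated as the last post notes.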

So speedy remotely assisted me and it turns out I had to yet again recreate the keytab file (speedy told me that every time you make any kind of change to the AD xmpp keytab account you should recreate the keytab file, and I believe I may have changed some flags/attributes on the account during my testing), and also my krb5.ini was restricting the crypto that was allowed, so that may have been an issue as well.

Thanks speedy!