I am in desperate need of getting an Openfire/Spark installation working with SSO. Despite carefully trying to follow all of the various guides I could locate, I can’t quite get it to go. I was wondering if anyone might be willing to help - I would pay you for your time.
I’m running Openfire 4.1.3 and Spark 2.8.3. Everything works without SSO. When I change the SASL.Mechs property to GSSAPI, I can no longer log in with or without SSO. The error from the Spark log is “org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized”. I’m guessing it’s something very simple with the keytab file, gss.conf file, or similar, but this is really not my area of expertise and I need this working just as fast as humanly possible.
Please contact me if you would be willing to help - I would greatly appreciate it.
Which guide did you follow? That might help with your troubleshooting. Since there are a lot of moving parts with SSO, it could be multiple things. A common issue is that the SPN and xmpp.domain don’t match as they should. If you’re using SRV records, then that adds another layer, and you may need to set xmpp.fqdn as well.
Also, sasl.mechs can use multiple types (comma delimited), so you can set it to PLAIN,GSSAPI and it will accept both.
I’m pretty busy this morning, but should be available after 2pm EST to help.
Thanks for your offer to help! Another member of the community already contacted me and is going to try and help out in about an hour. If he is unsuccessful or I need further help, I will definitely reach out to you. Thanks again.
Any luck with this Cameron? If so, could you share your solution? I have the same issue as you after upgrading from Openfire 3.10.3 and Spark 2.73 to Openfire 4.1.5 and Spark 2.8.3. I have not been able to come up with a solution. I can log in with SSO turned off, but with it turned on, I receive “org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized” in the Spark client log after completing the upgrade to the latest versions in a test environment. I have also created PTR records for the server that appear to be correct. PTR records also exist for the client. I might need to get speedy to remote into my server again like he did a few years ago if you do not have a solution Cameron lol… spent 2 days on this so far, no luck
Added two SPNs for the SRV record domain name and recreated the keytab file, but it doesn’t appear to have helped. Still getting the same not-authorized error.
From the looks of it, you may not have needed to add the extra SPN… I’m guessing you have an A record for chat.company.com since that is also your xmpp.domain
So speedy remotely assisted me, and it turns out I had to yet again recreate the keytab file (speedy told me that every time you make any kind of change to the AD xmpp keytab account you should recreate the keytab file, and I believe I may have changed some flags/attributes on the account during my testing), and also my krb5.ini was restricting the crypto that was allowed, so that may have been an issue as well.
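Both fixes that closed the thread (recreate the keytab after any change to the account, and check which enctypes krb5.ini allows) come down to what the keytab actually contains, as does the earlier point that the SPN must match xmpp.domain. The following is an added example, not code from this thread or from Openfire: a small Python parser for an MIT-format keytab that lists each principal, kvno and enctype and looks for the xmpp/<xmpp.domain> SPN; the xmpp service class, the COMPANY.LOCAL realm and the keytab bytes are all assumptions constructed here.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",  # IANA numbers
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into (principal, kvno, enctype name) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    entries, off = [], 2
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size <= 0:                        # negative size marks a deleted slot
            off += -size or len(data)        # a zero size is corrupt: stop parsing
            continue
        end, ncomp = off + size, struct.unpack_from(">H", data, off)[0]
        off, parts = off + 2, []             # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", data, off)[0]
            parts.append(data[off + 2:off + 2 + n].decode("utf-8"))
            off += 2 + n
        kvno = data[off + 8]                 # skip name_type and timestamp, read vno8
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                     # step over the key material itself
        if end - off >= 4:                   # optional 32-bit kvno overrides vno8 when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        off = end
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno,
                        ENCTYPES.get(enctype, "enctype-%d" % enctype)))
    return entries

def find_spn(entries, xmpp_domain, realm):
    wanted = "xmpp/%s@%s" % (xmpp_domain, realm)   # assumption: 'xmpp' service class
    return [e for e in entries if e[0] == wanted]

def build_entry(principal, kvno, enctype, key):    # constructs one entry for the sample below
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode("utf-8")
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a current AES entry plus a stale RC4 entry left over from an older keytab.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("xmpp/chat.company.com@COMPANY.LOCAL", 5, 18, b"\x11" * 32)
                 + build_entry("xmpp/chat.company.com@COMPANY.LOCAL", 4, 23, b"\x22" * 16))
```

Run parse_keytab over open(path, "rb").read() for the real file: an entry whose kvno is behind the account's current one, or whose only enctypes are ones krb5.ini's permitted_enctypes excludes, is a likely cause of the not-authorized error, and an empty find_spn result means the SPN and xmpp.domain do not line up.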