Hi,
I have a server running openfire. spark works fine. Now I am trying to deploy the spark software with Thinapp.
I have the client configured to do SSO. It reads the correct username. username@domain.local
However it only works when I disable SSO and enter a password.
the error I get is
Unable to connect using single sign on. Please check your principal and server settings.
what Am i doing wrong? I checked DNS under advanced settings in the SSO menu but this also doesn’t work
help!
seting up sso is a bit more complicated than that! There are alot of post on it. Here is a document that I wrote up, but there are many more.
Hi speedy,
I followed your document thanks for that.
I followerd all steps but I havent got it working yet.
Couple of questions. How do I confugure the client?
SSO via DNS, KRB5.ini of specify below?
What should the content be of the krb5.ini file?
only this? :
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
allowtgtsessionkey reg-dword value 1
no…thats a registry edit. I’m surprised you didn’t get an error when you created or tested your keytab file if your krb5.ini wasnt set correctly.
your krb5.ini file should look something like this. (this is a basic example)
`[libdefaults]
default_realm = INTRANET.COM
[realms]
INTRANET.COM = {
kdc = dc1.intranet.com
admin_server = dc1.intranet.com
default_domain = intranet.com
}
[domain_realms]
intranet.com = INTRANET.COM
.intranet.com = INTRANET.COM`
and your gss.conf file should look like this
com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required storeKey=**true** keyTab="C:/Program Files/Openfire/resources/xmpp.keytab" doNotPrompt=**true** useKeyTab=**true** realm="INTRANET.COM" principal="xmpp/servername.domain.com@INTRANET.COM" debug=**true**; };
Hi Speedy,
thanks! I had it going for about 5 minutes. then my account got locked.
It still reads my username correct but I receive “Unable to connect using single sign on. Please check your principal and server settings.”
Any directions to check what is going on? I tried to connect on IP and hostname both same effect.
I tried to test my keytab file again:
C:\Program Files (x86)\Openfire Chat Server\jre\bin>kinit -k -t jabber.k
mpp/vmw2ks155.domain.local@DOMAIN.LOCAL
Exception: krb_error 0 Cannot get kdc for realm DOMAIN.LOCAL No e
KrbException: Cannot get kdc for realm DOMAIN.LOCAL
at sun.security.krb5.KrbKdcReq.send(Unknown Source)
at sun.security.krb5.KrbKdcReq.send(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown S
at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
this is my krb5.ini on sever and client
[libdefaults]
default_realm = DOMAINNAME.LOCAL
noaddresses = true
[realms]
DOMAINNAME.LOCAL = {
kdc = VMW2KS155.domainname.local
default_domain = domainname.local
}
this is my gss.conf:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab=“C:\Program Files (x86)\Openfire Chat Server\resources\jabber.keytab”
doNotPrompt=true
useKeyTab=true
realm=“DOMAINNAME.LOCAL”
principal=“xmpp/vmw2ks155.domainname.local@DOMAINNAME.LOCAL”
debug=true;
};
So the version of Java 1.6.0_26 has a bug that kills SSO authentication. Make sure you are not using that version.
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7077640
I was running Linux, but upgrading to Java 1.7.0_147 fixed my install.
I have tried a java update. no effect.
just for the record:
xmpp/lab2.lab.local where lab2 is the openfire server right?
admin_server is my openfire server?
There is a PTR record in my DNS pointing to the openfire server.
please see attached. w2ks61 is my openfire server
my kdc is vmw2ks155
my realm is ACHMEAVASTGOED.LOCAL
gss.conf.zip (379 Bytes)
jabber.keytab.zip (314 Bytes)
krb5.ini.zip (264 Bytes)
openfire.xml (3423 Bytes)