Like a lot of people here I'm trying to get SSO to work.
Background information:
2003 domain controller: omnidc08
Domain: corp.omniamerican.org
2008r2 x64 Openfire Server: wso-chat-01
XPsp3 Client using spark
service users are domain admins: srv_OMNICHAT_LDAP & srv_OMNICHAT_KEYTAB
install directory: c:\Program Files (x86)\Openfire
however I also made a c:\Program Files\openfire\conf directory with gss.conf and openfire.xml
These are the commands I ran on the domain controller:
C:>setspn -A xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG@CORP.OMNIAMERICAN.ORG SRV_OMNICHAT_KEYTAB
Registering ServicePrincipalNames for CN=srv_OMNICHAT_keytab,OU=Service Accounts,OU=Information Technology,OU=Back Office,DC=corp,DC=omniamerican,DC=org
xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG@CORP.OMNIAMERICAN.ORG
Updated object
C:>KTPASS -princ xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG@CORP.OMNIAMERICAN.ORG -mapuser srv_omnichat_keytab@CORP.OMNIAMERICAN.ORG -pass * -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: OMNIDC08.corp.omniamerican.org
Using legacy password setting method
Successfully mapped xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG to srv_OMNICHAT_keytab.
Type the password for xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG:
Type the password again to confirm:
Key created.
On my Openfire server (wso-chat-01), I can run a clean:
kinit -k -t jabber.keypab xmpp/wso-chat-01.corp.omniamerican.org@CORP.OMNIAMERICAN.ORG P@ssWord123
Attached are my configuration docs.
I've also added the krb5.ini files to both the Openfire server and the workstation in the c:\windows directory,
and the registry entry allowtgtsessionkey = 1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\ and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\
on the XP workstation, and just under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\
on the wso-chat-01 server,
and have rebooted both many times.
Log on my Openfire screen:
Openfire 3.8.2 [Feb 24, 2014 3:11:12 PM]
Admin console listening at:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files (x86)/Openfire/resources/jabber.keytab refreshKrb5Config is false principal is xmpp/WSO-CHAT-01.CORP.OMNIAMERICAN.ORG@CORP.OMNIAMERICAN.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal’s key obtained from the keytab
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Cannot get kdc for realm CORP.OMNIAMERICAN.ORG
LDAP is working: I can sign in with my Windows username and password, but I cannot get SSO to work. The client does show my username@corp.omniamerican.org.
The Openfire server is being "RUN AS" administrator.
[PLEASE NOTE: only PASSWORDS have been changed in the config files and above documentation]
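As an added diagnostic that is not part of the original post or of Openfire: the message "Cannot get kdc for realm CORP.OMNIAMERICAN.ORG" comes from the JVM's own Kerberos library (Openfire does not use the Windows SSPI), which on Windows reads C:\Windows\krb5.ini unless java.security.krb5.conf points elsewhere. It produces that error when the [realms] section has no entry whose name matches the principal's realm exactly; realm names are compared case-sensitively, so a lowercase block heading is silently ignored. The script below parses a krb5.ini and reports the settings the JVM would trip over. The two INI texts are constructed for illustration (the lowercase realm block in the "broken" one is a deliberate example of the mismatch); the host and realm names follow the post, the KDC port and the check names are assumptions.

```python
"""Check a krb5.ini for what Java's Krb5LoginModule needs to locate a KDC.

Added example; not part of the original post or of Openfire.
"""
import re
from typing import Dict, List

# Constructed example: realm block heading is lowercase, no [domain_realm].
BROKEN_INI = """
[libdefaults]
    default_realm = CORP.OMNIAMERICAN.ORG

[realms]
    corp.omniamerican.org = {
        kdc = omnidc08.corp.omniamerican.org
    }
"""

# Constructed example of the shape the JVM accepts (port 88 is an assumption).
FIXED_INI = """
[libdefaults]
    default_realm = CORP.OMNIAMERICAN.ORG

[realms]
    CORP.OMNIAMERICAN.ORG = {
        kdc = omnidc08.corp.omniamerican.org:88
        admin_server = omnidc08.corp.omniamerican.org
        default_domain = corp.omniamerican.org
    }

[domain_realm]
    .corp.omniamerican.org = CORP.OMNIAMERICAN.ORG
    corp.omniamerican.org = CORP.OMNIAMERICAN.ORG
"""


def parse_krb5_ini(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the subset of krb5.ini syntax used by the three sections above.

    Returns {section: {key: [values]}}. Keys inside a realm block such as
    'CORP.EXAMPLE.ORG = { kdc = dc1 }' are flattened to 'CORP.EXAMPLE.ORG.kdc'.
    """
    sections: Dict[str, Dict[str, List[str]]] = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        if line.endswith("{"):  # start of a 'NAME = {' block
            block = line[:-1].split("=", 1)[0].strip()
            continue
        if line == "}":
            block = None
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if block:
                key = f"{block}.{key}"
            sections[section].setdefault(key, []).append(value)
    return sections


def check_kdc_config(text: str, realm: str, host_domain: str) -> List[str]:
    """Return the problems that would stop the JVM from finding a KDC for realm."""
    cfg = parse_krb5_ini(text)
    problems: List[str] = []

    default_realm = cfg.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm is None:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm != realm:
        problems.append(f"default_realm is {default_realm!r}, principal uses {realm!r}")

    realms = cfg.get("realms", {})
    wanted = f"{realm}.kdc"
    if not realms.get(wanted):
        # Look for the same realm spelled with different case: the usual culprit.
        by_lower = {k.lower(): k for k in realms}
        hit = by_lower.get(wanted.lower())
        if hit:
            found_realm = hit[: -len(".kdc")]
            problems.append(
                f"[realms] defines {found_realm!r} but the principal uses {realm!r}; "
                "Java matches realm names case-sensitively"
            )
        else:
            problems.append(f"[realms] has no kdc entry for {realm}")

    domain_realm = cfg.get("domain_realm", {})
    if host_domain not in domain_realm and f".{host_domain}" not in domain_realm:
        problems.append(f"[domain_realm] does not map {host_domain} to a realm")
    return problems


if __name__ == "__main__":
    for label, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        found = check_kdc_config(ini, "CORP.OMNIAMERICAN.ORG", "corp.omniamerican.org")
        print(label, "->", found or "no problems found")
```

To run it against a real file, replace the constructed strings with `open(r"C:\Windows\krb5.ini").read()` and pass the realm exactly as it appears in the `principal is ...` line of the Openfire debug output. A clean result from this check only says the file is well-formed for that realm; the KDC host still has to resolve and answer on port 88 from the Openfire server.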