HELP OpenFire Debian Server SSO in Server 2008R2 domain

Ok, I have been banging my head against the wall for a few days on this and have been reading through many posts like the following:

SSO Configuration

https://community.spiceworks.com/how_to/13930-openfire-enable-single-sign-on-sso-on-linux

SSO: An easier way to join your CentOS 5 Openfire server to an AD Domain

Re: Spark / OpenFire SSO failure

SSO for Openfire 3.8.1 on Debian 7.0 “Wheezy” x64 + Spark 2.6.3 + AD W2k8 (not R2)

I have openfire server configured and set up on Debian 8 Jessie 64 bit.

Currently I can sign in manually with my AD credentials and everything works fine in that department.

The problem is I keep getting this error in my spark log when trying to use SSO:

Dec 03, 2015 3:22:12 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
  -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
    at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
    at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
    at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
    at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
    at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 10 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 19 more

I have created two AD users, one for openfire to use when enumerating AD users and the other for the keytab that has Kerberos pre-authentication disabled and aes 128 bit authentication enabled.

I can use kinit -V -k -t krb5.xmpp.keytab xmpp/openfire-server.domain.local@DOMAIN.LOCAL from the openfire server to confirm keytab file authentication with Kerberos.

I have actually tried importing the keytab a couple different ways from the KDC per suggested methods in the above links as well as generating it on the openfire Debian server itself to no avail.

I have checked the system properties for xmpp.domain and xmpp.fqdn which are both set to openfire-server.domain.local.

My /etc/hosts and nsswitch.conf files appear to be correct, as do /usr/share/openfire/resource/conf/gss.conf and /etc/krb5.conf.

At this point I have reloaded the server from scratch twice now just to be sure I wasn’t missing anything.

Can anyone post any pointers or at the very least suggest a better Linux chat server solution with SSO for a Server 2008 R2 domain?

Start from scratch (deleting and recreating your ad accounts), and give this guide a go.

How to Setup SSO on Windows Server 2008r2/2012r2 with a Domain level of 2008r2/2012r2

I am configuring openfire server on Debian Linux.

Noticed useKeyTab says false in ignite debug, should this be set to true?

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration

Acquire TGT from Cache

Principal is USER@DOMAIN.LOCAL

Commit Succeeded
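The "Server not found in Kerberos database (7)" error in the first post is the KDC saying it has no principal matching the service name the client asked for (xmpp/<xmpp.fqdn>@REALM), and the follow-up post asks about useKeyTab. The script below is an added example, not code from the thread or from Openfire; it checks, offline, that the server-side gss.conf and the keytab both name exactly that SPN and that useKeyTab is true. The gss.conf text, the klist output, the keytab path and the host/realm names are constructed samples, not the poster's real files.

```shell
#!/bin/sh
# Constructed sample of a server-side gss.conf (JAAS "accept" block).
SAMPLE_GSS_CONF='com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/usr/share/openfire/resources/conf/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="DOMAIN.LOCAL"
    principal="xmpp/openfire-server.domain.local@DOMAIN.LOCAL"
    debug=true
    isInitiator=false;
};'

# Constructed sample of `klist -k` output for that keytab.
SAMPLE_KLIST='Keytab name: FILE:/usr/share/openfire/resources/conf/xmpp.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 xmpp/openfire-server.domain.local@DOMAIN.LOCAL'

# Print the value of KEY=value or KEY="value" from a JAAS config block.
# usage: jaas_get KEY "$conf"
jaas_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\";]*\)\"\{0,1\};\{0,1\}\$/\1/p"
}

# Returns 0 when the SPN the client will request (xmpp/<fqdn>@<REALM>) is the
# principal named in gss.conf, useKeyTab is true, and the keytab holds a key
# for that same SPN; otherwise prints the first mismatch and returns 1.
# usage: check_sso_config "$conf" "$klist_output" xmpp.fqdn REALM
check_sso_config() {
    conf=$1; klist_out=$2; fqdn=$3; realm=$4
    expected="xmpp/$fqdn@$realm"
    if [ "$(jaas_get useKeyTab "$conf")" != "true" ]; then
        echo "useKeyTab is not true in gss.conf"; return 1
    fi
    principal=$(jaas_get principal "$conf")
    if [ "$principal" != "$expected" ]; then
        echo "gss.conf principal '$principal' != expected '$expected'"; return 1
    fi
    if ! printf '%s\n' "$klist_out" | grep -q "[[:space:]]$expected\$"; then
        echo "keytab has no entry for $expected"; return 1
    fi
    echo "ok: $expected"; return 0
}

check_sso_config "$SAMPLE_GSS_CONF" "$SAMPLE_KLIST" openfire-server.domain.local DOMAIN.LOCAL
```

On a real server, feed it `cat gss.conf`, `klist -k <keytab>`, and the xmpp.fqdn value from the Openfire system properties; the KDC-side half (whether that SPN is actually registered on the keytab account, which is what error 7 is about) is visible only from the domain, for example with `setspn -L <account>` on a domain controller.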

The guide should still work... just change the file directories and paths a bit.