Ok, I have been banging my head against the wall for a few days on this and have been reading through many posts like the following:
https://community.spiceworks.com/how_to/13930-openfire-enable-single-sign-on-sso-on-linux
SSO: An easier way to join your CentOS 5 Openfire server to an AD Domain
Re: Spark / OpenFire SSO failure
SSO for Openfire 3.8.1 on Debian 7.0 “Wheezy” x64 + Spark 2.6.3 + AD W2k8 (not R2)
I have openfire server configured and set up on Debian 8 Jessie 64 bit.
Currently I can sign in manually with my AD credentials and everything works fine in that department.
The problem is I keep getting this error in my spark log when trying to use SSO:
Dec 03, 2015 3:22:12 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication failed:
– caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:196)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Nested Exception:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:192)
at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:152)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:324)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:243)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1079)
at org.jivesoftware.LoginDialog$LoginPanel.access$1400(LoginDialog.java:307)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:841)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
… 10 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
… 13 more
Caused by: KrbException: Identifier doesn’t match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.(Unknown Source)
… 19 more
I have created two AD users, one for openfire to use when enumerating AD users and the other for the keytab that has Kerberos pre-authentication disabled and aes 128 bit authentication enabled.
I can use kinit -V -k -t krb5.xmpp.keytab xmpp/openfire-server.domain.local@DOMAIN.LOCAL from the openfire server to confirm keytab file authentication with Kerberos.
I have actually tried importing the keytab a couple different ways from the KDC per suggested methods in the above links as well as generating it on the openfire Debian server itself to no avail.
I have checked the system properties for xmpp.domain and xmpp.fqdn which are both set to openfire-server.domain.local.
My /etc/hosts file and nsswitch.conf files appear to be correct, as well as /usr/share/openfire/resource/conf/gss.conf and /etc/krb5.conf.
At this point I have reloaded the server from scratch twice now just to be sure I wasn’t missing anything.
Can anyone post any pointers or at the very least suggest a better Linux chat server solution with SSO for a Server 2008 R2 domain?
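One server-side check worth running here, as an added example that is not from the post or from the Openfire project: it parses a keytab directly (the same entries `klist -k` prints) and confirms it holds exactly the principal the GSSAPI client will request from the KDC, xmpp/<xmpp.fqdn>@REALM, reporting a case-only mismatch separately because Kerberos names are case-sensitive. The sample keytab is constructed inline with a dummy key; the principal string mirrors the one named above.

```python
import struct

def _octets(s: bytes) -> bytes:  # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(s)) + s

def build_keytab(principal: str, enctype: int = 17, key: bytes = b"\x00" * 16) -> bytes:
    """One-entry v2 (0x0502) keytab; enctype 17 = aes128-cts-hmac-sha1-96."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, 1)  # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + _octets(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list:
    """Return every principal in a v2 keytab (the names `klist -k` prints)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, principals = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a non-positive size marks an unused slot; skip its bytes
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        principals.append("/".join(comps) + "@" + realm)
        pos = end  # skip name_type, timestamp, vno and the key itself
    return principals

def check_keytab(keytab: bytes, xmpp_fqdn: str, realm: str) -> dict:
    """Does the keytab hold xmpp/<xmpp.fqdn>@REALM? Kerberos names are case-sensitive."""
    want = "xmpp/" + xmpp_fqdn + "@" + realm
    have = parse_keytab(keytab)
    return {"expected": want, "exact": want in have, "principals": have,
            "case_only": want not in have and want.lower() in [p.lower() for p in have]}

# Constructed sample mirroring the principal named in the post (dummy key, not real material).
SAMPLE_KEYTAB = build_keytab("xmpp/openfire-server.domain.local@DOMAIN.LOCAL")
```

If the keytab passes this check and the KDC still answers "Server not found in Kerberos database (7)", the KDC has no principal by that name, i.e. the SPN is not registered on any AD account, so the fix belongs on the domain side rather than in the keytab.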