9 Replies Latest reply on Jul 19, 2017 1:53 PM by speedy

    SSO - Need Help

    Cameron Hill

      All:

       

      I am in desperate need of getting an Openfire/Spark installation working with SSO.  Despite carefully trying to follow all of the various guides I could locate, I can't quite get it to go.  I was wondering if anyone might be willing to help - I would pay you for your time.

       

      I'm running Openfire 4.1.3 and Spark 2.8.3.  Everything works without SSO.  When I change the SASL.Mechs property to GSSAPI, I can no longer log in with or without SSO.  The error from the Spark log is "org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized".  I'm guessing it's something very simple with the keytab file, gss.conf file, or similar, but this is really not my area of expertise and I need this working just as fast as humanly possible.

       

      Please contact me if you would be willing to help - I would greatly appreciate it.

       

      Cameron

        • Re: SSO - Need Help
          speedy

          Which guide did you follow? That might help with your troubleshooting. Since there are a lot of moving parts with SSO, it could be multiple things. A common issue is that the SPN and xmpp.domain don't match as they should.  If you're using SRV records, then that adds another layer, and you may need to set xmpp.fqdn as well.

           

          Also, sasl.mechs can use multiple types (comma delimited), so you can set it to PLAIN,GSSAPI and it will accept both.

           

          I'm pretty busy this morning, but should be available after 2 pm EST to help.

            • Re: SSO - Need Help
              Cameron Hill

              Thanks for your offer to help!  Another member of the community already contacted me and is going to try and help out in about an hour.  If he is unsuccessful or I need further help, I will definitely reach out to you.  Thanks again.

               

              Cameron

            • Re: SSO - Need Help
              trafsta

              Any luck with this Cameron? If so, could you share your solution? I have the same issue as you after upgrading from Openfire 3.10.3 and Spark 2.73 to Openfire 4.1.5 and Spark 2.8.3. I have not been able to come up with a solution. I can log in with SSO turned off, but with it turned on, I receive "org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized" in the Spark client log after completing the upgrade to the latest versions in a test environment. I have also created PTR records for the server that appear to be correct. PTR records also exist for the client. I might need to get speedy to remote into my server again like he did a few years ago if you do not have a solution, Cameron, lol... Spent 2 days on this so far, no luck.

              • Re: SSO - Need Help
                speedy

                You may need to add the xmpp.fqdn.

                  • Re: SSO - Need Help
                    trafsta

                    These are what I have already:

                    setspn -L openfire.xmpp
                    Registered ServicePrincipalNames for CN=openfire.xmpp,OU=Service Accounts,OU=MyOU,DC=ad,DC=company,DC=com:
                            xmpp/chat.company.com
                            xmpp/s-apps2.ad.company.com
                            xmpp/s-apps2.ad.company.com@AD.COMPANY.COM
                            xmpp/chat.company.com@AD.COMPANY.COM
                    

                    xmpp.fqdn = s-apps2.ad.company.com

                    xmpp.domain = chat.company.com

                      • Re: SSO - Need Help
                        speedy

                        From the looks of it, you may not have needed to add the extra SPN... I'm guessing you have an A record for chat.company.com, since that is also your xmpp.domain.

                         

                        So I'd suggest setting xmpp.fqdn to chat.company.com as well.

                         

                        Let me know if that doesn't work.  PM me if you'd like to do a screen share. I should have some time available to help out tomorrow (7/20).
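The two checks speedy keeps coming back to in this thread (the SPN must match xmpp.domain, and xmpp.fqdn may need an SPN too) can be scripted against the output trafsta pasted from setspn -L. The script below is an added example, not code from the thread, from Openfire or from Spark. It assumes the service class is "xmpp" as in the thread, that the input is the text printed by setspn -L on Windows, and that the caller supplies the Kerberos realm; the sample output is constructed from the names in the thread. One caveat on the PLAIN,GSSAPI suggestion above: PLAIN carries the password in the clear inside the SASL exchange, so only offer it on connections that require TLS.

```python
"""Cross-check the SPNs on an Openfire service account against the
xmpp.domain / xmpp.fqdn properties.

Added example for this thread; not Openfire or Spark code.
Assumptions (not from the thread): the service class is "xmpp", the
input is the text `setspn -L <account>` prints on Windows, and the
Kerberos realm is passed in by the caller.
"""
import re

# Constructed sample input, modelled on the setspn -L output posted in
# the thread (same account and SPN names as shown there).
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=openfire.xmpp,OU=Service Accounts,OU=MyOU,DC=ad,DC=company,DC=com:
        xmpp/chat.company.com
        xmpp/s-apps2.ad.company.com
        xmpp/s-apps2.ad.company.com@AD.COMPANY.COM
        xmpp/chat.company.com@AD.COMPANY.COM
"""

# service/host[@REALM]; the header line of setspn output contains no "/"
# and therefore never matches.
SPN_RE = re.compile(r"^\s*(?P<svc>[^/\s]+)/(?P<host>[^@\s]+)(?:@(?P<realm>\S+))?\s*$")


def parse_setspn(text):
    """Return [(service, host, realm_or_None)] in the order setspn printed them."""
    spns = []
    for line in text.splitlines():
        m = SPN_RE.match(line)
        if m:
            realm = m["realm"].upper() if m["realm"] else None
            spns.append((m["svc"].lower(), m["host"].lower(), realm))
    return spns


def check_spns(setspn_text, xmpp_domain, xmpp_fqdn=None, realm=None, service="xmpp"):
    """Compare the registered SPNs with the names Openfire is configured with.

    Following the advice in the thread, both xmpp.domain and (when set)
    xmpp.fqdn are expected to have an xmpp/<name> SPN on the account whose
    keytab Openfire uses. Returns a dict the caller can inspect or print.
    """
    spns = parse_setspn(setspn_text)
    hosts = {h for s, h, _ in spns if s == service}
    realms = {r for s, _, r in spns if s == service and r}
    wanted = {xmpp_domain.lower()}
    if xmpp_fqdn:
        wanted.add(xmpp_fqdn.lower())
    return {
        "present": sorted(wanted & hosts),
        "missing": sorted(wanted - hosts),
        # SPNs registered for names Openfire is not configured with
        "unexpected": sorted(hosts - wanted),
        # every realm-qualified SPN must be in the realm the keytab was issued for
        "realm_ok": realm is None or realms <= {realm.upper()},
        # speedy's final suggestion in the thread: set xmpp.fqdn equal to xmpp.domain
        "fqdn_equals_domain": xmpp_fqdn is None or xmpp_fqdn.lower() == xmpp_domain.lower(),
    }


def spns_ok(report):
    """True when every configured name has an SPN and the realm matches."""
    return not report["missing"] and report["realm_ok"]


if __name__ == "__main__":
    # trafsta's configuration as posted: xmpp.fqdn differs from xmpp.domain
    rep = check_spns(SETSPN_OUTPUT, "chat.company.com", "s-apps2.ad.company.com", "AD.COMPANY.COM")
    for key, value in rep.items():
        print(f"{key:>19}: {value}")
    print("result:", "OK" if spns_ok(rep) else "FIX SPNs")
```

Run it with the real setspn -L output pasted into SETSPN_OUTPUT (or read from a file) and the values of xmpp.domain and xmpp.fqdn from the Openfire admin console. A non-empty "missing" list, or realm_ok being False, is the kind of mismatch that surfaces on the client as "SASLError using GSSAPI: not-authorized"; "unexpected" entries are harmless but worth knowing about when cleaning up.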