OK, so I followed the SSO HOWTO, and I still cannot get SSO to work.
Here is what I've done so far.
- Installed on Server 2003, MySQL on a Linux box.
- Active Directory LDAP working properly with groups/users/prepopulation
- Created krb5.ini and placed it on the server and on the client.
- Added the SSO user
- Created the keytab using both methods.
- Added the proper lines to openfire.xml
- xmpp.fqdn is correct
I did an nslookup on the server IP and it came back correctly. However, when I did an nslookup on the hostname, the domain name came back in caps.
e.g. server.domain.com and server.DOMAIN.COM.
Here are my configs:
openfire.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file stores bootstrap properties needed by Openfire.
Property names must be in the format: "prop.name.is.blah=value"
That will be stored as:
<prop>
<name>
<is>
<blah>value</blah>
</is>
</name>
</prop>
Most properties are stored in the Openfire database. A
property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
<adminConsole>
<!-- Disable either port by setting the value to -1 -->
<port>9090</port>
<securePort>9091</securePort>
</adminConsole>
<admin>
<!-- Use this section to define users that will have admin privileges. Below,
you will find two ways to specify which users are admins. Admins will
have access to the admin console (only local users) and may have also access
to other functionalities like ad-hoc commands. -->
<!-- By default, only the user with the username "admin" can login
to the admin console. Alternatively, you can specify a comma-delimited
list of usernames that should be authorized to login to the admin console
by setting the <authorizedUsernames> field below. -->
<!-- <authorizedUsernames></authorizedUsernames> -->
<!-- Comma-delimited list of bare JIDs. The JIDs may belong to local
or remote users. -->
<!-- <authorizedJIDs></authorizedJIDs> -->
<authorizedUsernames>mfiorentini,pmullally</authorizedUsernames>
</admin>
<locale>en</locale>
<!-- Network settings. By default, Openfire will bind to all network interfaces.
Alternatively, you can specify a specific network interfaces that the server
will listen on. For example, 127.0.0.1. This setting is generally only useful
on multi-homed servers. -->
<!--
<network>
<interface></interface>
</network>
-->
<connectionProvider>
<className>org.jivesoftware.database.DefaultConnectionProvider</className>
</connectionProvider>
<!-- sasl configuration -->
<sasl>
<mechs>GSSAPI</mechs>
<!-- Set this to your Kerberos realm name, which is usually your AD domain name in all caps. -->
<realm>LANDMETRO.COM</realm>
<gssapi>
<!-- You can set this to false once you have everything working. -->
<debug>true</debug>
<!-- Set this to the location of your gss.conf file created earlier -->
<!-- "/" is used in the path here, not "\", even though this is on Windows. -->
<config>C:/Program Files/Openfire/conf/gss.conf</config>
<useSubjectCredsOnly>false</useSubjectCredsOnly>
</gssapi>
</sasl>
<database>
<defaultProvider>
<driver>com.mysql.jdbc.Driver</driver>
<serverURL>jdbc:mysql://****.landmetro.com:3306/openfire</serverURL>
<username>****</username>
<password>****</password>
<minConnections>5</minConnections>
<maxConnections>15</maxConnections>
<connectionTimeout>1.0</connectionTimeout>
</defaultProvider>
</database>
<ldap>
<host>localhost</host>
<port>389</port>
<baseDN>DC=landmetro,DC=com</baseDN>
<adminDN>CN=openfireadmin,CN=Users,DC=landmetro,DC=com</adminDN>
<adminPassword>****</adminPassword>
<connectionPoolEnabled>true</connectionPoolEnabled>
<sslEnabled>false</sslEnabled>
<ldapDebugEnabled>false</ldapDebugEnabled>
<autoFollowReferrals>false</autoFollowReferrals>
<usernameField>sAMAccountName</usernameField>
<searchFilter>(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOF=CN=messaging,OU=GROUPS,DC=LANDMETRO,DC=com)))</searchFilter>
<vcard-mapping><![CDATA[
<vCard xmlns="vcard-temp">
<N>
<GIVEN></GIVEN>
</N>
<EMAIL>
<INTERNET/>
<USERID></USERID>
</EMAIL>
<FN></FN>
<ADR>
<HOME/>
<STREET></STREET>
<PCODE></PCODE>
<CTRY></CTRY>
</ADR>
<ADR>
<WORK/>
<STREET></STREET>
<LOCALITY></LOCALITY>
<REGION></REGION>
<PCODE></PCODE>
<CTRY></CTRY>
</ADR>
<TEL>
<HOME/>
<VOICE/>
<NUMBER></NUMBER>
</TEL>
<TEL>
<HOME/>
<CELL/>
<NUMBER></NUMBER>
</TEL>
<TEL>
<WORK/>
<VOICE/>
<NUMBER></NUMBER>
</TEL>
<TEL>
<WORK/>
<CELL/>
<NUMBER></NUMBER>
</TEL>
<TEL>
<WORK/>
<FAX/>
<NUMBER></NUMBER>
</TEL>
<TEL>
<WORK/>
<PAGER/>
<NUMBER></NUMBER>
</TEL>
<TITLE></TITLE>
<ORG>
<ORGUNIT></ORGUNIT>
</ORG>
</vCard>]]></vcard-mapping>
<nameField>cn</nameField>
<emailField>mail</emailField>
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter>(&(objectClass=group)(memberOF=CN=messaging,OU=GROUPS,DC=LANDMETRO,DC=com))</groupSearchFilter>
</ldap>
<provider>
<vcard>
<className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
</vcard>
<user>
<className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
</user>
<auth>
<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
</auth>
<group>
<className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
</group>
</provider>
<authorization>
<classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
</authorization>
<setup>true</setup>
<log>
<debug>
<enabled>true</enabled>
</debug>
</log>
</jive>
gss.conf
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="LANDMETRO.COM"
principal="xmpp/mill-serv.landmetro.com@LANDMETRO.COM"
debug=true;
};
krb5.ini
default_realm = LANEMETRO.COM
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
LANDMETRO.COM = {
kdc = mill-serv.landmetro.com
admin_server = mill-serv.landmetro.com
default_domain = landmetro.com
}
.domain.com = LANDMETRO.COM
Here are my error messages.
warn.log
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:211)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:173)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
... 21 more
Server Output
Openfire 3.4.3
Admin console listening at:
http://mill-serv.landmetro.com:9090
https://mill-serv.landmetro.com:9091
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/mill-serv.landmetro.com@LANDMETRO.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/mill-serv.landmetro.com@LANDMETRO.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: C0 BB 68 C4 ED 19 57 D6 6F D5 7B 1B FB E5 A7 B5 …h…W.o…
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 58 A4 FD 45 0B 49 E5 7A 26 4F 5D F2 AB BA 80 8A X…E.I.z&O]…
0010: BA 15 32 FB E6 5D BC 57
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 9E F7 B6 04 13 C7 89 13
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 9E F7 B6 04 13 C7 89 13
Added server's key Kerberos Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM Key Version 1 key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C0 BB 68 C4 ED 19 57 D6 6F D5 7B 1B FB E5 A7 B5 …h…W.o…
added Krb5Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM to Subject
Added server's key Kerberos Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM Key Version 1 key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 58 A4 FD 45 0B 49 E5 7A 26 4F 5D F2 AB BA 80 8A X…E.I.z&O]…
0010: BA 15 32 FB E6 5D BC 57
added Krb5Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM to Subject
Added server's key Kerberos Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM Key Version 1 key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 9E F7 B6 04 13 C7 89 13
added Krb5Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM to Subject
Added server's key Kerberos Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM Key Version 1 key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 9E F7 B6 04 13 C7 89 13
added Krb5Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM to Subject
Commit Succeeded
Raw Sent Packets
<stream:stream to="mill-serv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<stream:stream to="mill-serv.landmetro.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<auth mechanism=“GSSAPI” xmlns=“urn:ietf:params:xml:ns:xmpp-sasl”>YIIFDwYJKoZIhvcSAQICAQBuggTMIIEqADAgEFoQMCAQ6iBwMFAAAAAACjggQiYYIEHjCCBBqgAwIBBaEPGw1MQU5ETUVUUk8uQ09NoiowKKADA gEAoSEwHxsEeG1wcBsXbWlsbC1zZXJ2LmxhbmRtZXRyby5jb22jggPUMIID0KADAgEXoQMCAQqiggPCB IIDvnhgfphnBYzg6wyGq9WFVfebEptXrJ1AcoPhMgKYaLSMcxrg1igmfBsxA4YQjH8vFbxSIIwcu3vdH3czqzDklPMdHDAzHT89d1AOo14wx6UieOso9xCHxp5i37XT0eOacSNz/FQugzR7N8Z/xuRDrVbIcZneHONdZup4MMJLbgPnQK7H O1XMIkOd18fvrkLKiJ8239JcyVmKnfcd2kBFIIWS2HgmrglztIBW/hQAYAfUNeooDn7rp4nZyATerxGoAIsLW7KIIY0poiXzaMKJd99Td 2tljzIWxNkpUQhH2X0QlnkEY5G6HaiTVPJOsK1ZJuYlPbEmX0kTC2vfHuXQgSHfl1U1cw7X7y9iD61tOAg04g2h2rySEwDv9jpHaGLpax9izFE1Kle/tgFuk94gXBD264P6LrCDTOtuvaYqbMlj3eU6fw48IV8Svr54MTu33wd4Mm50XpJda452QSfheiVkUQfnbm8ca1MltOliZDEoHTSTZXWVOz4lJCO8Z5WI8cIxYttrwtdY6/eDc6i8pzbX5WzpzObrTx/u9wh I0aA1aWUBBwk4HwflbJdN8kR9zAqzZGnWIHWzxs6uWjnzI94XV5GkkC2892Yryph6ps/CG/JIIBL48ZV dYYoBPOkPAXbWOhDWoft3Q5uUMkyp5p1Kwd6kT9SmQqmESM24BEJvkJzhVUY6dU9N7QfKP0aiVBzFW1J 7o62RS4ptaMT9HZwGgU7yUMZ8QUWMxFZYxgwAs7wBX6A7W7zWDZbVrby2O2RYbqXY3EUD/ApFeZQ6T0D RH3Qy1wIcii6bt2A06aRPXFN5RJ0v/FTguqA3Or3NsXf9aztvmCCUi5PkUVFNWrNv52sRuKcPEqbzJAXAf2POYTcT7U5oiJedXz3xlipAghzRUo2QNA/ym9wvCcu*/sRGVFO/zHfikbjjxj4pPiQzDQzqXvQ4erE/QeEnVzthVCUPtT7vbbVO5D5ytLKluIsuPtFVMMQknvghCf5OsOpYfuYvUjaSvlHrg2P8nrg/juGCdhE19WHHO9RHjXZiaofAZaRcbU4iZCUhEMzI2zYXBS7SigT0Jriidvevu6 JItwyqAWq46Q4eIoySdbUwfiAW4OcuaVK8HRt47Lf1iDUY0R2dMjgcY7mebmxLHRe7KlaENkABDE9wNH2HRkQdhZgBcJShqnJ2g1LojvQl2W/VC4uVtcdX7LEbSub7YP9cwxfylapz1knqQ 9VmntCL1K0RFWlzFiRxd/kdE6nNAZukgb4wgbugAwIBA6KBswSBsA56ag1hgmvSeIUERWpuA5fOaZu7Q33lfLZ9NzqH7SXE8zc9xSASdAu44bkAIgTEeL4WnGF3we82xRSDMdl1fY7GtBqb3lxsLRDo/WwkdF lBD4s/hUZXF3gtyzSHG8UJoNz4bP*upplBZJsqFhnHV9J4Gjjv/JrzREdU1d6A9sd5z3AHtpS7uDZH/0JDFle/g+1ac8m56wEmmRQE0yUUCTM eJXFqQQ/5x67eCpzC26</auth>
<presence id="70Hxy-1" type="unavailable"></presence>
Raw Received Packets
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mill-serv.landmetro.com" id="d08d0200" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mill-serv.landmetro.com" id="d08d0200" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>
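The configs in this post spell the realm in three places (krb5.ini, gss.conf and the `<sasl><realm>` in openfire.xml) and the server host once more in the service principal, and a spelling or domain-mapping mismatch between those places is one of the first things to rule out when the keytab loads but GSSAPI still reports no valid credentials. The script below is an added diagnostic, not code from the post or from Openfire: it parses the krb5.ini and gss.conf text, takes the openfire.xml realm and the server FQDN as parameters, and lists every inconsistency it finds. The sample inputs are constructed to mirror the values in the post; the krb5.ini section headers `[libdefaults]`, `[realms]` and `[domain_realm]` are assumed, since the post shows the file without them.

```python
"""Cross-check realm and host spellings in krb5.ini, a JAAS gss.conf and
Openfire's <sasl><realm> against the XMPP server's FQDN.

Added diagnostic, not code from the forum post or from Openfire. The sample
inputs at the bottom are constructed to mirror the values shown in the post."""
import re


def parse_krb5(text):
    """Minimal krb5.ini parser: [section] headers, key = value lines and one
    level of NAME = { ... } blocks (as used under [realms])."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
            block = None
        elif line == "}":
            block = None
        elif section is None:
            continue                      # ignore text before the first section
        elif line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            block = conf[section].setdefault(name, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (block if block is not None else conf[section])[key] = value
    return conf


def parse_gss_conf(text):
    """Collect the options of a JAAS Krb5LoginModule entry (boolean and quoted)."""
    flags = dict(re.findall(r'(\w+)\s*=\s*(true|false)\b', text))
    quoted = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', text))
    return {**flags, **quoted}


def split_principal(principal):
    """'xmpp/host@REALM' -> ('xmpp', 'host', 'REALM')."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def check_sso_config(krb5, gss, openfire_realm, server_fqdn):
    """Return human-readable mismatches; an empty list means the files agree."""
    findings = []
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "")
    realms = krb5.get("realms", {})
    if default_realm not in realms:
        findings.append(f"krb5 default_realm {default_realm!r} has no [realms] entry "
                        f"(defined: {sorted(realms)})")
    service, host, realm = split_principal(gss.get("principal", ""))
    if service != "xmpp":
        findings.append(f"gss.conf principal service is {service!r}, expected 'xmpp'")
    if host.lower() != server_fqdn.lower():
        findings.append(f"gss.conf principal host {host!r} != server FQDN {server_fqdn!r}")
    if realm != default_realm:
        findings.append(f"gss.conf principal realm {realm!r} != krb5 default_realm {default_realm!r}")
    if gss.get("realm", realm) != realm:
        findings.append(f"gss.conf realm {gss['realm']!r} != principal realm {realm!r}")
    if openfire_realm != realm:
        findings.append(f"openfire.xml sasl realm {openfire_realm!r} != principal realm {realm!r}")
    if gss.get("useKeyTab") != "true" or gss.get("storeKey") != "true":
        findings.append("gss.conf acceptor needs useKeyTab=true and storeKey=true")
    # [domain_realm]: the host itself or one of its parent domains must map to the realm.
    domain_realm = {k.lower(): v for k, v in krb5.get("domain_realm", {}).items()}
    parts = server_fqdn.lower().split(".")
    candidates = [server_fqdn.lower()] + ["." + ".".join(parts[i:]) for i in range(1, len(parts))]
    mapped = next((domain_realm[c] for c in candidates if c in domain_realm), None)
    if mapped is None:
        findings.append(f"no [domain_realm] mapping covers {server_fqdn!r} (have: {sorted(domain_realm)})")
    elif mapped != realm:
        findings.append(f"[domain_realm] maps {server_fqdn!r} to {mapped!r}, principal realm is {realm!r}")
    return findings


# Constructed samples mirroring the post (note LANEMETRO vs LANDMETRO and .domain.com).
SAMPLE_KRB5 = """
[libdefaults]
default_realm = LANEMETRO.COM
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
LANDMETRO.COM = {
kdc = mill-serv.landmetro.com
admin_server = mill-serv.landmetro.com
default_domain = landmetro.com
}
[domain_realm]
.domain.com = LANDMETRO.COM
"""
SAMPLE_GSS = """
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="LANDMETRO.COM"
principal="xmpp/mill-serv.landmetro.com@LANDMETRO.COM"
debug=true;
};
"""
SERVER_FQDN = "mill-serv.landmetro.com"   # the value of xmpp.fqdn in the post


def run_sample(krb5_text=SAMPLE_KRB5):
    return check_sso_config(parse_krb5(krb5_text), parse_gss_conf(SAMPLE_GSS),
                            "LANDMETRO.COM", SERVER_FQDN)


if __name__ == "__main__":
    for finding in run_sample() or ["no mismatches found"]:
        print(finding)
```

Run against the sample it reports three mismatches: the `default_realm` spelling has no `[realms]` entry, the principal's realm differs from `default_realm`, and no `[domain_realm]` line covers the server's domain. Correcting those two krb5.ini lines makes the check pass, which is the point of keeping the comparison in a script: it can be re-run after every edit and against each client machine's copy of krb5.ini as well.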