Single Signon - SSO With Windows Server 2003 and Spark 2.5.8

Ok, so I followed the SSO Howto, and I still cannot get SSO to work.

Here is what I've done so far.

  1. Installed on Server 2003, MySQL on a Linux box.
  2. Active Directory LDAP working properly with groups/users/prepopulation.
  3. Created krb5.ini and placed it on the server and on the client.
  4. Added the SSO user.
  5. Created the keytab using both methods.
  6. Added the proper lines to openfire.xml.
  7. xmpp.fqdn is correct.

I did an nslookup on the server IP and it came back correctly. However, when I did an nslookup on the hostname, the domain name came back in caps.

e.g. server.domain.com and server.DOMAIN.COM.

Here are my configs…

openfire.xml


<?xml version="1.0" encoding="UTF-8"?>
<!--
    This file stores bootstrap properties needed by Openfire.

    Property names must be in the format: "prop.name.is.blah=value"
    That will be stored as:
        <prop>
            <name>
                <is>
                    <blah>value</blah>
                </is>
            </name>
        </prop>

    Most properties are stored in the Openfire database. A
    property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
    <adminConsole>
        <!-- Disable either port by setting the value to -1 -->
        <port>9090</port>
        <securePort>9091</securePort>
    </adminConsole>
    <admin>
        <!-- Use this section to define users that will have admin privileges. Below,
             you will find two ways to specify which users are admins. Admins will
             have access to the admin console (only local users) and may also have access
             to other functionalities like ad-hoc commands. -->
        <!-- By default, only the user with the username "admin" can login
             to the admin console. Alternatively, you can specify a comma-delimited
             list of usernames that should be authorized to login to the admin console
             by setting the <authorizedUsernames> field below. -->
        <!-- <authorizedUsernames></authorizedUsernames> -->
        <!-- Comma-delimited list of bare JIDs. The JIDs may belong to local
             or remote users. -->
        <!-- <authorizedJIDs></authorizedJIDs> -->
        <authorizedUsernames>mfiorentini,pmullally</authorizedUsernames>
    </admin>
    <locale>en</locale>
    <!-- Network settings. By default, Openfire will bind to all network interfaces.
         Alternatively, you can specify a specific network interface that the server
         will listen on. For example, 127.0.0.1. This setting is generally only useful
         on multi-homed servers. -->
    <!--
    <network>
        <interface></interface>
    </network>
    -->
    <connectionProvider>
        <className>org.jivesoftware.database.DefaultConnectionProvider</className>
    </connectionProvider>
    <!-- sasl configuration -->
    <sasl>
        <mechs>GSSAPI</mechs>
        <!-- Set this to your Kerberos realm name, which is usually your AD domain name in all caps. -->
        <realm>LANDMETRO.COM</realm>
        <gssapi>
            <!-- You can set this to false once you have everything working. -->
            <debug>true</debug>
            <!-- Set this to the location of your gss.conf file created earlier. -->
            <!-- "/" is used in the path here, not "\", even though this is on Windows. -->
            <config>C:/Program Files/Openfire/conf/gss.conf</config>
            <useSubjectCredsOnly>false</useSubjectCredsOnly>
        </gssapi>
    </sasl>
    <database>
        <defaultProvider>
            <driver>com.mysql.jdbc.Driver</driver>
            <serverURL>jdbc:mysql://****.landmetro.com:3306/openfire</serverURL>
            <username>****</username>
            <password>****</password>
            <minConnections>5</minConnections>
            <maxConnections>15</maxConnections>
            <connectionTimeout>1.0</connectionTimeout>
        </defaultProvider>
    </database>
    <ldap>
        <host>localhost</host>
        <port>389</port>
        <baseDN>DC=landmetro,DC=com</baseDN>
        <adminDN>CN=openfireadmin,CN=Users,DC=landmetro,DC=com</adminDN>
        <adminPassword>****</adminPassword>
        <connectionPoolEnabled>true</connectionPoolEnabled>
        <sslEnabled>false</sslEnabled>
        <ldapDebugEnabled>false</ldapDebugEnabled>
        <autoFollowReferrals>false</autoFollowReferrals>
        <usernameField>sAMAccountName</usernameField>
        <searchFilter>(&amp;(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOF=CN=messaging,OU=GROUPS,DC=LANDMETRO,DC=com))</searchFilter>
        <vcard-mapping><![CDATA[
            <vCard xmlns="vcard-temp">
                <N>
                    <GIVEN></GIVEN>
                </N>
                <EMAIL>
                    <INTERNET/>
                    <USERID></USERID>
                </EMAIL>
                <FN></FN>
                <ADR>
                    <HOME/>
                    <STREET></STREET>
                    <PCODE></PCODE>
                    <CTRY></CTRY>
                </ADR>
                <ADR>
                    <WORK/>
                    <STREET></STREET>
                    <LOCALITY></LOCALITY>
                    <REGION></REGION>
                    <PCODE></PCODE>
                    <CTRY></CTRY>
                </ADR>
                <TEL>
                    <HOME/>
                    <VOICE/>
                    <NUMBER></NUMBER>
                </TEL>
                <TEL>
                    <HOME/>
                    <CELL/>
                    <NUMBER></NUMBER>
                </TEL>
                <TEL>
                    <WORK/>
                    <VOICE/>
                    <NUMBER></NUMBER>
                </TEL>
                <TEL>
                    <WORK/>
                    <CELL/>
                    <NUMBER></NUMBER>
                </TEL>
                <TEL>
                    <WORK/>
                    <FAX/>
                    <NUMBER></NUMBER>
                </TEL>
                <TEL>
                    <WORK/>
                    <PAGER/>
                    <NUMBER></NUMBER>
                </TEL>
                <TITLE></TITLE>
                <ORG>
                    <ORGUNIT></ORGUNIT>
                </ORG>
            </vCard>]]></vcard-mapping>
        <nameField>cn</nameField>
        <emailField>mail</emailField>
        <groupNameField>cn</groupNameField>
        <groupMemberField>member</groupMemberField>
        <groupDescriptionField>description</groupDescriptionField>
        <posixMode>false</posixMode>
        <groupSearchFilter>(&amp;(objectClass=group)(memberOF=CN=messaging,OU=GROUPS,DC=LANDMETRO,DC=com))</groupSearchFilter>
    </ldap>
    <provider>
        <vcard>
            <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
        </vcard>
        <user>
            <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
        </user>
        <auth>
            <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
        </auth>
        <group>
            <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
        </group>
    </provider>
    <authorization>
        <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
    </authorization>
    <setup>true</setup>
    <log>
        <debug>
            <enabled>true</enabled>
        </debug>
    </log>
</jive>


gss.conf

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="LANDMETRO.COM"
    principal="xmpp/mill-serv.landmetro.com@LANDMETRO.COM"
    debug=true;
};


krb5.ini

[libdefaults]
    default_realm = LANEMETRO.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    LANDMETRO.COM = {
        kdc = mill-serv.landmetro.com
        admin_server = mill-serv.landmetro.com
        default_domain = landmetro.com
    }

[domain_realm]
    domain.com = LANDMETRO.COM
    .domain.com = LANDMETRO.COM

Here are my error messages.


warn.log

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
    at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
    at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:211)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:173)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
    ... 21 more


Server Output

Openfire 3.4.3
Admin console listening at:
http://mill-serv.landmetro.com:9090
https://mill-serv.landmetro.com:9091
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Openfire/resources/xmpp.keytab refreshKrb5Config is false principal is xmpp/mill-serv.landmetro.com@LANDMETRO.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/mill-serv.landmetro.com@LANDMETRO.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: C0 BB 68 C4 ED 19 57 D6 6F D5 7B 1B FB E5 A7 B5 …h…W.o…
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 58 A4 FD 45 0B 49 E5 7A 26 4F 5D F2 AB BA 80 8A X…E.I.z&O]…
0010: BA 15 32 FB E6 5D BC 57
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 9E F7 B6 04 13 C7 89 13
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 9E F7 B6 04 13 C7 89 13
Added server's keyKerberos Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COMKey Version 1key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C0 BB 68 C4 ED 19 57 D6 6F D5 7B 1B FB E5 A7 B5 …h…W.o…
added Krb5Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM to Subject
Added server's keyKerberos Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COMKey Version 1key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 58 A4 FD 45 0B 49 E5 7A 26 4F 5D F2 AB BA 80 8A X…E.I.z&O]…
0010: BA 15 32 FB E6 5D BC 57
added Krb5Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM to Subject
Added server's keyKerberos Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COMKey Version 1key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 9E F7 B6 04 13 C7 89 13
added Krb5Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM to Subject
Added server's keyKerberos Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COMKey Version 1key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 9E F7 B6 04 13 C7 89 13
added Krb5Principal xmpp/mill-serv.landmetro.com@LANDMETRO.COM to Subject
Commit Succeeded


Raw Sent Packets

<stream:stream to="mill-serv" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<stream:stream to="mill-serv.landmetro.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

<auth mechanism=“GSSAPI” xmlns=“urn:ietf:params:xml:ns:xmpp-sasl”>YIIFDwYJKoZIhvcSAQICAQBuggTMIIEqADAgEFoQMCAQ6iBwMFAAAAAACjggQiYYIEHjCCBBqgAwIBBaEPGw1MQU5ETUVUUk8uQ09NoiowKKADA gEAoSEwHxsEeG1wcBsXbWlsbC1zZXJ2LmxhbmRtZXRyby5jb22jggPUMIID0KADAgEXoQMCAQqiggPCB IIDvnhgfphnBYzg6wyGq9WFVfebEptXrJ1AcoPhMgKYaLSMcxrg1igmfBsxA4YQjH8vFbxSIIwcu3vdH3czqzDklPMdHDAzHT89d1AOo14wx6UieOso9xCHxp5i37XT0eOacSNz/FQugzR7N8Z/xuRDrVbIcZneHONdZup4MMJLbgPnQK7H O1XMIkOd18fvrkLKiJ8239JcyVmKnfcd2kBFIIWS2HgmrglztIBW/hQAYAfUNeooDn7rp4nZyATerxGoAIsLW7KIIY0poiXzaMKJd99Td 2tljzIWxNkpUQhH2X0QlnkEY5G6HaiTVPJOsK1ZJuYlPbEmX0kTC2vfHuXQgSHfl1U1cw7X7y9iD61tOAg04g2h2rySEwDv9jpHaGLpax9izFE1Kle/tgFuk94gXBD264P6LrCDTOtuvaYqbMlj3eU6fw48IV8Svr54MTu33wd4Mm50XpJda452QSfheiVkUQfnbm8ca1MltOliZDEoHTSTZXWVOz4lJCO8Z5WI8cIxYttrwtdY6/eDc6i8pzbX5WzpzObrTx/u9wh I0aA1aWUBBwk4HwflbJdN8kR9zAqzZGnWIHWzxs6uWjnzI94XV5GkkC2892Yryph6ps/CG/JIIBL48ZV dYYoBPOkPAXbWOhDWoft3Q5uUMkyp5p1Kwd6kT9SmQqmESM24BEJvkJzhVUY6dU9N7QfKP0aiVBzFW1J 7o62RS4ptaMT9HZwGgU7yUMZ8QUWMxFZYxgwAs7wBX6A7W7zWDZbVrby2O2RYbqXY3EUD/ApFeZQ6T0D RH3Qy1wIcii6bt2A06aRPXFN5RJ0v/FTguqA3Or3NsXf9aztvmCCUi5PkUVFNWrNv52sRuKcPEqbzJAXAf2POYTcT7U5oiJedXz3xlipAghzRUo2QNA/ym9wvCcu*/sRGVFO/zHfikbjjxj4pPiQzDQzqXvQ4erE/QeEnVzthVCUPtT7vbbVO5D5ytLKluIsuPtFVMMQknvghCf5OsOpYfuYvUjaSvlHrg2P8nrg/juGCdhE19WHHO9RHjXZiaofAZaRcbU4iZCUhEMzI2zYXBS7SigT0Jriidvevu6 JItwyqAWq46Q4eIoySdbUwfiAW4OcuaVK8HRt47Lf1iDUY0R2dMjgcY7mebmxLHRe7KlaENkABDE9wNH2HRkQdhZgBcJShqnJ2g1LojvQl2W/VC4uVtcdX7LEbSub7YP9cwxfylapz1knqQ 9VmntCL1K0RFWlzFiRxd/kdE6nNAZukgb4wgbugAwIBA6KBswSBsA56ag1hgmvSeIUERWpuA5fOaZu7Q33lfLZ9NzqH7SXE8zc9xSASdAu44bkAIgTEeL4WnGF3we82xRSDMdl1fY7GtBqb3lxsLRDo/WwkdF lBD4s/hUZXF3gtyzSHG8UJoNz4bP*upplBZJsqFhnHV9J4Gjjv/JrzREdU1d6A9sd5z3AHtpS7uDZH/0JDFle/g+1ac8m56wEmmRQE0yUUCTM eJXFqQQ/5x67eCpzC26</auth>

<presence id="70Hxy-1" type="unavailable"></presence>


Raw Received Packets

<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mill-serv.landmetro.com" id="d08d0200" xml:lang="en" version="1.0">
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mill-serv.landmetro.com" id="d08d0200" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>

Did you make the needed modifications to the registry of the client machines (reg edits attached below)? Is the krb5.ini on both the server and clients? Is the FQDN of the server the same as the AD bound name (they must match)?

Yea, I did add the registry. Now, when you say the FQDN being the same as the AD bound name, what do you mean by that?

-Mitch

What I mean is that the Computer Name (found by going to the System control panel) plus the addition of your domain must match the name you set in the Openfire setup. For example:

Computer name: SomeComputer

Domain: somedomain.com

FQDN of the computer: SomeComputer.somedomain.com

Openfire Server Name = FQDN = SomeComputer.somedomain.com

You cannot use a name alias.

Yes, that is set correctly.
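A consistency check across the three configs in this thread, as an added example (not code from the original posts or from Openfire): it parses a krb5.ini and a gss.conf and reports where the principal's host and realm, the <sasl><realm> value, default_realm and the [domain_realm] mapping disagree, and whether the principal's host is the server's own FQDN rather than an alias, as the reply above requires. The embedded values are constructed copies of what was posted; the xmpp.fqdn value and the krb5.ini section headers are assumptions.

```python
import re
# Constructed copies of the values posted in this thread (the xmpp.fqdn value is assumed).
SASL_REALM = "LANDMETRO.COM"            # openfire.xml <sasl><realm>
XMPP_FQDN = "mill-serv.landmetro.com"   # assumed xmpp.fqdn / Openfire server name
GSS_CONF = '''com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule
    required storeKey=true useKeyTab=true keyTab="C:/Program Files/Openfire/resources/xmpp.keytab"
    realm="LANDMETRO.COM" principal="xmpp/mill-serv.landmetro.com@LANDMETRO.COM"; };'''
KRB5_INI = '''[libdefaults]
default_realm = LANEMETRO.COM
[realms]
LANDMETRO.COM = {
    kdc = mill-serv.landmetro.com
}
[domain_realm]
domain.com = LANDMETRO.COM
.domain.com = LANDMETRO.COM'''

def parse_krb5(text):
    """Minimal krb5.ini parser: {section: {key: value}}; a 'REALM = {' line is kept under its key."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_sso(sasl_realm, xmpp_fqdn, gss_conf, krb5_ini):
    findings = []
    principal = re.search(r'principal="([^"]+)"', gss_conf).group(1)
    host, realm = principal.split("/", 1)[1].split("@", 1)
    if host.lower() != xmpp_fqdn.lower():        # DNS names are case-insensitive; no aliases
        findings.append(f"principal host {host} is not the server FQDN {xmpp_fqdn}")
    if realm != sasl_realm:
        findings.append(f"principal realm {realm} differs from <sasl><realm> {sasl_realm}")
    krb5 = parse_krb5(krb5_ini)
    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if default_realm != sasl_realm:              # catches the LANEMETRO typo above
        findings.append(f"krb5.ini default_realm {default_realm} differs from {sasl_realm}")
    if sasl_realm not in krb5.get("realms", {}):
        findings.append(f"krb5.ini [realms] has no block for {sasl_realm}")
    domain = "." + xmpp_fqdn.lower().split(".", 1)[1]
    mapping = {k.lower(): v for k, v in krb5.get("domain_realm", {}).items()}
    if sasl_realm not in (mapping.get(domain), mapping.get(domain[1:])):
        findings.append(f"krb5.ini [domain_realm] does not map {domain} to {sasl_realm}")
    return findings
```

Run against the posted values it reports the default_realm typo and the unmodified domain.com mapping; an empty list means the three files agree.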