I’m having issues with getting SSO to work. It looks like I’m authenticating but not authorizing. I’ve tried to follow the instructions for SSO configuration as best as I can, but I continue to get the generic Spark error: “Unable to connect using Single Sign-On. Please check your principal and server settings.”
Here are the basics:
Openfire 3.4.1 running on a CentOS5 server
Spark 2.5.7 clients running on WinXP SP2
Active Directory running on Win2k3 servers, 2 domain controllers (if that matters)
Windows Domain/Kerberos Realm = DOCMAGIC.COM
Openfire server name = openfire
user created for keytab creation = xmpp-openfire
command line for creation of the keytab =
ktpass -princ --xmpp/openfire.docmagic.com@DOCMAGIC.COM-- -pass password -mapuser xmpp-openfire -out jabber.keytab
keytab file placed on Openfire server in /opt/openfire/resources, chown’d to daemon:daemon and chmod’d to 640
attached gss.conf found in /opt/openfire/conf
attached openfire.xml
error message found in Spark warn.log file:
Nov 14, 2007 6:23:57 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
not-authorized(401)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:94)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:227)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:828)
at org.jivesoftware.LoginDialog$LoginPanel.access$400(LoginDialog.java:196)
at org.jivesoftware.LoginDialog$LoginPanel$1.construct(LoginDialog.java:594)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:129)
at java.lang.Thread.run(Unknown Source)
Things I’ve already tried with no change to results:
- Using Java 1.6 Update 3 (other tests were using 1.5.0.12)
- Adding allowtgtsessionkey information as described elsewhere to the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos key on the workstation.
- Setting both the testing user and the keytab user (xmpp-openfire) to use DES for encryption (changing the password after the setting was changed).
- Restarting the openfire service/rebooting the Openfire server
- Added ssoEnabled=True and ssoAdv=True to the spark.properties file (Spark does detect the correct user name from Windows just fine)
Any help you can provide would be much appreciated. Thanks.
M@
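Added example, not part of the original post: a read-only parser that lists the principal, key version and encryption type stored in a keytab such as jabber.keytab, so the entry can be compared with the principal given to ktpass. It assumes the MIT keytab file format, version 0x0502; the function names and the sample bytes are constructed for illustration.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # subset of Kerberos enctype numbers

def _entry(rec):
    """Decode one record into (principal, kvno, enctype name); key bytes are skipped."""
    (ncomp,) = struct.unpack_from(">H", rec, 0)  # component count, realm excluded
    off = 2
    def counted():  # 16-bit big-endian length, then that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", rec, off)
        off += 2 + n
        return rec[off - n:off]
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    off += 8  # skip name type and timestamp (32 bits each)
    kvno, etype = struct.unpack_from(">BH", rec, off)
    off += 3
    counted()  # step over the key without returning or printing it
    if len(rec) - off >= 4:  # optional 32-bit kvno replaces the 8-bit one when nonzero
        kvno = struct.unpack_from(">I", rec, off)[0] or kvno
    return f"{name}@{realm}", kvno, ENCTYPES.get(etype, f"etype-{etype}")

def parse_keytab(data):
    """List the entries of an MIT-format keytab (file version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_entry(data[pos:pos + size]))
        pos += abs(size)  # a negative size marks a deleted record (hole) to skip
    return entries

def enctypes_for(entries, spn):
    """Enctypes stored for exactly this principal; an empty list means it is absent."""
    return sorted({e for p, _, e in entries if p == spn})

def sample_keytab():
    """Constructed sample: a 4-byte hole, then one des-cbc-md5 entry with an all-zero key."""
    c = lambda b: struct.pack(">H", len(b)) + b
    rec = (struct.pack(">H", 2) + c(b"DOCMAGIC.COM") + c(b"xmpp") + c(b"openfire.docmagic.com")
           + struct.pack(">IIBH", 1, 0, 3, 3) + c(bytes(8)))
    return b"\x05\x02" + struct.pack(">i", -4) + bytes(4) + struct.pack(">i", len(rec)) + rec

if __name__ == "__main__":
    print(parse_keytab(sample_keytab()))
```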