Hi all,
First of all, I am new to Spark/Openfire, but have gotten myself quite familiar with the product over the last few days. I am currently doing a pilot installation where SSO is one of the main requirements. However, I have, as many others, problems getting the SSO part to work.
The warn.log in Spark throws the following error:
20.feb.2014 10:12:04 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
SASL authentication GSSAPI failed: not-authorized:
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
The setup is as follows:
Domain controller: Windows Server 2008 SP2 in native mode (hostname: th-snd-vmdc01.th.local)
Openfire server: Windows Server 2008 R2 64 bit (hostname: th-snd-vmim01.th.local)
Client: Windows 7 64 bit
Domain: th.local
All servers have a DNS record and a corresponding PTR record.
This is what I have done:
1. Created 2 AD accounts: openfire and xmpp-openfire, one for LDAP lookups and one for key mapping
2. SPN and key mapping:
setspn -A xmpp/th-snd-vmim01.th.local@TH.LOCAL xmpp-openfire
ktpass -princ xmpp/th-snd-vmim01.th.local@TH.LOCAL -mapuser xmpp-openfire -pass * -ptype KRB5_NT_PRINCIPAL
ktab -k xmpp.keytab -a th-snd-vmim01.th.local@TH.LOCAL
3. I tested the key created above, and it returns nothing (which according to docs means everything is ok):
kinit -k -t xmpp.keytab th-snd-vmim01.th.local@TH.LOCAL "password"
4. Copied xmpp.keytab to ~\Openfire\resources
5. Created gss.conf in ~\Openfire\conf
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="C:\Program Files (x86)\Openfire\resources\xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="TH.LOCAL"
principal="xmpp/th-snd-vmim01.th.local@TH.LOCAL"
debug=true;
};
6. Added the following entries to the system properties:
sasl.gssapi.config C:\Program Files (x86)\Openfire\conf\gss.conf
sasl.gssapi.debug false
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm TH.LOCAL
xmpp.domain th-snd-vmim01.th.local
xmpp.fqdn th-snd-vmim01.th.local
7. Created krb5.ini and added to Windows-directory on both server and client:
[libdefaults]
default_realm = TH.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
TH.LOCAL = {
kdc = th-snd-vmdc01.th.local
admin_server = th-snd-vmdc01.th.local
default_domain = TH.LOCAL
}
[domain_realm]
.th.local = TH.LOCAL
th.local = TH.LOCAL
8. Added regkey AllowTGTSessionKey (DWORD value 1) to HKLM\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters on both server and client
9. Added group policy for Kerberos encryption on both client and server, added all protocols.
Does anyone know what I am missing here?
Any input is highly appreciated,
Thanks
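As an added example (not part of the post above, and not Openfire's own code): a small Python check that parses a keytab and compares the principals it contains with the principal gss.conf expects. In the post, the ktab and kinit commands name th-snd-vmim01.th.local@TH.LOCAL while gss.conf and the SPN name xmpp/th-snd-vmim01.th.local@TH.LOCAL; a check like this makes that kind of mismatch visible before SASL GSSAPI fails with not-authorized. It assumes the MIT version-2 keytab layout (0x0502 header), which is assumed to be what Java's ktab writes, and builds its own constructed keytab bytes instead of reading the real xmpp.keytab.

```python
import struct

EXPECTED_PRINCIPAL = "xmpp/th-snd-vmim01.th.local@TH.LOCAL"   # what gss.conf and the SPN name

def build_keytab(principal, enctype=23, kvno=3):
    """One-entry MIT-format (0x0502) keytab; constructed test data with filler key bytes."""
    name, realm = principal.split("@")
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps))
    for s in [realm.encode()] + comps:        # realm, then each name component
        body += struct.pack(">H", len(s)) + s
    key = b"\x11" * 16                        # not a real Kerberos key; 23 = rc4-hmac
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key  # name_type, timestamp, vno8, etype, keylen
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def _counted(data, pos):                      # 16-bit length-prefixed string -> (str, new_pos)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def read_keytab(data):
    """Return a {principal, enctype, kvno} dict for every live keytab entry."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                         # zero size: padding at end of file
            break
        if size < 0:                          # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        _ntype, _ts, kvno, enctype, _klen = struct.unpack_from(">IIBHH", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype, "kvno": kvno})
        pos = end                             # skip key bytes and any trailing vno32
    return entries

def check_keytab(data, expected=EXPECTED_PRINCIPAL):   # [] means the keytab matches gss.conf
    names = [e["principal"] for e in read_keytab(data)]
    problems = [] if expected in names else [f"keytab has {names}, not {expected}"]
    for p in names:
        if "/" not in p.split("@")[0]:
            problems.append(f"{p} is a user principal, not a service principal")
    return problems
```

To run it against a real file, pass `open("xmpp.keytab", "rb").read()` to `check_keytab`; the enctype numbers it reports can be compared with the enctypes listed in krb5.ini.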